Tim Caswell
Tim Caswell
I know that it will use the local version instead of what's in the upstream server. Perhaps this is an edge case for unpublished packages. I'll see what I can...
yeah, I saw this too. It needs some better error handling for when it can't write.
This should prompt the user to install anyway if a package fails verification.
This is mostly implemented now. There are two design issues with verifying in the client: 1. An user's ssh key may be revoked some time after they publish a package....
Since this was enabled, we are now having issues where our CI servers are hitting github's rate-limit. Since the verification doesn't buy as much as I originally thought it did,...
I was thinking that maybe a useful feature for paranoid/careful users would be a whitelist of trusted authors and only allow installing packages from those authors (and verify the signatures...
I believe this is now fixed in https://github.com/luvit/lit/pull/288 I just need to update the deployed version of lit to get the fix.
Deployed and I verified that it no longer has the bug where the http-codec would get stuck forever.
https://github.com/luvit/luvit.io/commit/d0f3940890697a0ee29f39f9558f279060edb2fb
Another idea is to put them in as `refs/tags/user/name/version/deps` where `deps` points to a hash of the deps tree in the snapshot. (though it could also point to the entire...