Comment on tupd 0.6 - small bugfix
EarMaster@lemmy.world 3 months ago
You don’t have to. Absolutely not.
But: As a potential user it provides some additional features your solution lacks. I can easily fork or clone your repo and change things if I need to. If I think it benefits the project I can easily offer these changes back to you, if I don’t I can still profit from future development on your side and incorporate my changes into it. I can very easily check what has changed between two versions without relying on (trusting) your changelogs or performing a manual diff.
But most importantly it is a matter of trust. Not so much trust in your intentions and the possibility of malicious code (Git won’t prevent that), but it obfuscates your code unnecessarily making it harder to continue if you at some point decide to stop maintaining it or even detect vulnerabilities as it is not easily accessible without knowing where to look for it.
S_S@lemy.lol 3 months ago
Sure it might create some hurdles for potential contributors, and cause some discomfort for users
For the user case I believe downloading the archive or even the diff text and applying it is quite straightforward, there aren’t any more steps in that than if it was in a repo, it is another way of pulling the code, I’m pretty used to handling software this way anyway, but most people aren’t, I even doubt people would have pulled the SVN URL if I had released it on SourceForge for example, they would have downloaded the source archive from the website, so I don’t believe that the fact that I don’t upload it to a git/svn service makes it much harder for a user
It is a lot more work to set up a git repo, create an account somewhere, manage ssh keys, set up configs, make commits, push code etc for me
Offering changes back to me is more of a me problem, if you create a git repo and send me the patches or URL I can figure the rest out, anyone doing that can still benefit from my diff files as they can be applied to a git repository as well, or they could create two repositories (or branches), one with just my changes and one with theirs mixed in, and get full three way merge as well
For the easily checking what has changed it is quite the same thing, there is an extra step unfortunately
For the relying and trusting me all I can offer is the transparency, I don’t believe many people would notice when a project gets force pushed either, some developers might use the same directory every time to make a pull, and then it would tell them there’s a mismatch, but it is a legit concern nonetheless
I think using git solves that a bit, you would notice if something was force pushed, as the auto-updating would fail with an error, but applying patches would also fail the same way, but that is of course a manual operation, having it in a SVN repo feels like it would produce the same problem also
SVN is probably as obfuscating as these files because git is what everyone uses, so it is more a problem of not using git than not using a (D)VCS I believe
Yea finding it is hard, there are a lot of other benefits with centralized social development platforms, but there was also a time before all that started, I think this community in particular is about not giving up to centralized platforms
If I ever stop the development, die, go rogue, get hacked or anything else I hope the community figures that out on their own and solves the problem then, anyone who wants should download the text diff files and/or the tar.gz files and take a few different checksums of them so they do not change maliciously at least
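Added example (not part of the thread and not the project's own code): one way a user could act on the suggestion above to take a few different checksums of the downloaded diff and tar.gz files, pinning SHA-256 and SHA-512 digests at first download and re-checking them later. The function names and the file names are hypothetical, and the file contents are constructed stand-ins.

```shell
#!/bin/sh
# Pin digests of downloaded release files, then detect later changes.
# Assumes GNU coreutils (sha256sum, sha512sum) and a flat download directory.

# pin_release <download-dir> <pin-dir>
# Record two independent digests of every file in the download directory.
pin_release() {
    mkdir -p "$2" || return 1
    ( cd "$1" && sha256sum -- * ) > "$2/SHA256SUMS" || return 1
    ( cd "$1" && sha512sum -- * ) > "$2/SHA512SUMS" || return 1
}

# verify_release <download-dir> <pin-dir>
# Succeeds only if every pinned file is present and matches both digests.
verify_release() {
    pins=$(cd "$2" && pwd) || return 1
    ( cd "$1" \
        && sha256sum -c "$pins/SHA256SUMS" \
        && sha512sum -c "$pins/SHA512SUMS" ) >/dev/null 2>&1
}

# Walk through the two cases with constructed files in a temp directory.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/dl"
    # Constructed stand-ins for a release archive and a version-to-version diff.
    printf 'release archive bytes\n' > "$work/dl/example-0.6.tar.gz"
    printf -- '--- a/main.c\n+++ b/main.c\n' > "$work/dl/example-0.5-0.6.diff"

    pin_release "$work/dl" "$work/pins"
    verify_release "$work/dl" "$work/pins" && first=unchanged || first=CHANGED

    # Simulate the published archive being silently replaced after pinning.
    printf 'different bytes\n' > "$work/dl/example-0.6.tar.gz"
    verify_release "$work/dl" "$work/pins" && second=unchanged || second=CHANGED

    rm -rf "$work"
    echo "$first $second"
}

demo
```

Pins only help if they are kept somewhere the download host cannot rewrite, and they detect replacement of files already fetched, not whether the first download was trustworthy.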
EarMaster@lemmy.world 3 months ago
I think you have realized that every comment here was about your decision not to use Git. I don’t think there is much more to say about this…
S_S@lemy.lol 3 months ago
Yes unfortunately most of the comments on my last post were also about me not using git and git platforms, seems very controversial.
I totally understand it, I’ve also wanted to have everything git and social development platform before when it was new
ramielrowe@lemmy.world 3 months ago
This isn’t about social platforms or using the newest-hottest tech. It’s about following industry standard practices. You act like source control is such a pain in the ass and that it’s some huge burden. And that I just don’t understand. Getting started with git is so simple, and setting up an account with a repo host is a one time thing. I find it hard to believe that you don’t already have ssh keys set up too. What I find more controversial and concerning is your ho-hum opinion on automated testing, and your belief that “most software doesn’t do it”. You’re writing software that you expect people to not only run on their infra, but also expose to the public internet. Not only that, but it also needs to protect the traffic between the server on public infra and client on private infra. There is a much higher expectation of good practices being in place. And it is clear that you are willingly disregarding basic industry standard practices.