npm disaster unfolding
When people hear @David Thompson and I complain about what a disaster npm's packaging is, I think we get a lot of skepticism. And I can't blame people, in the sense that most users aren't seeing problems, and it's so popular, so must there really be problems?
Turns out there are really problems.
After a trademark takedown, a prominent contributor to npm took down many of his packages. (Discussion on Reddit and on HN.) But it might be a lot worse: demonstration of easy hijackability has been shown (though maybe this particular one is not so bad, the situation is certainly bad).
Kind of relatedly, it looks like Guix may get npm packaging importing this summer through GSoC; there is at least one promising proposal, so I guess we'll see.
In a sense, Guix also has some risk in case someone takes down a source package. Guix has a cache of packages on Hydra, so it's unlikely we'll totally lose things entirely for current packages, but for older versions of Guix, history may bitrot away.
Content addressed storage may be the right and necessary answer indeed.