this post was submitted on 14 May 2025
321 points (99.4% liked)
Programming
20182 readers
223 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
LOL!!!! RIP GitHub
EDIT: trying to compile any projects from source that use git submodules will be interesting. eg ROCm has more than 60 submodules to pull in π
The Go module system pulls dependencies from their sources. This should be interesting.
Even if you host your project on a different provider, many libraries are on github. All those unauthenticated Arch users trying to install Go-based software that pulls dependencies from github.
How does the Rust module system work? How does pip?
Compiling any larger go application would hit this limit almost immediately. For example, podman is written in go and has around 70 dependencies, or about 200 when including transitive dependencies. Not all the depends are hosted on GitHub, but the vast majority are. That means that with a limit of 60 request per hour it would take you 3 hours to build podman on a new machine.
@UnityDevice @sxan it doesn't apply in that particular case since in Go you'll by default download those modules through proxy.golang.org
Oh, that's nice, TIL. But still, there are other projects that do just directly download from GitHub when building, buildroot for example.
@UnityDevice for sure, I was just nitpicking that Go projects in particular happens to be protected, at least as long as Google keeps providing that proxyβ¦
already not looking forward to the next updates on a few systems.
Yeah this could very well kill some package managers. Without some real hard heavy lifting.
scoop relies on git repos to work (scoop.sh - windows package manager)
Rip
For Rust, as I understand, crates.io hosts a copy of the source code. It is possible to specify a Git repository directly as a dependency, but apparently, you cannot do that if you publish to crates.io.
So, it will cause pain for some devs, but the ecosystem at large shouldn't implode.
I should know this, but I think Go's module metadata server also caches, and the compiler(s) looks there first if you don't override it. I remember Drew got pissed at Go because the package server was pounding on sr.ht for version information; I really should look into those details. It Just Worksβ’, so I've never bothered to read up about how I works. A lamentable oversight I'll have to correct with this new rate limit. It might be no issue after all.
I also remember there being a tiny shitstorm when Google started proxying package manager requests through their own servers, maybe two years ago or so. I don't know what happened with that, though, or if it's actually relevant here...