They do, but these are likely CI builds. These builds run on containers/vms spawned from scratch for each commit, they build, validate, publish (if a release) and then self destroy.
It is a good way to avoid any possible cross contamination between builds for security and reproducibility.
Caching here, without compromises, can be quite complex depending on the underlying system, and might require a custom build script for CI, that is often undesirable, because ideally the CI build should follow the same path as a manual build whenever possible, so it can also catch bugs in the build script itself.
The people complaining about this are the hosts of Maven Central (Java's npm), and they caused this themselves by pushing for Java build centralization. You can configure a project to use any Maven repository in Java, but it is so inconvenient and looks so suspicious or hard to verify that everyone ended up publishing to Maven Central, going through all the annoying hoops they put in place. Somehow they did not consider that they would have to host the entire world?
I think we need a nostr alternative: metadata signed and curated on nostr, payloads hosted on the dev own servers.
They do, but these are likely CI builds. These builds run on containers/vms spawned from scratch for each commit, they build, validate, publish (if a release) and then self destroy.
It is a good way to avoid any possible cross contamination between builds for security and reproducibility.
Caching here, without compromises, can be quite complex depending on the underlying system, and might require a custom build script for CI, that is often undesirable, because ideally the CI build should follow the same path as a manual build whenever possible, so it can also catch bugs in the build script itself.
The people complaining about this are the hosts of Maven Central (Java's npm), and they caused this themselves by pushing for Java build centralization. You can configure a project to use any Maven repository in Java, but it is so inconvenient and looks so suspicious or hard to verify that everyone ended up publishing to Maven Central, going through all the annoying hoops they put in place. Somehow they did not consider that they would have to host the entire world?
I think we need a nostr alternative: metadata signed and curated on nostr, payloads hosted on the dev own servers.