No it isn't. Please tell me how you achieve security without storing hashes in a DB? The default is only for those who'd prefer not to run their own DB. You are welcome to run your own DB if you want.

Why are you so upset that other people will be using a feature you obviously won't? Why are you upset when this leaks literally no info that your github repo doesn't already?

256 byte hash x 10000 packages x 10 package versions = 25mb

That's a conservative estimate, and if you try to sync only what's needed you're no better off then not-syncing.

Yeah, I've got 25 megs of disk space.

If you try syncing the whole thing incrementally (rsync style) all you leak is the frequency of your updates

> I bet

Care to maybe check real quick before making bets?

In the default configuration, the checksum database currently has 657 level-0 tiles. The raw log data associated with each level-0 tile seems to be about 50KB. You could store the entire current checksum database log in about 30 MiB. You could store the level-0 hash tiles in 5 MiB.

This makes sense right? Cargo, the rust package manager, does replicate the entire package index using git and it is ~250 MiB (~150MiB in .git/) (The cargo index stores much more metadata in a more verbose JSON format). It seems like a very reasonable bet considering prior art.

Is there any meaningful difference between what google knows about your modules and what npm knows about js modules? Or what a Debian mirror operator knows about your packages?

I get that Google changed the way go packages work, but I don't understand the difference between that and literally every package manager in existence.