First time posting so I hope this is the right place: I’d like to propose exposing the registry packages as signed exchanges. Signed exchange bundles have some advantages over the current .tar.gz format:
- They can hopefully soon be used directly on the web.
- They have a proper index that allows loading individual files from the archive without unpacking.
- Each file comes with metadata like content-type, which can reduce the reliance on file extensions to guess behavior.
- Since exchanges are individually signed, deduplication across registries / proxies is safe and doesn’t require trusting intermediaries.