My Plea for Sane Package Management

2 points by themtutty 8 years ago · 0 comments · 2 min read


I've been sitting on this idea for a while, but it came up in a Twitter discussion over the weekend. After thinking more about it, it's time we had a serious discussion about how to get pkg mgmt out of the FWB stage and into a long-term relationship :)

What we've got now (in different ways, with different flaws) across basically all modern languages is something that can work but is plagued with inconsistent data, fragile infrastructure, faulty (or non-existent) dependency solving, availability problems, etc, etc.

Here's what I think we should be aiming for:

1. Allow a single package file, including multiple clauses (or sub-files, whatever) for different languages. Let me manage my Angular front-end and Flask back-end in the same file. A single CLI tool as well - Composer and Bower aren't all that different.

2. Be a trusted broker, with e.g. MD5 checking, virus scanning, some kind of certification/badging/web of trust thing. Let developers know if it's listed, it's been vetted in some way.

3. Allow client-side caching, but also act as a cache/proxy fetch for package retrieval. That way, if GitHub or the source site is down, the Internet doesn't come to a screeching halt. I see the value of Satis, but it's a whole additional tool to solve just one part of this one problem.

4. Server-side dependency solver. Cache the requests and give instant answers for similar requests. All sorts of value-adds in analytics here, made more valuable by crossing language boundaries.

5. Be a more powerful advocate for good semver, as part of the vetting above.

With some standards around data format and API use cases, I see no reason that multiple services couldn't compete for usage in this space.
