Using Go in anger for a few years has made me realise just how much a good package management solution adds to an ecosystem, and just how difficult a bad one makes life.
Maybe we will finally get some protocol standardization in package distribution.

If you think about it, it's kind of crazy that we are reinventing the wheel with every language, OS, game store, extension marketplace etc.

A lot of Linux enthusiasts get lost in the idea that there should be one and only one package manager. But actually it's more that there should be a standard protocol for package discovery, distribution and updating; and package managers can just be an interface to those.
Great, I have a message about py, -m, --user, shiv and nuitka that I've been repeating for years but really need to reach a broader audience. That's going to be a great talk to give, and 20 minutes is the perfect format for it.

Python packaging would be way less painful if people had been given that key information. Not painless mind you, but from missing a leg to balls itching.
Client implementations typically need to be deeply integrated with the host PL/OS but I think we can create a shared package registry with a protocol that sits on top of IPFS.

A single tool for publishing to the registry would push the package to IPFS, get the returned CID (hash of the package) and store the hash with some package metadata in a blockchain. Storing the hash in a blockchain would provide confidence the package has not been tampered with, assuming no 51% attack and that client implementations always verify the hash against the package bytes. By making the hash immutable and linked to the content address of the package we have more confidence in the integrity of our packages.

Then we add an HTTPS bridge so that client implementations can easily migrate to consuming packages via this new distributed registry.

I am exploring this now so if anyone is interested in this kind of distributed language-agnostic package registry drop me a line at muji [at] tmpfs.org.
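A minimal model of the client-side check the comment above depends on, added here as an example rather than the commenter's code or any real registry: a hash-chained log of records that binds package metadata to a content hash, and a consumer that rejects fetched bytes unless the log is intact and the bytes match the recorded hash. SHA-256 stands in for the IPFS CID and the chained list stands in for the blockchain; the package bytes and record layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample packages (not real artifacts): filename -> archive bytes.
PACKAGES = {
    "leftpad-1.0.0.tar.gz": b"leftpad source archive bytes v1.0.0",
    "leftpad-1.0.1.tar.gz": b"leftpad source archive bytes v1.0.1",
}

GENESIS = "0" * 64  # "previous record" value for the first log entry


def content_hash(data: bytes) -> str:
    """Stand-in for the IPFS CID: hex SHA-256 over the package bytes (assumption)."""
    return hashlib.sha256(data).hexdigest()


def record_hash(body: dict) -> str:
    """Hash of a canonical JSON encoding so metadata, cid and prev link are all covered."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def publish(log: list, name: str, data: bytes, metadata: dict) -> dict:
    """Publisher side: append a record binding metadata to the content hash and the prior record."""
    prev = log[-1]["record_hash"] if log else GENESIS
    body = {"name": name, "cid": content_hash(data), "metadata": metadata, "prev": prev}
    rec = {**body, "record_hash": record_hash(body)}
    log.append(rec)
    return rec


def verify_log(log: list) -> bool:
    """Recompute every record hash and check each record links to its predecessor."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev"] != prev or not hmac.compare_digest(record_hash(body), rec["record_hash"]):
            return False  # metadata, cid or link edited after publication
        prev = rec["record_hash"]
    return True


def fetch_and_verify(log: list, name: str, fetched: bytes) -> bool:
    """Consumer side: accept bytes only if the log is intact and they hash to the recorded cid."""
    if not verify_log(log):
        return False
    rec = next((r for r in reversed(log) if r["name"] == name), None)
    return rec is not None and hmac.compare_digest(content_hash(fetched), rec["cid"])
```

The HTTPS bridge the comment proposes would serve `log` and the bytes; the point is that the consumer still runs `fetch_and_verify` rather than trusting what the bridge returned.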