[ ] a separate system that scrapes package manager metadata and records it in immutable, append-only form.
    do NOT store the package payloads themselves, only what's needed to resolve dependencies transitively (names, versions, dependency constraints, and when each version was first seen).
[ ] a resolver that is a pure function of (recorded metadata, manifest, date & time), so that one can later reproduce "what did these dependencies resolve to on this date & time?" exactly.
[ ] bonus: be hermetic: also record package manager versions and perhaps other build tools.
[ ] bonus: store precise pointers to source (e.g. a git commit) when known.
why? having an immutable layer & a resolver that is a pure function looks like the most sensible design to me, I honestly don't understand how come people build package managers that are not layered like this :-)
could be useful for a lot of things.
5, #8
on a global level, tons of projects involve "mixed-manager" deps to actually run, say Dockerfiles that say "apt install foo; pip install bar" without pinning precise versions. if we immutably recorded ALL the package managers, we could start from any commit anywhere and reconstruct all the deps involved, and the exact source code behind them...
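A small worked example of the layering described in the checklist above, and of the mixed-manager case (apt and pip in one resolution). This is added illustration code, not from the original note or from any existing tool: the ecosystems, package names, versions, timestamps and source pointers in the log are all constructed. The log is append-only and stores no payloads; `resolve` is a pure function of (log, roots, as_of), so replaying it with the same cutoff always gives the same answer, and records first seen after the cutoff are simply invisible.

```python
"""Append-only metadata log + pure, time-pinned resolver (constructed example)."""
import operator
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]            # (ecosystem, package name)
Dep = Tuple[str, str, str]       # (ecosystem, package name, version constraint)


@dataclass(frozen=True)
class Record:
    """One scraped observation: no payload, only what resolution needs."""
    ecosystem: str
    name: str
    version: Tuple[int, ...]
    observed_at: datetime        # when the scraper first saw this version
    deps: Tuple[Dep, ...]
    source: Optional[str] = None  # precise source pointer, when known


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.strip().split("."))


# Constructed log. Records are only ever appended, never rewritten or deleted.
LOG: Tuple[Record, ...] = (
    Record("apt",  "libfoo", (2, 0, 0), _utc("2022-12-01T00:00:00"), (), "git:ddd444"),
    Record("pypi", "baz",    (1, 0, 0), _utc("2023-01-05T00:00:00"), (), "git:ccc333"),
    Record("pypi", "bar",    (1, 0, 0), _utc("2023-01-10T00:00:00"), (("pypi", "baz", ">=1.0"),), "git:aaa111"),
    Record("pypi", "qux",    (0, 1, 0), _utc("2023-01-15T00:00:00"), (("pypi", "baz", "<1.2"),), None),
    Record("pypi", "baz",    (1, 2, 0), _utc("2023-02-20T00:00:00"), (("apt", "libfoo", ">=2.0"),), None),
    Record("pypi", "bar",    (1, 1, 0), _utc("2023-03-01T00:00:00"), (("pypi", "baz", ">=1.2"),), "git:bbb222"),
    Record("apt",  "libfoo", (2, 1, 0), _utc("2023-04-01T00:00:00"), (), "git:eee555"),
)

_OPS = ((">=", operator.ge), ("<=", operator.le), ("==", operator.eq),
        (">", operator.gt), ("<", operator.lt))   # two-char operators first


def satisfies(version: Tuple[int, ...], constraint: str) -> bool:
    for sym, fn in _OPS:
        if constraint.startswith(sym):
            return fn(version, parse_version(constraint[len(sym):]))
    raise ValueError(f"unsupported constraint {constraint!r}")


class Unresolvable(Exception):
    pass


def resolve(log: Tuple[Record, ...], roots: List[Dep], as_of: datetime) -> Dict[Key, Record]:
    """Pure function of (log, roots, as_of). Greedy: highest visible version,
    re-picked if a later constraint excludes it. No backtracking across packages:
    a conflict solvable only by downgrading a *different* package raises instead."""
    constraints: Dict[Key, Dict[str, str]] = {}   # key -> {imposer: constraint}
    chosen: Dict[Key, Record] = {}
    work: List[Tuple[str, str, str, str]] = [("<root>", e, n, c) for e, n, c in roots]
    while work:
        imposer, eco, name, con = work.pop(0)
        key = (eco, name)
        constraints.setdefault(key, {})[imposer] = con
        cands = [r for r in log
                 if (r.ecosystem, r.name) == key and r.observed_at <= as_of
                 and all(satisfies(r.version, c) for c in constraints[key].values())]
        if not cands:
            raise Unresolvable(f"{eco}/{name}: nothing satisfies "
                               f"{sorted(constraints[key].values())} as of {as_of.date()}")
        best = max(cands, key=lambda r: r.version)
        prev = chosen.get(key)
        if prev is not None and prev.version == best.version:
            continue                              # unchanged choice, nothing to redo
        if prev is not None:                      # re-pick: drop what the old version imposed
            for imposed in constraints.values():
                imposed.pop(f"{eco}/{name}", None)
        chosen[key] = best
        work.extend((f"{eco}/{name}", de, dn, dc) for de, dn, dc in best.deps)
    return _reachable(chosen, roots)


def _reachable(chosen: Dict[Key, Record], roots: List[Dep]) -> Dict[Key, Record]:
    """Keep only what the roots still transitively reach (drops leftovers of re-picks)."""
    keep: Dict[Key, Record] = {}
    stack: List[Key] = [(e, n) for e, n, _ in roots]
    while stack:
        key = stack.pop()
        if key not in keep:
            keep[key] = chosen[key]
            stack.extend((de, dn) for de, dn, _ in chosen[key].deps)
    return keep


def lockfile(resolved: Dict[Key, Record]) -> List[str]:
    """Stable sorted text form, one line per package, with its source pointer."""
    return sorted(f"{r.ecosystem}/{r.name}=={'.'.join(map(str, r.version))} "
                  f"source={r.source or 'unknown'}" for r in resolved.values())


if __name__ == "__main__":
    for day in ("2023-02-01", "2023-03-15", "2023-05-01"):
        print(day, lockfile(resolve(LOG, [("pypi", "bar", ">=1.0")], _utc(day + "T00:00:00"))))
```

Running it with the same root (`pypi/bar>=1.0`) and three cutoffs gives three different but individually reproducible lockfiles: on 2023-02-01 only `bar 1.0.0` and `baz 1.0.0` exist yet; by 2023-03-15 `bar 1.1.0` pulls in `baz 1.2.0`, which crosses ecosystems into `apt/libfoo 2.0.0`; by 2023-05-01 `libfoo 2.1.0` is visible. Asking for `bar>=1.1` with a 2023-02-01 cutoff raises `Unresolvable`, which is the correct historical answer rather than a quiet fallback to a later version.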