mikeal
commented
5 years ago First of all, your work on understanding and categorizing package managers has been AMAZING! I had felt like we lacked a framework for tackling such a large topic but you’ve been able to break down all the elements of package management into something much more understandable and comparable across systems. Great work!
When it comes to mapping these package managers onto IPFS, putting any individual repository on IPFS is relatively easy with git-remote-ipld, again with the restriction of 2MiB files, luckily none of the registry-less package managers support sharing binaries in the same way.
My concern with this method is that we would be translating a reference to a mutable resource (the current remote master) to an immutable one (the state of master at whatever time we run git-remove-ipld).
This is actually a general problem we have with any package manager that doesn’t keep an immutable reference. Most often, the resource is a URL to a tarball. In almost all cases there is a cache reference (git hash, etag, etc) but we’ll want to build a generic method of:
- Looking up a mutable resource.
- Translating it to IPFS/IPLD.
- Storing the IPFS/IPLD reference keyed to the ( immutable resource + cache key).
- Returning the immutable reference to a given client.
IMO, we should always hit this mechanism so that we catch mutations. We don’t want to do the work of converting these resources over and over again to IPFS/IPLD when not necessary but we also can’t cache something for any duration of time if the package manager assumes it’s talking about a live mutable reference.
lanzafame
andrew
jessicaschilling
momack2
A slightly different approach to categorizing package managers than outlined in the Glossary that I've been thinking about with regards to IPFS implementations specifically.
File-system based
This maps closely to the Multi-Registry category.
Many system package managers (APT, apk, RPM pacman, portage), plus some of the older language package managers (Maven, CPAN, CRAN) are literally a network attached folder full of files and other folders, often exposed over http, ftp etc.
Metadata is also stored as files so everything is quite self-contained and easily mirrored using rsync.
This style of registry maps nicely onto IPFS MFS and unixfs, it also seems like most sourcecode and binaries are stored within tar/zip/ar files to preserve any file permissions when downloaded over http, which conveniently means we don't need to wait for unixfs-v2 before implementing things.
Essentially, from IPFS point of view, all of these package managers end up having a very similar API (unixfs) that needs to be implemented, then the clients decide how they want to organise the files and metadata within that top level folder. A number of existing attempts take this approach (arch-mirror, apt-transport-ipfs, Gentoo-distfiles-IPFS)
Database based
This maps closely to the Centralized Registry category.
Many newer language package managers (rubygems, npm, Packagist, PyPI, NuGet, Cargo, bower) run a database-backed web application that handles authentication, uploading, provides APIs for the clients to list packages and versions and other metadata on demand.
Actual package contents is often hosted on s3 and requests to download packages may be proxied through the application to track download statistics, or redirected to a CDN link.
Mirroring these package managers usually requires either trawling package list APIs and recursively downloading packages and their metadata, or, if the registry provides it, downloading a dump of the registries database and running a copy of the web application or a slimmed down alternative that provides a similar API.
Unlike the file-system based package managers, almost every database based registry implements it's own, unique API for querying metadata and publishing packages.
This may explain why there are generally less public mirrors available for Centralized/database-backed package managers as there's a lot more overhead and complexity in keeping a mirror up to date than in the file-system based registries.
The one shared attribute they all share is that clients communicate with registries remotely via https urls, which can be proxied locally and backed by IPFS. A few existing implementations take this approach (npm-on-ipfs, dpip), as well as general purpose artifact stores like Sonatype Nexus and Artifactory.
Git based
This maps to the Portable Registry and the Registry-less categories.
Portable Registries
A number of Portable registries (Homebrew, CocoaPods) use Git (usually GitHub) as a database rather than a traditional centralized database, often as a way to avoid becoming a full time, on-call DBA for their community.
One notable exception is Cargo's main registry, https://crates.io, which has parts of both a portable registry in https://github.com/rust-lang/crates.io-index and central database in https://github.com/rust-lang/crates.io
With Homebrew, PRs can be opened directly on their GitHub repository database to add and update Formula files, which contain the metadata for a package, including links to the source and compiled binaries with integrity hashes.
With CocoaPods, you used to be able to send PRs to their GitHub repository database but after they merged a PR publishing a new version by someone who shouldn't have been able to, they implemented a separate web service called Trunk to handle adding new version to the git database.
Similarly with Crates.io, their GitHub repository database is updated automatically whenever someone publishes a new version via the crates.io website.
In all three of these cases, the end user only ever uses data from the latest commit that they have locally, tags and branches are not utilized and in the case of Cocoapods and Cargo, the history of the repository is not used for previous versions, in fact end users often do a shallow clone (
git clone --depth 1so don't even have history data to go back on.Homebrew only keeps the latest version of a Formula in it's database, but does clone the full repository (243.22 MiB as of February 2019) so users can check out previous revisions of the repository to install old versions of a Formula, although it's not encouraged (Formula cannot declare a particular version of a dependency) because the speed of operations on the large repo are slow.
When it comes to mapping these registries onto IPFS, git is used both as a transport protocol and storage mechanism, git-remote-ipld should be able to help with integration.
There is a restriction that files stored in those repositories can't be larger than 2MiB but it doesn't look like any of those three databases store metadata files larger than a few Kb.
But none of the git repository databases actually contain the code of the releases, usually they have URIs (homebrew can reference SVN, CVS, Git and other protocols, not just http), which are hosted elsewhere, often GitHub, but could be arbitrary.
For IPFS to host both the registry and source code, each one of these remote URIs will need to be referenced either along side an IPFS CID (see https://github.com/protocol/package-managers/issues/12) or loaded via some kind of http proxy extension added to the client.
Registry-less
Some package managers (Go, Carthage, Swiftpm) do away with hosted registries all together, instead preferring to declare dependencies as fully qualified http urls or shortcuts for GitHub urls (owner/repo-name for example).
These package managers often have support for checking to see if the url is a git repository and then querying for git tags as the list of published, named versions, and git commits as a full list of all possible versions (named by git commit sha and/or branch).
The end result is instead of a single registry, these package managers have thousands of single project registries, and rely on APIs in Git and/or GitHub for metadata on releases.
When it comes to mapping these package managers onto IPFS, putting any individual repository on IPFS is relatively easy with git-remote-ipld, again with the restriction of 2MiB files, luckily none of the registry-less package managers support sharing binaries in the same way.
Rather the problem comes when declaring dependencies, which are often simple URIs within source code:
this can be swapped out with an IPFS CID, as seen with gx :
But the original metadata of the package, such as upstream source and version number) is lost.
In addition, this import functionality is baked into the language implementation itself, making changes much more difficult than in external tooling.