ipfs-inactive / package-managers

[ARCHIVED] 📦 IPFS Package Managers Task Force
MIT License

wapm: the WebAssembly Package Manager #47

Open andrew opened 5 years ago

andrew commented 5 years ago

Only announced yesterday, wapm is a very new package manager for wasm.

The client is open source but the registry is not (yet), so I had a dig around to see what I could find.

There are also a number of sources of packages published to GitHub by the creators: https://github.com/wapm-packages/

Use case: wapm is a binary package manager; it only handles the wasm binaries, manifest metadata and a readme. The apparent use case is to distribute applications that are ready to be used after download and should run everywhere that https://wasmer.io/ works, without needing platform-specific binaries.

Namespacing: all packages published to the wapm.io registry are added under the user's namespace, "andrew/foobar" for example, although there are a few packages that don't follow that rule: https://wapm.io/package/lua

Manifest: both manifest and lockfile are TOML files (+1 for non-turing complete)

Dependencies: When declaring dependencies in wapm.toml you must specify an exact version, no apparent support for semver ranges. There aren't any packages published that declare a dependency at the moment so it's a little hard to test what/how dependencies are used for given that the wasm packages are already compiled before uploading, but as mentioned on HN, wasm supports dynamic linking so perhaps it means that? I also tested to see if you can include multiple versions of the same dependency in a manifest and you cannot at a top level due to the TOML parser, although there's no documentation that says if you could have two different versions at different levels of a dependency tree.

graphql: The client talks to the registry with GraphQL: http://registry.wapm.io/graphql, which is the first registry I've seen that uses GraphQL. It could certainly help to reduce the chatty nature of resolving dependency trees over HTTP. One other thing that being GraphQL implies is that to run a mirror that the client talks to, you'll need an application server that also speaks GraphQL.

tarballs: the actual packages are downloaded as tarballs and include three files, no source code:

integrity: at the moment there doesn't appear to be any integrity checking or data, like a sha256 of the package contents. There's also no obvious support for repeatable builds, which would be very useful given the security implications of running binaries where you can't be sure exactly what they were built from. You can reference a repository in your wapm.toml file so it's possible to follow that to build the source of the original and confirm it.

multi-registry: currently wapm appears to work much like a centralized, database-based registry. The client does let you specify a different registry to talk to, but at the moment dependencies assume they all come from the same registry and namespace.


How can IPFS help?
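Two of the points in the post above (exact-version dependencies in the TOML manifest, and the lack of any integrity data for the downloaded tarball) are easy to make concrete in code. The following is an added example, not code from the wapm client or from the post's author: it parses a constructed wapm.toml-style manifest and rejects anything that is not a single exact version, shows that a duplicate dependency at the top level is rejected by the TOML parser itself, and then does the sha256 check a lockfile could carry for the package tarball, including the tamper case. The manifest layout, package names, versions and file contents are all assumptions made for the example; a constant-time compare is used for the hash check.

```python
import hashlib
import hmac
import io
import re
import tarfile

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed manifest in the shape the post describes: TOML, dependencies as
# "name = version". Names, versions and the repository URL are invented.
SAMPLE_MANIFEST = """
[package]
name = "andrew/foobar"
version = "0.1.0"
repository = "https://github.com/example/foobar"

[dependencies]
"andrew/libfoo" = "1.2.3"
"someone/libbar" = "^2.0.0"
"""

# A single exact semver version: MAJOR.MINOR.PATCH with optional pre-release
# and build metadata. Range operators (^, ~, >=, *, ||) do not match.
EXACT_VERSION = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def check_dependencies(manifest_text):
    """Return [(name, version)] for every dependency that is not pinned to one
    exact version. The post notes wapm only accepts exact versions; doing the
    check client-side rejects a range before any registry round trip."""
    manifest = tomllib.loads(manifest_text)
    deps = manifest.get("dependencies", {})
    return [
        (name, version)
        for name, version in deps.items()
        if not isinstance(version, str) or not EXACT_VERSION.match(version)
    ]


def has_duplicate_dependency(manifest_text):
    """True if the manifest declares the same dependency twice at the top
    level. TOML forbids duplicate keys, so the parser raises; this mirrors
    the behaviour the post observed."""
    try:
        tomllib.loads(manifest_text)
    except tomllib.TOMLDecodeError:
        return True
    return False


def build_tarball(files):
    """Build an uncompressed tar in memory from {name: bytes}. TarInfo
    defaults (mtime=0, uid/gid=0) make the output byte-for-byte repeatable,
    so the same inputs always hash the same (the repeatable-build property
    the post asks for). This stands in for a registry download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(tar_bytes, expected_sha256):
    """The integrity step the post says is missing: hash the downloaded
    archive and compare it with the digest pinned in the lockfile before
    unpacking or running anything from it."""
    return hmac.compare_digest(sha256_hex(tar_bytes), expected_sha256)


# Constructed package contents: the three files the post says a tarball holds.
PACKAGE_FILES = {
    "wapm.toml": SAMPLE_MANIFEST.encode(),
    "foobar.wasm": b"\x00asm\x01\x00\x00\x00",  # wasm magic + version only
    "README.md": b"# foobar\n",
}


if __name__ == "__main__":
    print("non-exact deps:", check_dependencies(SAMPLE_MANIFEST))
    pkg = build_tarball(PACKAGE_FILES)
    pinned = sha256_hex(pkg)  # what a lockfile entry would record
    print("download ok:", verify_download(pkg, pinned))
    tampered = build_tarball({**PACKAGE_FILES, "foobar.wasm": b"\x00asm\x01\x00\x00\x00\x0b"})
    print("tampered ok:", verify_download(tampered, pinned))
```

In practice the pinned digest would be written into the lockfile at publish or first-install time and checked on every later install; without that, a mirror or a compromised registry can swap the binary for the same version string undetected.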

andrew commented 5 years ago

I also wrote my first bit of Rust code to contribute support for installing specific versions: https://github.com/wasmerio/wapm-cli/pull/65

andrew commented 5 years ago

Opened up an issue on their repo to track IPFS integration: https://github.com/wasmerio/wapm-cli/issues/78