[erlang-questions] Rough thought on a P2P package distribution model for Erlang
jm
jeffm@REDACTED
Wed Sep 14 04:01:35 CEST 2011
In my previous email I said that I thought a P2P package distribution
system would be a good idea. This was due to it eliminating the single
points of failure that come with relying on the future of websites. There are a
number of problems with using a P2P module. Chief among these are how to
get packages into the system and how to know that these packages are
trustworthy.
With that in mind, here are some rough thoughts on a P2P module repository
for Erlang:
Publisher: the person who maintains the package. Typically, the author
of the module being published.
Node: a server which is a member of the P2P module repository system.
Indexer: a person who creates an index of packages that they say meet
some criteria, i.e., they vouch for the packages.
Administrator: the person who looks after a node.
The process would work something like this:
Someone writes a wonderful module, the one everyone has been waiting for.
Either the original author or someone on their behalf packages it up.
The Publisher then makes this publicly available on a website or through
git/mercurial/etc.
The Publisher notifies one or more Indexers.
Each Indexer checks that the package meets their criteria.
The Indexer then injects the package into the p2p distribution system
along with an updated signed versioned index file.
This index file lists which packages the Indexer has verified and the
cryptographic hash for each package.
The Administrators of other nodes select which Indexers they wish to
follow and keep copies of each Indexer's public key (obtained out of band).
The Nodes then replicate the index file of each Indexer of interest and
the packages listed by those index files.
These nodes then make this information available over ftp/http/p2p or
other means to other nodes and end developers.
Using an Indexer has a couple of advantages:
1) It eliminates the need for everyone to have certificates, making
the system cleaner to use and lowering the barrier to entry for package
maintainers, allowing them to easily submit their work without distraction.
2) It maintains a concept similar to existing repositories with which
people are familiar. This makes it easy for people to bring up and
maintain additional nodes. It also means that the number of people that
have to wade through all the packages out there is reduced down to the
Indexer. You simply select the Indexer whose package criteria
reflect your own.
This is separate from what packages are and how Erlang handles dependencies.
This is merely a distribution model.
Excuse the broad description; I merely intend this to give people ideas.
Jeff.