[erlang-questions] more thoughts about package/dependency management
Tuncer Ayaz
tuncer.ayaz@REDACTED
Mon Jun 4 01:25:45 CEST 2012
On Mon, Jun 4, 2012 at 12:32 AM, Tim Watson wrote:
> Hi - sorry for not commenting about this sooner. I agree that it's a
> solvable problem, as long as someone 'sponsors' the storage
> somewhere, as well as dealing with the mirroring. Given some kind of
> mirror network backed by, say, FTP - how are you going to deal with
> authentication and authorisation? More specifically, when I decide
> that I want to publish my stuff, how're you proposing that the
> underlying source determines that I am (1) who I claim to be and (2)
> have the right to publish/upload this 'stuff'. I am fully aware that
> various solutions exist to this problem, I'm just wondering how you
> envisage this being handled in a way that minimises administrative
> overhead - consider that mine and Eric's initial suggestion about
> this removes this overhead altogether, as only a repository owner
> (or authorised committer) can contribute patches and therefore if
> you trust the account then you trust the content.

Which sounds somewhat like how distro maintainers work.

> So how do we do this, and what overhead is there, if any?
> Admittedly, creating your own .deb packages, signing them and then
> making your repository accessible over the web isn't rocket science.
> How about the mirroring thing? Also, does the index design for
> these solutions cater for the fact that you possibly have numerous
> origins publishing the same package/version?

Valid concerns which we'd have to deal with and an indicator why it
might be hard to use an existing solution without adapting it.

I think we're better off planning it right from the beginning and
coming up with a design that makes it simple to distribute on mirror
networks.