[erlang-questions] more thoughts about package/dependency management

Tim Watson watson.timothy@REDACTED
Mon Jun 4 01:27:07 CEST 2012


On 4 Jun 2012, at 00:25, Tuncer Ayaz wrote:

> On Mon, Jun 4, 2012 at 12:32 AM, Tim Watson wrote:
>> Hi - sorry for not commenting about this sooner. I agree that it's a
>> solvable problem, as long as someone 'sponsors' the storage
>> somewhere, as well as dealing with the mirroring. Given some kind of
>> mirror network backed by, say, FTP - how are you going to deal with
>> authentication and authorisation? More specifically, when I decide
>> that I want to publish my stuff, how're you proposing that the
>> underlying source determines that I am (1) who I claim to be and (2)
>> have the right to publish/upload this 'stuff'. I am fully aware that
>> various solutions exist to this problem, I'm just wondering how you
>> envisage this being handled in a way that minimises administrative
>> overhead - consider that mine and Eric's initial suggestion about
>> this removes this overhead altogether, as only a repository owner
>> (or authorised committer) can contribute patches and therefore if
>> you trust the account then you trust the content.
> 
> Which sounds somewhat like how distro maintainers work.
> 
>> So how do we do this, and what overhead is there, if any?
>> Admittedly, creating your own .deb packages, signing them and then
>> making your repository accessible over the web isn't rocket science.
>> How about the mirroring thing? Also, does the index design for
>> these solutions cater for the fact that you possibly have numerous
>> origins publishing the same package/version?
> 
> Valid concerns which we'd have to deal with and an indicator why it
> might be hard to use an existing solution without adapting it.
> 

Indeed.

> I think we're better off planning it right from the beginning and
> coming up with a design that makes it simple to distribute on mirror
> networks.

I completely agree.
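The thread raises two design questions without answering them: how an untrusted mirror network (FTP or similar) can carry packages when authentication and authorisation live elsewhere, and how an index copes with several origins publishing the same package/version. The sketch below is an added example, not code from this thread or from any Erlang package tool. It assumes one design choice the thread does not make: each publisher signs a manifest (publisher, name, version, SHA-256 of the archive) with an Ed25519 key, and clients ship a trust store of publisher keys obtained out of band, so the mirror only has to store bytes and is never trusted. The publisher and package names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the only thing a publisher signs: package identity plus the
// content hash. Trust comes from the signature, not from the mirror.
type Manifest struct {
	Publisher string
	Name      string
	Version   string
	SHA256    string // hex digest of the package archive
}

// bytes returns the canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	return []byte(m.Publisher + "\n" + m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// Entry is what an untrusted mirror serves for one package.
type Entry struct {
	Manifest  Manifest
	Signature []byte
	Content   []byte
}

// TrustStore maps publisher names to their public keys. A client obtains it
// out of band (for example shipped with the tool), never from the mirror.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnknownPublisher = errors.New("unknown publisher")
	ErrBadSignature     = errors.New("manifest signature does not verify")
	ErrContentMismatch  = errors.New("content hash does not match signed manifest")
	ErrConflict         = errors.New("same package/version already accepted with different content")
)

// GenerateKey creates a publisher key pair (hypothetical helper for the demo).
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish hashes the archive, builds the manifest and signs it.
func Publish(priv ed25519.PrivateKey, publisher, name, version string, content []byte) Entry {
	sum := sha256.Sum256(content)
	m := Manifest{Publisher: publisher, Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return Entry{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Content: content}
}

// Index is the client's view of accepted packages keyed by name@version.
// Several origins may publish the same name/version as long as the bytes
// agree; differing bytes for the same key are flagged as a conflict.
type Index map[string]Manifest

// Accept verifies an entry fetched from a mirror before recording it.
func (idx Index) Accept(ts TrustStore, e Entry) error {
	pub, ok := ts[e.Manifest.Publisher]
	if !ok {
		return ErrUnknownPublisher
	}
	if !ed25519.Verify(pub, e.Manifest.bytes(), e.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(e.Content)
	if hex.EncodeToString(sum[:]) != e.Manifest.SHA256 {
		return ErrContentMismatch
	}
	key := e.Manifest.Name + "@" + e.Manifest.Version
	if prev, seen := idx[key]; seen && prev.SHA256 != e.Manifest.SHA256 {
		return ErrConflict
	}
	idx[key] = e.Manifest
	return nil
}

func main() {
	pub, priv, _ := GenerateKey()
	ts := TrustStore{"alice": pub} // constructed publisher name
	idx := Index{}
	e := Publish(priv, "alice", "cowboy", "0.8.0", []byte("constructed archive bytes"))
	fmt.Println("genuine entry:", idx.Accept(ts, e))
	e.Content = []byte("bytes swapped on the mirror")
	fmt.Println("tampered entry:", idx.Accept(ts, e))
}
```

With this split, the mirror operator needs no accounts at all: anyone may host the bytes, and "if you trust the account then you trust the content" becomes "if you trust the publisher key then you trust the manifest". The index question from the thread is handled by keying on name@version and comparing hashes rather than by refusing a second origin outright.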
