[erlang-questions] Erlang package manager

Kenji Rikitake kenji@REDACTED
Wed Dec 17 14:25:59 CET 2014


+1 for Michael, especially the following three points.

I suggest you learn from what FreeBSD Ports (not necessarily "pkg") does.
(See http://www.freshports.org/ )

Kenji Rikitake

++> Michael Truog <mjtruog@REDACTED> [2014-12-16 11:12:38 -0800]:
> 1) It needs to be simple, allowing you to publish a package within less than 1 hour of usage.  Good examples are https://hex.pm/ for elixir, https://pypi.python.org/pypi for python, https://rubygems.org/ for ruby, https://www.npmjs.com/ for node.js.  Bad examples are http://search.maven.org/ for java, http://www.cpan.org/ for perl. Maven is probably the best example of what is worst, due to the process being as complex as possible and taking as long as possible.  The goal of the package manager is not to earn more consulting money (I hope), i.e., consultant-ware.
> 2) It needs to use source code in the packages, not binaries, to make sure everything is transparent, avoiding black-box binary blobs which lack any ability to be examined easily.  Past erlang package managers have had trouble here.  Along with this, there needs to be signing of the package for the identity of the publisher and the integrity of the package.
> 3) We don't need package dictators which attempt to decide what packages are important, since that just limits the size of the community, making this less of an open source effort (unless that is the goal).  You will notice the large open source communities don't need to do this.


