Package repository
==================

For tracking packages, package backwards compatibility, namespace collisions, etc., and of course for users to browse packages, it would be nice to have a package repository.

Package compatibility:

* Detect backwards incompatible changes between versions, and reject the newer version from being uploaded.
* Detect multiple packages that implement the same API, but with incompatibilities. This would generate a warning only.

Security features:

* Verify ownership of package identifiers (org.example.xxxx). Perhaps some kind of validation-text-file-over-HTTPS validation? Perhaps github/gitlab/bitbucket/etc. verification through OAuth? Possibly offer some kind of DNS validation, e.g. "_slul-repo TXT ..."?
* Push for users to enable 2FA.
* Require signed uploads.
* Endorsed user signatures (web of trust). Maybe just use GPG for this?
* Endorsed package data, i.e. a package's source code can be reviewed by another user. That user then uploads a signature of the code. One could also scan buildfiles recursively to find unverified/unclaimed modules.

Data to host at a minimum:

* SLUL Buildfiles
* interfaces.slul files
* License files (if non-standard license)
* License additions (e.g. GPL special exceptions)

Data to index, and *maybe* host publicly:

* Source code releases
* GIT repos

It provides a lot of value to have a backup of everything in case individual repos / source release files disappear.

Building and generating SHA-256 sums of the target files would also be cool (with different architectures, compiler versions and optimization levels).

* Differing versions of dependencies should not matter!
* Optional dependencies do matter, however.
* This is also an interesting way to detect bugs in the compiler :)
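The two "package compatibility" bullets above, as an added example (not SLUL project code). It models an interface as a plain mapping of exported symbol name to signature string, which is an assumption standing in for whatever a parsed interfaces.slul file would actually contain; the upload gate rejects removed or altered symbols, and the second function produces the warning for packages that claim the same API but disagree on shared symbols. Any change to a signature string is treated as incompatible, which is conservative but never lets a real break through.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed model: an interface is {exported symbol: signature string}.
Interface = dict[str, str]


@dataclass
class CompatReport:
    removed: list[str] = field(default_factory=list)
    changed: list[tuple[str, str, str]] = field(default_factory=list)  # (name, old, new)
    added: list[str] = field(default_factory=list)

    @property
    def breaking(self) -> bool:
        # Removing or altering an exported symbol breaks callers; adding never does.
        return bool(self.removed or self.changed)


def compare_interfaces(old: Interface, new: Interface) -> CompatReport:
    """Diff two versions of one package's interface."""
    report = CompatReport()
    for name, sig in old.items():
        if name not in new:
            report.removed.append(name)
        elif new[name] != sig:
            report.changed.append((name, sig, new[name]))
    report.added = sorted(set(new) - set(old))
    return report


def check_upload(previous: Interface | None, candidate: Interface) -> tuple[bool, str]:
    """Upload gate: returns (accepted, reason). Backwards-incompatible versions are rejected."""
    if previous is None:
        return True, "first version of this package"
    report = compare_interfaces(previous, candidate)
    if report.breaking:
        details = [f"removed {n}" for n in report.removed]
        details += [f"changed {n}: {o} -> {new}" for n, o, new in report.changed]
        return False, "backwards-incompatible: " + "; ".join(details)
    return True, f"compatible, {len(report.added)} symbol(s) added"


def implementation_conflicts(implementations: dict[str, Interface]) -> list[str]:
    """Warnings for packages that implement the same API but disagree on shared symbols.

    `implementations` maps package id -> its interface. A symbol present in only
    one package is not a conflict; only differing signatures are reported.
    """
    warnings = []
    ids = sorted(implementations)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            shared = set(implementations[a]) & set(implementations[b])
            for sym in sorted(shared):
                sa, sb = implementations[a][sym], implementations[b][sym]
                if sa != sb:
                    warnings.append(f"{sym}: {a} has {sa!r}, {b} has {sb!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample interfaces; the signature syntax is made up for illustration.
    v1 = {"open": "fn(path: str) -> File", "close": "fn(f: File)"}
    v2 = {**v1, "stat": "fn(path: str) -> Stat"}
    v3 = {"open": "fn(path: str, mode: int) -> File", "stat": "fn(path: str) -> Stat"}
    print(check_upload(v1, v2))   # accepted: only additions
    print(check_upload(v2, v3))   # rejected: 'close' removed, 'open' changed
    print(implementation_conflicts({"org.a.fs": v2, "org.b.fs": v3}))
```

In a real repository the `previous` interface would come from the last accepted upload of the same package, and the conflict scan would run over every package that declares itself an implementation of a given API.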
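The "verify ownership of package identifiers" bullet, as an added example (not SLUL project code). It derives the registrable domain from a reverse-DNS identifier and checks the two proof mechanisms the notes float: a TXT record at `_slul-repo.<domain>` and a text file fetched over HTTPS. The TXT/file content format (`slul-repo-verify=<token>`) and the `/.well-known/slul-repo.txt` path are assumptions; the resolver and HTTPS client are injected as callables so the logic runs offline here and can be backed by real lookups in deployment.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Callable, Iterable

# Assumed record format: the repository issues a token, the claimant publishes
# PREFIX+token at the domain, the repository looks it up.
TOKEN_PREFIX = "slul-repo-verify="
# Assumed location of the "validation text file over HTTPS".
WELL_KNOWN_PATH = "/.well-known/slul-repo.txt"


def _valid_label(label: str) -> bool:
    """DNS label rules: 1..63 chars, letters/digits/hyphen, no leading/trailing hyphen."""
    return (
        0 < len(label) <= 63
        and all(c.isalnum() or c == "-" for c in label)
        and not label.startswith("-")
        and not label.endswith("-")
    )


def identifier_to_domain(package_id: str) -> str:
    """Map 'org.example.tools' -> 'example.org'.

    Only the first two labels are used: control of example.org is taken as
    proof for every identifier under org.example.*. Identifiers with fewer
    than two labels cannot be tied to a domain and are rejected.
    """
    labels = package_id.strip().lower().split(".")
    if len(labels) < 2 or not all(_valid_label(l) for l in labels):
        raise ValueError(f"not a reverse-DNS identifier: {package_id!r}")
    return f"{labels[1]}.{labels[0]}"


def new_token() -> str:
    """Single-use proof token with 256 bits of entropy, so it cannot be guessed."""
    return secrets.token_urlsafe(32)


def _contains_token(records: Iterable[str], token: str) -> bool:
    """True if any published record equals PREFIX+token.

    Constant-time comparison: the records are claimant-controlled input, and a
    plain == would leak how many leading bytes of the token matched.
    """
    expected = (TOKEN_PREFIX + token).encode()
    return any(hmac.compare_digest(r.strip().encode(), expected) for r in records)


def verify_ownership(
    package_id: str,
    token: str,
    dns_txt: Callable[[str], list[str]],
    https_get: Callable[[str], str | None],
) -> dict:
    """Check both proof mechanisms and report which ones succeeded.

    dns_txt(name)  -> TXT strings published at that name ([] if none)
    https_get(url) -> response body, or None on any error or non-200 status
    Either mechanism is sufficient; both are reported so the repository can
    log which one the claimant actually relied on.
    """
    domain = identifier_to_domain(package_id)
    dns_ok = _contains_token(dns_txt(f"_slul-repo.{domain}"), token)
    body = https_get(f"https://{domain}{WELL_KNOWN_PATH}")
    https_ok = body is not None and _contains_token(body.splitlines(), token)
    return {"domain": domain, "dns": dns_ok, "https": https_ok,
            "verified": dns_ok or https_ok}


# Constructed stand-ins for a resolver and an HTTPS client so this runs offline.
def fake_dns(zone: dict[str, list[str]]) -> Callable[[str], list[str]]:
    return lambda name: list(zone.get(name.lower(), []))


def fake_https(pages: dict[str, str]) -> Callable[[str], str | None]:
    return lambda url: pages.get(url)


if __name__ == "__main__":
    token = new_token()
    dns = fake_dns({"_slul-repo.example.org": [TOKEN_PREFIX + token]})
    web = fake_https({})  # claimant chose to publish via DNS only
    print(verify_ownership("org.example.tools", token, dns, web))
```

The token should be bound to the requesting account and expire after a short window, so that a stale record left at a domain cannot be reused by whoever controls the domain later.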
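The closing idea above (building the targets and publishing SHA-256 sums across architectures, compiler versions and optimization levels, where dependency versions should not matter but optional dependencies do), as an added example that is not SLUL project code. The manifest format is an assumption. Builds are keyed by exactly the parameters expected to change the output; two manifests with the same key and the same enabled optional dependencies but different sums are a finding (non-deterministic inputs or, as the notes suggest, a compiler bug).

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field


@dataclass(frozen=True)
class BuildKey:
    """Parameters that are expected to change the produced bytes."""
    arch: str          # e.g. "x86_64", "aarch64"
    compiler: str      # compiler name and version, e.g. "slulc 0.3.1" (constructed)
    opt_level: str     # e.g. "O0", "O2", "Os"


@dataclass
class Manifest:
    package: str
    version: str
    key: BuildKey
    # Optional dependencies that were enabled. They are part of the identity
    # because enabling one legitimately changes the output. Plain dependency
    # versions are deliberately NOT recorded: per the notes, they should not matter.
    optional_deps: tuple[str, ...]
    sums: dict[str, str] = field(default_factory=dict)  # target path -> hex SHA-256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(package: str, version: str, key: BuildKey,
                   optional_deps: list[str], targets: dict[str, bytes]) -> Manifest:
    """Hash every target. `targets` maps path -> file contents as read by the builder."""
    m = Manifest(package, version, key, tuple(sorted(optional_deps)))
    for path in sorted(targets):
        m.sums[path] = sha256_hex(targets[path])
    return m


def to_json(m: Manifest) -> str:
    """Canonical encoding (sorted keys, no insignificant whitespace) so the
    serialized manifest itself can be signed or hashed deterministically."""
    return json.dumps(asdict(m), sort_keys=True, separators=(",", ":"))


def from_json(text: str) -> Manifest:
    d = json.loads(text)
    return Manifest(d["package"], d["version"], BuildKey(**d["key"]),
                    tuple(d["optional_deps"]), dict(d["sums"]))


def compare(a: Manifest, b: Manifest) -> dict:
    """Compare two builds of the same package version.

    Builds are comparable only when package, version, BuildKey and enabled
    optional dependencies all match; otherwise differing sums are expected.
    For comparable builds every differing or missing target is reported.
    """
    if (a.package, a.version) != (b.package, b.version):
        return {"comparable": False, "reason": "different package or version"}
    if a.key != b.key:
        return {"comparable": False, "reason": "different build key"}
    if a.optional_deps != b.optional_deps:
        return {"comparable": False, "reason": "different optional dependencies"}
    mismatched = sorted(p for p in a.sums if p in b.sums and a.sums[p] != b.sums[p])
    missing = sorted(set(a.sums) ^ set(b.sums))
    return {"comparable": True, "reproducible": not mismatched and not missing,
            "mismatched": mismatched, "missing": missing}


if __name__ == "__main__":
    key = BuildKey("x86_64", "slulc 0.3.1", "O2")
    # Constructed target contents standing in for real build outputs.
    first = build_manifest("org.example.app", "1.0.0", key, ["tls"],
                           {"bin/app": b"\x7fELF...", "lib/libapp.a": b"!<arch>..."})
    second = build_manifest("org.example.app", "1.0.0", key, ["tls"],
                            {"bin/app": b"\x7fELF...", "lib/libapp.a": b"!<arch>!!!"})
    print(compare(first, second))   # mismatched: ['lib/libapp.a']
    print(to_json(first))
```

A repository would publish `to_json(manifest)` alongside each release so that a user who rebuilds locally with the same key can compare; a mismatch on a single target is a much more useful signal than a mismatched whole-archive hash.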