path: root/notes/package_repository.txt
blob: 771fe848cf34e7dd85d53dd8efe73f00d8e16919 (plain)

Package repository
==================

For tracking packages, package backwards compatibility, namespace
collisions, etc., and of course for letting users browse packages, it
would be nice to have a package repository.

Package compatibility:
* Detect backwards incompatible changes between versions, and reject
  the newer version from being uploaded.
* Detect multiple packages that implement the same API, but with
  incompatibilities. This would generate a warning only.
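The two compatibility checks above, as an added example (not code from this repository). It assumes a constructed one-declaration-per-line interface format, not the real interfaces.slul syntax; the names `parseInterface`, `diffInterface`, `checkUpload` and `sameAPIWarnings` are illustrative. Removed or re-signed declarations are treated as breaking and reject a newer version of the same package, while the same differences between two distinct packages claiming one API only produce warnings:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseInterface reads a constructed interface description (not the real
// interfaces.slul syntax): one exported declaration per line in the form
// "name(paramtypes) -> returntype", the return part optional, "#" comments.
func parseInterface(src string) map[string]string {
	sigs := make(map[string]string)
	for _, line := range strings.Split(src, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, rest, found := strings.Cut(line, "(")
		if !found {
			continue // malformed line; a real checker would report it
		}
		sigs[strings.TrimSpace(name)] = "(" + rest
	}
	return sigs
}

// Report lists how the new interface differs from the old one.
type Report struct {
	Removed []string // callers of the old version lose these
	Changed []string // same name, different signature
	Added   []string // harmless for backwards compatibility
}

func (r Report) Breaking() bool { return len(r.Removed)+len(r.Changed) > 0 }

// diffInterface compares two descriptions; slices are sorted for stable output.
func diffInterface(oldSrc, newSrc string) Report {
	oldSigs, newSigs := parseInterface(oldSrc), parseInterface(newSrc)
	var r Report
	for name, sig := range oldSigs {
		newSig, ok := newSigs[name]
		switch {
		case !ok:
			r.Removed = append(r.Removed, name)
		case newSig != sig:
			r.Changed = append(r.Changed, fmt.Sprintf("%s: was %s, now %s", name, sig, newSig))
		}
	}
	for name := range newSigs {
		if _, ok := oldSigs[name]; !ok {
			r.Added = append(r.Added, name)
		}
	}
	sort.Strings(r.Removed)
	sort.Strings(r.Changed)
	sort.Strings(r.Added)
	return r
}

// checkUpload (first bullet): a newer version of the same package is
// rejected when it breaks callers of the previous version.
func checkUpload(prevSrc, candidateSrc string) error {
	if r := diffInterface(prevSrc, candidateSrc); r.Breaking() {
		return fmt.Errorf("backwards incompatible: removed=%v changed=%v", r.Removed, r.Changed)
	}
	return nil
}

// sameAPIWarnings (second bullet): two packages claiming the same API are
// compared in both directions; every difference is a warning, not a rejection.
func sameAPIWarnings(pkgA, pkgB, srcA, srcB string) []string {
	var warnings []string
	r := diffInterface(srcA, srcB)
	for _, name := range r.Removed {
		warnings = append(warnings, fmt.Sprintf("%s lacks %s, which %s provides", pkgB, name, pkgA))
	}
	for _, name := range r.Added {
		warnings = append(warnings, fmt.Sprintf("%s lacks %s, which %s provides", pkgA, name, pkgB))
	}
	for _, c := range r.Changed {
		warnings = append(warnings, fmt.Sprintf("%s and %s disagree on %s", pkgA, pkgB, c))
	}
	return warnings
}

// Constructed sample descriptions for two versions of one package.
const ifaceV1 = `
# version 1
open(string, int) -> Handle
read(Handle, int) -> bytes
close(Handle)
`

const ifaceV2 = `
# version 2: close() removed, read() gained a parameter, seek() added
open(string, int) -> Handle
read(Handle, int, int) -> bytes
seek(Handle, int)
`

func main() {
	fmt.Println("upload check:", checkUpload(ifaceV1, ifaceV2))
	for _, w := range sameAPIWarnings("org.a.io", "org.b.io", ifaceV1, ifaceV2) {
		fmt.Println("warning:", w)
	}
}
```

Signature comparison here is plain string equality, so a real checker would want to normalize whitespace and distinguish, say, a widened parameter type from a genuinely incompatible one; the reject-versus-warn policy split is the part worth keeping.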

Security features:
* Verify ownership of package identifiers (org.example.xxxx)
  Perhaps some kind of validation-text-file-over-HTTPS validation?
  Perhaps github/gitlab/bitbucket/etc. verification through OAuth?
  Possibly offer some kind of DNS validation, e.g. "_slul-repo TXT ..."?
* Push for users to enable 2FA.
* Require signed uploads.
* Endorsed user signatures (web of trust). Maybe just use GPG for this?
* Endorsed package data. I.e. a package's source code can be reviewed
  by another user. That user then uploads a signature of the code.
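How the DNS-validation, signed-upload and endorsement bullets could fit together, as an added example (not code from this repository). Everything here is an assumption made for illustration: the `_slul-repo` TXT record is taken to carry `slul-owner=<hex ed25519 public key>` so that the domain behind `org.example.*` names the key allowed to publish under it, the DNS query is injected as a function so the example runs offline, and the names `acceptUpload`, `signingInput` and `countEndorsements` are made up. Ed25519 stands in for whichever signature scheme (GPG or otherwise) the repository would settle on:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed TXT format for the "_slul-repo TXT ..." idea: "slul-owner=<hex ed25519 public key>".
const ownerPrefix = "slul-owner="

// domainForPackage turns org.example.foo into example.org.
func domainForPackage(pkgID string) (string, error) {
	parts := strings.Split(pkgID, ".")
	if len(parts) < 3 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("package id %q is not tld.domain.name", pkgID)
	}
	return parts[1] + "." + parts[0], nil
}

// ownerKeyFromTXT picks the owner key out of the domain's TXT records.
func ownerKeyFromTXT(records []string) (ed25519.PublicKey, error) {
	for _, rec := range records {
		if !strings.HasPrefix(rec, ownerPrefix) {
			continue
		}
		raw, err := hex.DecodeString(rec[len(ownerPrefix):])
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("malformed slul-owner record %q", rec)
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, fmt.Errorf("no slul-owner record published")
}

// Upload is what a client submits; Signature covers id, version and content.
type Upload struct{ PkgID, Version string; Content, Signature []byte }

// signingInput binds a signature to one purpose and one exact upload, so an
// upload signature cannot be replayed as an endorsement or for another version.
func signingInput(purpose string, up Upload) []byte {
	h := sha256.New()
	h.Write([]byte(purpose + "\x00" + up.PkgID + "\x00" + up.Version + "\x00"))
	h.Write(up.Content)
	return h.Sum(nil)
}

// acceptUpload resolves the owner key through the injected TXT lookup and
// checks the upload signature against that key.
func acceptUpload(up Upload, lookupTXT func(name string) []string) error {
	domain, err := domainForPackage(up.PkgID)
	if err != nil {
		return err
	}
	key, err := ownerKeyFromTXT(lookupTXT("_slul-repo." + domain))
	if err != nil {
		return fmt.Errorf("ownership of %s unverified: %w", up.PkgID, err)
	}
	if !ed25519.Verify(key, signingInput("slul-upload", up), up.Signature) {
		return fmt.Errorf("upload signature for %s does not verify against owner key", up.PkgID)
	}
	return nil
}

// Endorsement is a reviewer's signature over the exact content they reviewed.
type Endorsement struct{ Reviewer ed25519.PublicKey; Signature []byte }

// countEndorsements counts endorsements from trusted reviewers that verify.
func countEndorsements(up Upload, ends []Endorsement, trusted map[string]bool) int {
	input, n := signingInput("slul-endorse", up), 0
	for _, e := range ends {
		if trusted[hex.EncodeToString(e.Reviewer)] && ed25519.Verify(e.Reviewer, input, e.Signature) {
			n++
		}
	}
	return n
}

// demo runs a constructed scenario (owner, trusted reviewer, impostor).
func demo() (ownerOK, impostorOK bool, endorsements int) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	reviewerPub, reviewerPriv, _ := ed25519.GenerateKey(rand.Reader)
	impostorPub, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	lookup := func(name string) []string { // stands in for a real DNS query
		if name == "_slul-repo.example.org" {
			return []string{"v=spf1 -all", ownerPrefix + hex.EncodeToString(ownerPub)}
		}
		return nil
	}
	up := Upload{PkgID: "org.example.foo", Version: "1.2.0", Content: []byte("constructed package bytes")}
	up.Signature = ed25519.Sign(ownerPriv, signingInput("slul-upload", up))
	ownerOK = acceptUpload(up, lookup) == nil
	forged := up // same content, signed by a key the domain never published
	forged.Signature = ed25519.Sign(impostorPriv, signingInput("slul-upload", forged))
	impostorOK = acceptUpload(forged, lookup) == nil
	ends := []Endorsement{
		{reviewerPub, ed25519.Sign(reviewerPriv, signingInput("slul-endorse", up))},
		{impostorPub, ed25519.Sign(impostorPriv, signingInput("slul-endorse", up))}, // not trusted
		{reviewerPub, up.Signature}, // wrong purpose: an upload signature is not an endorsement
	}
	endorsements = countEndorsements(up, ends, map[string]bool{hex.EncodeToString(reviewerPub): true})
	return
}
```

The purpose string hashed into `signingInput` is what keeps an endorsement and an upload signature from being interchangeable even when the same person holds both roles; a real deployment would additionally want the DNS answer to be DNSSEC-validated or confirmed through one of the other channels the list mentions, since an unauthenticated TXT lookup is only as trustworthy as the resolver path.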

One could also scan buildfiles recursively to find unverified/unclaimed
modules.

Data to host at a minimum:
* SLUL Buildfiles
* interfaces.slul files
* License files (if non-standard license)
* License additions (e.g. GPL special exceptions)

Data to index, and *maybe* host publicly:
* Source code releases
* GIT repos
It provides a lot of value to have a backup of everything in case
individual repos or source release files disappear.
Building and generating SHA-256 sums of the target files would also be cool
(with different architectures, compiler versions and optimization levels).
* Differing versions of dependencies should not matter!
* Optional dependencies do matter, however.
* This is also an interesting way to detect bugs in the compiler :)
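The build-matrix idea from the last bullets, as an added example (not code from this repository). It assumes a constructed `BuildResult` record per build and placeholder digests rather than real SHA-256 values; the grouping rule is the one the bullets state: architecture, compiler version, optimization level and the set of enabled optional dependencies define a configuration, and within one configuration the required dependencies' versions must not change the output, so any disagreement is reported (a compiler bug or a non-reproducible build), while differences across compilers or optional dependencies are expected and stay silent:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// BuildResult is one build of a package's target file. DepVersions holds the
// versions of required dependencies, which must not change the output;
// OptionalDeps lists the optional dependencies that were enabled, which may.
type BuildResult struct {
	Arch, Compiler, OptLevel string
	OptionalDeps             []string
	DepVersions              map[string]string
	SHA256                   string // digest of the built target
}

// configKey names the configuration within which all outputs must agree:
// architecture, compiler version, optimization level and optional deps.
func configKey(r BuildResult) string {
	opt := append([]string(nil), r.OptionalDeps...)
	sort.Strings(opt)
	return fmt.Sprintf("%s/%s/%s/[%s]", r.Arch, r.Compiler, r.OptLevel, strings.Join(opt, ","))
}

func depsString(deps map[string]string) string {
	parts := make([]string, 0, len(deps))
	for k, v := range deps {
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts)
	return strings.Join(parts, " ")
}

// findNondeterminism groups results by configuration and reports every
// configuration whose builds did not all produce the same digest, naming
// the dependency versions behind each distinct digest.
func findNondeterminism(results []BuildResult) []string {
	byConfig := map[string][]BuildResult{}
	for _, r := range results {
		byConfig[configKey(r)] = append(byConfig[configKey(r)], r)
	}
	keys := make([]string, 0, len(byConfig))
	for k := range byConfig {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var reports []string
	for _, k := range keys {
		seen := map[string]string{} // digest -> dependency versions that produced it
		for _, r := range byConfig[k] {
			if _, dup := seen[r.SHA256]; !dup {
				seen[r.SHA256] = depsString(r.DepVersions)
			}
		}
		if len(seen) < 2 {
			continue
		}
		var variants []string
		for sum, deps := range seen {
			variants = append(variants, sum+" from {"+deps+"}")
		}
		sort.Strings(variants)
		reports = append(reports, k+": "+strings.Join(variants, "; "))
	}
	return reports
}

// Constructed sample builds; the digests are placeholders, not real SHA-256 values.
var sampleBuilds = []BuildResult{
	{"x86_64", "slulc-1.0", "O2", nil, map[string]string{"org.example.libfoo": "2.1"}, "sha256:aaaa"},
	{"x86_64", "slulc-1.0", "O2", nil, map[string]string{"org.example.libfoo": "2.2"}, "sha256:aaaa"}, // agrees
	{"x86_64", "slulc-1.0", "O3", nil, map[string]string{"org.example.libfoo": "2.1"}, "sha256:bbbb"},
	{"x86_64", "slulc-1.0", "O3", nil, map[string]string{"org.example.libfoo": "2.2"}, "sha256:cccc"}, // differs
	{"aarch64", "slulc-1.1", "O2", []string{"zlib"}, nil, "sha256:dddd"},
	{"aarch64", "slulc-1.1", "O2", nil, nil, "sha256:eeee"}, // different optional deps: separate config
}

func main() {
	for _, report := range findNondeterminism(sampleBuilds) {
		fmt.Println("non-reproducible:", report)
	}
}
```

Running it reports only the O3 configuration, where the two libfoo versions yielded different digests; the O2 pair agrees and the two aarch64 builds land in different configurations because one enabled zlib. Published digests of this kind also give users a second, independent check on a downloaded build, which is the supply-chain value behind hosting them.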