[This was posted in "Online Package Manager" thread and moved to a separate thread by a moderator]
Hey, nice work, I've only briefly skimmed the 9 pages so sorry if I get something wrong.
There are some nice open source package managers out there where we can take inspiration from:
Node.js - https://github.com/yarnpkg/yarn
PHP - https://github.com/composer/composer
Go - https://github.com/GPMGo/gopm
Here is how I think a good package manager should work (draft done in 5 minutes, so it may have errors and security problems):
0. We must implement good security from the beginning to prevent possible hacks.
1. Everything should be encrypted using TLS (Let's Encrypt provides free certificates)
2. There must be a server curated by the Lazarus community members where package developers register an account and register their packages' metadata.
Package Developer interactions with the Package Manager
--------------------------
0. The interface should include REST API, GUI and command line interface
1. The developer registers an account on the server
2. The developer generates locally an RSA 4096 or Ed25519 keypair
3. The developer registers his/her public key on the server
4. The developer registers a package by posting a signed JSON file with metadata and receives the server's signature of JSON+JSON.sig (with this signature he can prove that he owns this package)
5. The developer registers a new version of the package by posting another signed JSON file (which includes version information, dependencies information, download information for the release archive AND its signature, etc.)
6. The server must accept a predefined set of package sources (i.e. GitHub, GitLab, BitBucket, etc. which must allow versioned releases)
Package User interactions with the Package Manager
--------------------------
0. The interface should include REST API, GUI and command line interface
1. The user requests to install "user"'s "package" with some version (defaults to latest version) (example lazpkg install bgrabitmap:bgracontrols:v4.3.1)
2. The package manager connects to our server, gets the user's key and package metadata (no more than 1KB information I think)
3. The package manager downloads the requested "package".tar.gz (which must include the signature from developer's step 4 inside the archive) and the "package.tar.gz.sig" (developer's signature of the current release), then the package manager checks all those signatures' validity (the package manager must have our server's public key as a trusted key) and throws an error if there is any inconsistency
4. Then the package manager installs any required dependencies
5. Then the package manager installs the required package
I can help with backend code, crypto and Linux installation and configuration on a VPS.
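The signing and verification flow proposed in the post above, as an added worked example (not code from the post, nor from any existing Lazarus package manager). It uses Go's standard-library crypto/ed25519 for the Ed25519 option the post mentions. Assumptions made here, beyond what the post states: the JSON metadata layout (PackageMeta), that the server's countersignature is a signature over the metadata bytes followed by the developer's signature, that package.tar.gz.sig is the developer's Ed25519 signature over the raw archive bytes, and a constructed byte string standing in for the tarball.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PackageMeta is the signed JSON a developer posts for a release (developer
// steps 4 and 5). The field set is an assumption for this example.
type PackageMeta struct {
	Owner   string `json:"owner"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Archive string `json:"archive"` // download URL of the release tarball
	SHA256  string `json:"sha256"`  // hex SHA-256 of that tarball
}

// Registration is what the server returns: the exact metadata bytes, the
// developer's signature over them, and the server's countersignature over
// both (the "signature of JSON+JSON.sig" in the post).
type Registration struct {
	Meta, DevSig, ServerSig []byte
}

// HexSHA256 is the digest form carried in the metadata.
func HexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DevSign serialises the metadata and signs those exact bytes. The same bytes,
// not a re-marshalled copy, must reach the server and the client.
func DevSign(devPriv ed25519.PrivateKey, m PackageMeta) (meta, sig []byte, err error) {
	if meta, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return meta, ed25519.Sign(devPriv, meta), nil
}

// ServerCountersign is the server side of step 4: verify the developer's
// signature against the key registered for the account, then countersign
// meta||devSig so the developer can later prove ownership.
func ServerCountersign(serverPriv ed25519.PrivateKey, devPub ed25519.PublicKey, meta, devSig []byte) (Registration, error) {
	if !ed25519.Verify(devPub, meta, devSig) {
		return Registration{}, errors.New("server: metadata not signed by the registered key")
	}
	signed := append(append([]byte{}, meta...), devSig...)
	return Registration{Meta: meta, DevSig: devSig, ServerSig: ed25519.Sign(serverPriv, signed)}, nil
}

// ClientVerify is user step 3. serverPub is the trusted key shipped with the
// client; devPub and reg come from the server; archive and archiveSig come from
// the package source. Nothing is installed unless every check passes.
func ClientVerify(serverPub, devPub ed25519.PublicKey, reg Registration, archive, archiveSig []byte) (PackageMeta, error) {
	var m PackageMeta
	signed := append(append([]byte{}, reg.Meta...), reg.DevSig...)
	switch {
	case !ed25519.Verify(serverPub, signed, reg.ServerSig):
		return m, errors.New("server countersignature invalid: metadata not registered")
	case !ed25519.Verify(devPub, reg.Meta, reg.DevSig):
		return m, errors.New("developer signature on metadata invalid")
	case !ed25519.Verify(devPub, archive, archiveSig):
		return m, errors.New("package.tar.gz.sig does not match the archive")
	}
	if err := json.Unmarshal(reg.Meta, &m); err != nil {
		return m, err
	}
	if HexSHA256(archive) != m.SHA256 {
		return m, errors.New("archive digest differs from the signed metadata")
	}
	return m, nil
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed stand-in for the real bgracontrols-v4.3.1.tar.gz bytes.
	archive := []byte("constructed tarball contents for bgracontrols v4.3.1")
	meta := PackageMeta{Owner: "bgrabitmap", Name: "bgracontrols", Version: "v4.3.1",
		Archive: "https://example.invalid/bgracontrols-v4.3.1.tar.gz", SHA256: HexSHA256(archive)}

	metaBytes, devSig, err := DevSign(devPriv, meta)
	if err != nil {
		panic(err)
	}
	reg, err := ServerCountersign(serverPriv, devPub, metaBytes, devSig)
	if err != nil {
		panic(err)
	}
	archiveSig := ed25519.Sign(devPriv, archive) // the package.tar.gz.sig file

	if m, err := ClientVerify(serverPub, devPub, reg, archive, archiveSig); err == nil {
		fmt.Printf("ok: install %s:%s %s\n", m.Owner, m.Name, m.Version)
	}
	// A mirror that swaps the tarball is caught before the digest is even compared.
	_, err = ClientVerify(serverPub, devPub, reg, []byte("swapped tarball"), archiveSig)
	fmt.Println("tampered archive:", err)
}
```

Two points the example makes concrete: the only key the client trusts a priori is the server's, so a server that vouches for a developer key the client has never seen is enough to bootstrap trust; and the server countersignature binds the metadata to the developer signature, so neither a re-signed copy by another key nor an unregistered release passes. Each dependency from user step 4 would go through the same ClientVerify before being installed.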