[Accepted with Modifications] SE-0292: Package Registry Service

Hi folks,

The 3rd review of SE-0292 has concluded. The review has been generally quiet, with feedback focused on making the OpenAPI spec more robust to explicitly highlight the support for redirecting proxies, which were one of the focus points of the 2nd review. As such, the proposal has been accepted with a few minor revisions:

  1. More clearly state in the proposal motivation or future directions sections that the package registry is designed to address the immutability and durability concerns in light of cases like "How an irate developer briefly broke JavaScript" (The Verge).
  2. Refine "A client SHOULD verify the integrity of a downloaded source archive" to "A client MUST verify the integrity of a downloaded source archive"
  3. Include the checksum of the source archive in the Package release metadata, and/or refine OpenAPI spec to make it clear it should include Digest and Content-Length headers.
  4. Make the support for redirecting proxies more explicit by explicitly listing 30x response codes in the OpenAPI spec.

The proposal and its approval mark an important step forward in the evolution of the Swift package ecosystem. The proposal went through a long review cycle and reflects important feedback from many members of the community. I would like to thank everyone who participated in the review and the proposal authors for their patience and hard work getting this proposal over the finish line.

Tom Doron,
Review Manager

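As an added illustration of the client-side checks that revisions 2 and 3 above call for, here is a small Python verifier. This is example code written for this thread, not part of the proposal, the registry spec or SwiftPM. It assumes the release metadata carries the archive's SHA-256 as a hex string and that the `Digest` header uses the RFC 3230 `sha-256=<base64>` form; the archive bytes and the response headers are constructed inline, and the hypothetical `ExamplePackage` name is a placeholder.

```python
import base64
import hashlib


class IntegrityError(Exception):
    """Raised when a downloaded source archive fails an integrity check."""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the archive bytes, the form assumed for metadata checksums."""
    return hashlib.sha256(data).hexdigest()


def parse_digest_header(value: str) -> dict:
    """Parse a Digest header such as 'sha-256=<base64>' into {algorithm: hex}.

    The 'algorithm=base64' shape follows RFC 3230; that the registry uses this
    exact form is an assumption, since the spec is not reproduced in the thread.
    """
    digests = {}
    for item in value.split(","):
        item = item.strip()
        if "=" not in item:
            continue
        algo, _, encoded = item.partition("=")  # split on the first '=' only
        try:
            raw = base64.b64decode(encoded.strip(), validate=True)
        except ValueError as exc:
            raise IntegrityError(f"malformed Digest value for {algo!r}") from exc
        digests[algo.strip().lower()] = raw.hex()
    return digests


def verify_archive(data: bytes, headers: dict, metadata_checksum=None) -> str:
    """Reject the archive unless it matches every checksum the registry provided.

    metadata_checksum: hex SHA-256 from the package release metadata, if any.
    headers: response headers of the archive download (matched case-insensitively).
    Returns the verified hex digest, or raises IntegrityError.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    actual = sha256_hex(data)

    # A truncated or padded body is caught by Content-Length before any hash compare.
    if "content-length" in hdrs:
        try:
            declared = int(hdrs["content-length"])
        except ValueError as exc:
            raise IntegrityError("unparseable Content-Length") from exc
        if declared != len(data):
            raise IntegrityError(f"Content-Length {declared} != {len(data)} bytes received")

    expected = set()
    if metadata_checksum:
        expected.add(metadata_checksum.lower())
    if "digest" in hdrs:
        digests = parse_digest_header(hdrs["digest"])
        if "sha-256" not in digests:
            raise IntegrityError("Digest header present but carries no sha-256 value")
        expected.add(digests["sha-256"])

    # With no checksum at all there is nothing to verify against, so refuse the archive.
    if not expected:
        raise IntegrityError("no checksum available from metadata or Digest header")
    # Metadata and header disagreeing is itself a red flag (e.g. a modifying proxy).
    if len(expected) > 1:
        raise IntegrityError("release metadata and Digest header disagree")
    if actual not in expected:
        raise IntegrityError("archive SHA-256 does not match the registry's checksum")
    return actual


# Constructed stand-in for a downloaded source archive (not a real package).
SAMPLE_ARCHIVE = b"PK\x03\x04constructed-archive-bytes-for-ExamplePackage-1.0.0"
EXPECTED_CHECKSUM = sha256_hex(SAMPLE_ARCHIVE)  # what the release metadata would list


def good_headers() -> dict:
    """Constructed download headers that are consistent with SAMPLE_ARCHIVE."""
    raw = hashlib.sha256(SAMPLE_ARCHIVE).digest()
    return {
        "Content-Type": "application/zip",
        "Content-Length": str(len(SAMPLE_ARCHIVE)),
        "Digest": "sha-256=" + base64.b64encode(raw).decode("ascii"),
    }


def check_download(data: bytes, headers: dict, metadata_checksum=None) -> tuple:
    """Wrap verify_archive so a caller gets ('ok', digest) or ('rejected', reason)."""
    try:
        return ("ok", verify_archive(data, headers, metadata_checksum))
    except IntegrityError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check_download(SAMPLE_ARCHIVE, good_headers(), EXPECTED_CHECKSUM))
    # Same length, one byte changed: passes Content-Length, fails the checksum.
    print(check_download(SAMPLE_ARCHIVE[:-1] + b"?", good_headers(), EXPECTED_CHECKSUM))
    # Truncated by a flaky proxy: caught by Content-Length.
    print(check_download(SAMPLE_ARCHIVE[:-4], good_headers(), EXPECTED_CHECKSUM))
```

The design point is that the client treats the checksum as mandatory (revision 2's MUST): an archive that arrives with neither a metadata checksum nor a `Digest` header is refused rather than accepted on trust, and a metadata value that disagrees with the header is rejected even when the bytes happen to match one of them.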

Just noticed that the entry for this on the Swift Evolution web site is still listed as being under active review.


thanks, addressed

Did any work on binary packages end up being done as part of this proposal? I saw there was a note under "Future directions" so I'm assuming not.

I'm doing research right now on archiving binary libraries and doing security-related dependency audits using tools like Artifactory. Artifactory doesn't have any support for SPM today, but I'm just gathering the current state for stakeholders.

We have some sensitivities around source distribution. So while the work around GitHub is interesting, we're looking at the future directions of this proposal. Has any work been started, or are there any new proposals being worked on?
