The review for SE-0272 has concluded. We had a uniformly positive response to the idea of supporting binary dependencies in SwiftPM and the high-level design, but there are a number of concerns that came up during review:
The option for disallowing binary dependencies was broadly considered to not provided enough value to be included. It would also be good to clarify in the proposal that opt-in/opt-out functionality can still be provided by clients of libSwiftPM as a workflow feature.
Storing the checksum in the resolved file was seen redundant by some folks. If a revision choses to omit this, we should instead propose to verify the commit hash that is already stored there to achieve similar results.
Several posts mentioned that the API could be simplified and it would make sense to reduce the complexity here since it isn't needed for the scoped down version of the initial pitch that is being proposed here.
A number of points should be spelled out more concretely in the proposal: verifications of the contents of the artifacts, the concrete layout of the ZIP file and the behaviour if there is no artifact available for the target platform.
Mirror support for this feature should be considered. That should include adding a new command for specifying mirrors for binary artifacts.
Thanks to all for your engagement, and for making this process work. Even when a review goes back for revision, we are still making progress, together, on the evolution of Swift.