i want to quote @Jon_Shier on the similar thread because i think it is a reasonable assessment based on the amount of movement we’ve seen in the past few years:
of course, i would love to be proven wrong, and it wouldn’t be the first time either. (variadic generics, finally!) but unlike the story of variadic generics, where many people insisted for a long time that it was important to them and they fully intended to get around to it someday, and what do you know, they actually did get around to it today… we’ve never really gotten any communication along the lines of “a package registry is important to us and we are going to build one eventually.”
instead we only hear “a package registry would solve a lot of problems (that people currently blame on SPM)” and that it would be really great if we had one.
in my personal opinion, the likelihood of a package registry emerging from the community is very low. the problem is not engineering (@daveverwer and @finestructure have demonstrated that it is possible to index swift packages on an ecosystem-wide scale), the problem is that a package registry is simply not a viable business.
a package registry is a fundamentally money-losing enterprise, like vaccine development. they store, index, and serve large amounts of data to client-side tooling (as opposed to displaying it to users directly) which means there is no opportunity to build pagerank, serve ads, or promote other services, in fact, ideally, the end user does not even know the registry exists, as SPM should abstract this detail away. and that is why we only see swift package registries today in paid ecosystems (e.g. artifactory).
it might help to do some case study into the business model of package registries in other languages.
-
crates.io (rust) is socialized. it is exclusively operated by their central language org (the Rust Foundation), which pays for its upkeep.
-
CocoaPods (swift/objc) is a consortium project. several large corporations pooled resources to build infrastructure they are the primary beneficiaries of.
-
RubyGems (ruby) is a public-private partnership. their central language org foots part of the bill and several large corporations that use ruby form the rest of the consortium. so it is essentially like CocoaPods except their government also behaves like an additional corporate sponsor.
-
PyPI (python) started out like crates.io and was gradually privatized, and today it is structured a lot like RubyGems.
-
NPM (javascript) is a gestalt project exclusively operated by Microsoft. the company is large enough that they can rationalize a return on their investment as “paying themselves”, both literally (it runs on their cloud platform) and figuratively (cultivating developers, “growing the pie”, blah blah blah).
there are no examples i am aware of, of a self-sustaining package registry.