Swift Package Manager needs its own Nuget

ShikiSuen · April 13, 2026, 1:35pm

I saw this PR today which made me worried:

github.com/swiftlang/swift-package-manager

feat: Source Archives and shallow clones (#9870)

main ← ordo-one:source-archive-download

opened 08:52AM - 01 Apr 26 UTC

vsarunas

+6739 -38

Download source archives from GitHub instead of performing full git clones for s…emantic version ranged dependencies. Sub-PRs: 1. https://github.com/swiftlang/swift-package-manager/pull/9909 2. https://github.com/swiftlang/swift-package-manager/pull/9910 3. https://github.com/swiftlang/swift-package-manager/pull/9911 4. https://github.com/swiftlang/swift-package-manager/pull/9912 ### Motivation: SPM currently clones the full git history (`git clone --mirror`) for every dependency. For projects with many dependencies, this results in long resolution times and large `.build/` directories due to pulling full version history. This PR takes a different approach that sidesteps git cloning entirely for the common case: downloading ZIP source archives directly from GitHub CDN. This PR provides typically 2x faster resolves and 3x smaller disk footprint for GitHub based repos. See the [forum post](https://forums.swift.org/t/swiftpm-2x-faster-resolves-3x-smaller-disk-footprint/85750) for extended motivation, benchmarks methodology, and edge case discussion. ### Modifications: Opt-in via `--experimental-source-archive-downloads` or `SWIFTPM_USE_SOURCE_ARCHIVES=1`. **Fetch strategy:** | Dependency type | Fetch method | |---|---| | Semver version, supported host, no submodules | ZIP archive download | | Semver version, supported host, has submodules | Shallow clone (`--depth 1 --recurse-submodules`) | | Branch or revision pin | Standard git clone | | SSH URL or unsupported host | Standard git clone | | Any failure in archive/shallow path | Fallback to standard git clone | **How it works:** 1. `git ls-remote --tags` - discover versions (same as today, zero API quota) 5. HTTP GET `Package.swift` from `raw.githubusercontent.com` - check tools-version compatibility 6. HEAD probes for manifest variants (`Package@swift-X.Y.swift`) - only 0.9% of packages use these 7. HTTP GET `.gitmodules` - determines ZIP vs shallow clone 8. Download ZIP archive or `git clone --depth 1 --recurse-submodules` 9. On any failure - fallback to `git clone --mirror`, per-dependency All metadata cached permanently by commit SHA. Downloads go through a two-tier cache (shared global - workspace-local) and are prefetched in parallel. The existing git path reads manifests by forking `git ls-tree` + `git cat-file` subprocesses per version against the local bare mirror - sequential process forks that add up during resolution. The source archive path replaces these with HTTP GETs to CDN endpoints, avoiding per-version process fork overhead and enabling concurrent manifest fetching. **Extensibility:** Host-specific behavior is behind the `SourceArchiveProvider` protocol - two methods (`archiveURL(for:)` and `rawFileURL(for:sha:)`) plus a `cacheKey`. Adding GitLab or Bitbucket support means implementing one type conforming to this protocol. **Authentication:** Private repos work if HTTPS auth is configured. The `GitHubTokenAuthorizationProvider` wraps SPM's existing `AuthorizationProvider` (netrc, keychain, credential helpers) and falls back to `GITHUB_TOKEN` / `GH_TOKEN` environment variables for GitHub hosts (`github.com`, `raw.githubusercontent.com`, `codeload.github.com`). SSH-only repos are detected early via a validation probe and fall back to git. **Cache directory structure:** ``` .build/ source-archives/{identity}/{version}/ <- extracted source tree shallow-clones/{identity}/ <- shallow clone with submodules ~/.cache/org.swift.swiftpm/ source-archives/ downloads/{identity}/{version}/ <- shared extracted source (not ZIP) metadata/{owner}/{repo}/{sha}/ <- manifest + submodule flag (immutable by SHA) metadata.json Package.swift Package@swift-6.0.swift <- variant, if found shallow-clones/{identity}/{version}/ <- shared shallow clones ``` ZIP is deleted after extraction. Cache hits are directory copies. `swift package purge-cache` clears all new cache directories. **Key design decisions:** - **Tags not SHAs for archive URLs** - GitHub generates different ZIP bytes for `/zip/{sha}` vs `/zip/refs/tags/{tag}` even for the same commit. The file contents are identical, but the top-level directory name differs (e.g., `swift-log-1.6.3` vs `swift-log-3d8596ed08bd13520157f0355e35caed215ffbfa`), which changes the ZIP entry headers and thus the checksum. Using tags consistently avoids spurious TOFU checksum mismatches. - **`codeload.github.com` directly** - avoids the 302 redirect from `github.com/.../archive/...` that crashes Foundation's `URLSession` on Linux (`_HTTPURLProtocol.configureEasyHandle` fails during `didCompleteRedirectCallback` in `libFoundationNetworking.so`). - **Annotated tag peeling** - `git ls-remote` returns both the tag object SHA and the dereferenced commit SHA (`^{}`); parser prefers the peeled SHA. - **Validation probe on container creation** - fetches tools version for 3 recent versions to detect HTTPS issues early (e.g., `insteadOf` rewrites, SSH-only auth). - **`Package.resolved` unchanged** - revision SHAs from `git ls-remote` are identical to git checkout. - **ZIP determinism** - GitHub does not guarantee byte-stable archives forever. In January 2023, a Git upgrade changed the compression library used by `git archive`, silently altering checksums for every repository - identical source, different bytes. It was [rolled back](https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/) after breaking Bazel, Homebrew, and Nix, and GitHub now [commits to](https://github.blog/open-source/git/update-on-the-future-stability-of-source-code-archives-and-hashes/) at least one year of stability with six months' notice before changes. If it happens again, TOFU checksums stored on one machine become invalid. The fix is `swift package purge-cache` to accept new checksums. A future central registry would eliminate this entirely by serving its own immutable archives. **Test coverage:** **68 tests** | **87.6% line coverage (1,280/1,461)** | File | Coverage | Lines | |------|----------|-------| | `Basics/SourceArchiveMetadataCache.swift` | **100.0%** | 65/65 | | `Basics/SourceArchiveProvider.swift` | **100.0%** | 3/3 | | `Workspace/SourceArchiveDownloader.swift` | **99.4%** | 162/163 | | `Basics/SourceArchiveResolver.swift` | **93.3%** | 222/238 | | `Workspace/PackageContainer/SourceArchivePackageContainer.swift` | **93.3%** | 377/404 | | `Basics/GitHubSourceArchiveProvider.swift` | **90.1%** | 73/81 | | `Workspace/Workspace+SourceArchives.swift` | **74.6%** | 378/507 | <details> <summary>What's not covered</summary> **`Workspace+SourceArchives.swift` (74.6%)** - largest gap: - `removeSourceArchive` / `removeShallowClone` - cleanup paths - Shallow clone with shared cache path (copy-from-cache and copy-to-cache branches) - `prefetchSourceArchives` - the full prefetch loop including cancellation handling - `canUseSourceArchive` guard checks - `downloadSourceArchive` - the real download-and-extract path using `SourceArchiveDownloader` (vs the mock path tested in integration tests) **`SourceArchiveResolver.swift` (93.3%)**: - `defaultGitTagsProvider` - the real `git ls-remote` fallback (tests inject a mock provider) - Some defensive guards in tag parsing (empty SHA, non-hex SHA, non-`refs/tags/` prefixes) - `probeManifestVariant` when no candidates exist **`SourceArchivePackageContainer.swift` (93.3%)**: - `shouldInvalidatePinnedVersions`, `description` - trivial properties - `isToolsVersionCompatible` - async compatibility check - Tag preference logic when a new tag has more dot-components than an existing one - `prefetchManifestContents` early-return when all SHAs are cached - Git container fallback for revision/unversioned queries **`GitHubSourceArchiveProvider.swift` (90.1%)**: - `archiveURL` / `rawFileURL` - the real URL construction (tests use the protocol, not GitHub-specific URLs) - `preconditionFailure` branches for malformed URLs - Empty owner/repo guard in `parseGitHubURL` </details> ### Result: Zero changes to `Package.swift`, `Package.resolved`, or any public API. When enabled: **Cold resolve** (all caches wiped), 10 runs across Mac ARM + Linux x86: | Project | Deps | Archives p50 | Git p50 | Faster | |---|---|---|---|---| | spi-server | 67 | 68s | 100s | **25-40%** | | swiftpm-large-project | 48 | 46s | 93s | **50-55%** | | penny-bot | 47 | 44s | 78s | **40-47%** | | container | 29 | 26s | 42s | **34-43%** | `.build/` disk: **1.4-3.2x smaller** across all tested projects.

Here are my thoughts below. (Machine translated from zh-Hans; I manually reviewed the texts.)

Strongly negative on the direction proposed in this PR, despite understanding the GOOD intention behind it.

Conclusion upfront: Swift needs a first-party, ecosystem-neutral package hosting solution (akin to NuGet), rather than further deepening coupling with any single third-party platform.

Concerns

Over-reliance on GitHub as infrastructure

Swift Package Manager already has a de facto dependency on GitHub, since a large portion of packages are hosted there. This PR appears to further institutionalize that dependency at the tooling level.

From an ecosystem design perspective, this introduces a structural risk:
- A single platform becomes a critical dependency for package discovery and distribution
- Availability, access policy, or regional connectivity issues directly impact Swift development workflows
- It weakens the long-term portability of the ecosystem
Global accessibility and reliability

In some regions, access to GitHub is unstable or degraded. While this may not be a primary concern for all contributors, it does affect real-world usability of SPM at scale.

Tooling decisions should ideally avoid hard dependencies on infrastructure that is not universally reliable.
Ecosystem neutrality

A language-level package manager should remain platform-agnostic. Tight coupling with a specific hosting provider (even implicitly) creates:
- Perception of vendor lock-in
- Reduced incentive for alternative registries or mirrors
- Barriers for organizations with internal or self-hosted infrastructure

Suggested Direction

Instead of reinforcing GitHub-centric workflows, I would strongly encourage exploring:

An official Swift package registry ecosystem (similar in spirit to NuGet)
First-class support for multiple registries and mirrors
Clear separation between package identity and hosting location

This would:

Improve resilience and global accessibility
Encourage a healthier, more decentralized ecosystem
Align Swift with the direction taken by other modern language ecosystems

Final Note

The intention behind improving usability is appreciated. However, the current direction may solve short-term friction at the cost of long-term ecosystem robustness.

I would recommend reconsidering the approach from a more infrastructure-neutral standpoint.

dschaefer2 · April 13, 2026, 3:09pm

Thanks @ShikiSuen! I appreciate your words here.

Better mirroring support is one of the main areas we need to look at for SwiftPM. We know a lot of teams that have internal git mirrors of packages on GitHub, mainly for supply chain security and to ensure availability. Those teams may not benefit from a performance enhancement that is specific to GitHub APIs. I also see teams reaching for internal package registries as a performance solution. And that’s why we continue to support package registries today.

As you mention, SwiftPM does need a better way to declare that a package with a given identity is hosted at multiple locations and the user needs a good way to specify the priority order of those locations so SwiftPM can make the right choice depending on the circumstances.

I think this PR that speeds up packages stored GitHub is a good thing for a lot of users. We just need to make sure we keep the architecture clean as more and more of these solutions come about so that we can work them into a better mirroring solution and potentially other fundamental features we may add to packages over time, like a better way to do binary artifacts or integrate non-package source archives and external build systems, or whatever else we can dream up to make Swift Packages better :).

ShikiSuen · April 13, 2026, 3:21pm

Hi, Doug. Thanks for the thoughtful reply. I really appreciate you taking the time to address my concerns.

I completely agree that better mirroring support is one of the highest-priority areas for SwiftPM. Your point about teams already using internal Git mirrors (for supply-chain security and availability) and the need for a clean way to declare that the same package identity can be hosted at multiple locations — with user-specified priority — is exactly the direction I was hoping for.

To make that concrete, I’d love to see a future feature that lets users configure their own URL-replacement map (original URL → mirror URL). This would allow SPM to automatically rewrite repository URLs at resolution time, including for transitive dependencies.

A practical real-world example: GitHub access is often unstable or very slow from within Mainland China. Domestic mirrors like Gitee and AtomGit already host many popular Swift packages (and SPM’s SHA verification keeps this safe), but the internal dependencies of those packages frequently still point back to GitHub. The result is that Xcode can hang for hours during dependency resolution.

A configurable mirror map would solve exactly this kind of scenario without requiring changes to every upstream Package.swift.

Again, thank you for the reply and for confirming that mirroring is already on the roadmap. Looking forward to seeing how this evolves.

(This reply is translated using Grok to make the English reading experience more-comfortable. I post-reviewed this translation result.)

dschaefer2 · April 13, 2026, 3:33pm

We do have that capability today using swift package config set-mirror. It is a simple URL rewrite and will actually work with binary artifacts in upcoming releases too. However it doesn’t work if you’re trying to mirror to a package registry.

ShikiSuen · April 13, 2026, 4:20pm

Thanks for these intel. It helps a lot. I have 2 questions:

You mentioned upcoming releases. Is this Swift 6.4?
I can’t understand what is mirror to a package registry. Is package registry something different than a package URL?

Sarunas · April 13, 2026, 4:25pm

Over-reliance on GitHub as infrastructure

GitHub is already relied on; this simply gives another endpoint to GitHub.
Support for GitLab and BitBucket can easily be added. Nothing is being taken away.

Global accessibility and reliability

I doubt that a small team can do a better global availability and reliability.

Ecosystem neutrality

It does remain agnostic; if a GitHub HTTP URL is detected, instead of cloning a full repository, a smaller tarball will be fetched; swift-nio download will become 2MB instead of 80MB; won't this make your Xcode downloads much faster and more stable?

An official Swift package registry ecosystem (similar in spirit to NuGet)

There needs to be a team to manage this, someone needs to pay for bandwidth costs, someone needs to ensure that the code hosted is correct and not-compromised and replaced from the source to what is being served out.

Neither https://proxy.golang.org/ nor https://crates.io/ host Git, they serve only source tarballs.

wes1 · April 13, 2026, 4:43pm

Where there’s a long-standing need that’s long-neglected, there are typically structural reasons.

It’s easy to elaborate features that would be good for Swift open-source developers in this regard, but who can sustainably satisfy the high level of trust and engineering required to deliver and maintain, and why would they?

The people behind the PR have contributed a well-founded, well-engineered tweak to current practice that adds measurable benefits, but no extra downsides (assuming the added complexity doesn’t get tripped up). How would holding up this PR help with the structural problem?

dschaefer2 · April 13, 2026, 4:51pm

The mirrors functionality has been there for a long time. It’s coming to binary artifacts in a cherry-pick I just pushed in for the next 6.3 release.

In a sense, package registries are a mirror at given versions of a package. They actually end up being new package identities so aren’t handled by the mirrors file. It would be nice to have a common solution that handles both.

snej · April 14, 2026, 3:48pm

Git itself supports lightweight clones that don’t include the full history. I’m no guru so I can’t rattle off how to do it; but I’ve used this in the past to clone [subdirectories of] LLVM cheaply. Couldn’t this proposal use that feature instead of a GitHub-specific download API? (Or at least as an alternative when the repo isn’t hosted by GitHub?)

dschaefer2 · April 14, 2026, 8:06pm

The current git clone is done for version resolution so we know what versions we have and we can look at each version’s package manifest so we can see what each one depends on. Based on which version that package resolves to we then do a shallow clone into the scratch path from the clone in the SwiftPM cache.

A package registry or the currently proposed use of the Github APIs is intended to speed that up by providing alternative means of finding the versions and fetching the manifests and avoid the full clone and only fetch the resolved version’s source archive.

Git was a great way to launch the Swift ecosystem and has really paid off. Now that we have so many complex packages with lots of dependencies, we are seeing a lot of contributors working on different ways to speed things up. That’s great to see.