Package Manager Design Tradeoffs

17 points by robalex


technomancy

Overall a good summary, but there are a few things I'd put differently.

One version vs many versions retained

More importantly, one version is appropriate for cases where the package manager is used by end users and package curators take responsibility for determining which version is available to end users, while multiple versions are necessary when the user of the package manager is a professional developer who can take responsibility for delivering the software to the end user.

System-wide vs per-project installation

Again, this is a very clear difference in the intended audience. System-wide installation is necessary for end-users but a nightmare for developers who use this to build their own deployments. (See pre-bundler rubygems for an example.) Trying to frame this as two equally-valid solutions to the same problem just confuses things worse.

Maximal selection gives you bug fixes and security patches automatically. You’re running versions closer to what maintainers tested. But you’re always one bad publish away from breakage, and builds change over time as new versions appear. Minimal selection is deterministic without a lockfile since the algorithm itself produces stable results.

This is also an oversimplification; it's possible to get stability and determinism without a lockfile without always choosing the oldest version; you can instead resolve to the version which is closest to the root of the tree. Maven's resolution algorithm does this, and it works great.

Flat vs scoped vs hierarchical namespaces

Maven's namespaces are not hierarchical; they're just two-level rather than one-level. You can't nest one group under another, so it's not a hierarchy; it just looks like one at a superficial glance.
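The three resolution strategies argued about above (nearest-to-root, as in Maven; minimal version selection, as in Go; and "always take the newest") on one small dependency graph. This is an added illustration, not code from the article or from either commenter, and it simplifies heavily: versions are integers, a declared dependency version is treated as a lower bound by the minimal and maximal strategies, and the nearest-wins strategy treats it as Maven does, as a declaration that is overridden by whichever declaration sits closest to the root (first declared wins on ties). The registry, the module names and the `publish` helper are constructed for the example.

```python
"""Three dependency-resolution strategies on one constructed dependency graph.

Registry shape (constructed for this example, not a real package index):
    module -> {version: {dependency_module: declared_version}}
"""
import copy
from collections import deque

# Constructed example: "app" pins log 1 directly, but the web library it
# uses wants a newer log. Which log ends up on the classpath depends on the
# resolution strategy, which is exactly the disagreement in the thread.
REGISTRY = {
    "app": {1: {"web": 2, "log": 1}},
    "web": {1: {"log": 1}, 2: {"log": 2}, 3: {"log": 3}},
    "log": {1: {}, 2: {}, 3: {}},
}


def nearest_wins(registry, root, version):
    """Maven-style 'nearest definition': walk breadth-first from the root;
    the first declaration seen for a module fixes its version, and deeper
    (or later) declarations of the same module are ignored.  Deterministic
    without a lockfile, and not biased toward the oldest version."""
    chosen = {root: version}
    queue = deque([(root, version)])
    while queue:
        mod, ver = queue.popleft()
        for dep, declared in registry[mod][ver].items():
            if dep not in chosen:  # first (nearest) declaration wins
                chosen[dep] = declared
                queue.append((dep, declared))
    return chosen


def minimal_version_selection(registry, root, version):
    """Go-style MVS: collect every (module, version) reachable in the
    requirement graph, then take the per-module maximum of the declared
    minimums.  Nothing newer than a version somebody declared is ever
    picked, so a new publish cannot change the result."""
    seen = {(root, version)}
    stack = [(root, version)]
    while stack:
        mod, ver = stack.pop()
        for dep, minimum in registry[mod][ver].items():
            if (dep, minimum) not in seen:
                seen.add((dep, minimum))
                stack.append((dep, minimum))
    chosen = {}
    for mod, ver in seen:
        chosen[mod] = max(chosen.get(mod, ver), ver)
    return chosen


def maximal_selection(registry, root, version):
    """'Newest that satisfies the constraints': every declared version is a
    lower bound and the resolver picks the newest published version above
    it.  Fixes and patches arrive automatically, but the result changes
    whenever anyone publishes, so a lockfile is needed for repeatability."""
    chosen = {root: version}
    changed = True
    while changed:
        changed = False
        for mod, ver in list(chosen.items()):
            for dep, minimum in registry[mod][ver].items():
                # ValueError here means no published version satisfies the bound.
                newest = max(v for v in registry[dep] if v >= minimum)
                if chosen.get(dep) != newest:
                    chosen[dep] = newest
                    changed = True
    return chosen


def publish(registry, module, version, deps):
    """Return a copy of the registry with one more version published
    (simulates an upstream release happening after your build was written)."""
    updated = copy.deepcopy(registry)
    updated.setdefault(module, {})[version] = deps
    return updated


if __name__ == "__main__":
    after_release = publish(REGISTRY, "log", 4, {})  # somebody ships log 4
    for name, resolve in [("nearest-wins", nearest_wins),
                          ("minimal", minimal_version_selection),
                          ("maximal", maximal_selection)]:
        print(f"{name:13} before: {resolve(REGISTRY, 'app', 1)}")
        print(f"{name:13} after:  {resolve(after_release, 'app', 1)}")
```

Running it shows the three outcomes side by side: nearest-wins keeps `log` at 1 because `app` declares it directly (and `web` 2 silently runs against an older `log` than it asked for, which is the classic Maven foot-gun), minimal selection settles on `log` 2, and maximal selection picks `web` 3 and `log` 3, then moves to `log` 4 the moment it is published while the other two strategies are unchanged.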

k749gtnc9l3w

… And sometimes you can take a mix of both sides, if you spend some complexity. Even single-version-only systems usually have some packages with multiple versions available for pinning! Binary distributions vary in how easy it is to opt to build from source instead. And periodic/rolling release is package set design, not package manager!