If It Quacks Like a Package Manager
27 points by raymii
For reasons at $DAYJOB I'm working on a system that would let users submit and run Starlark scripts that take some input data and transform it according to their needs. The scripts are stored on a database and versioned in a simple manner. The other day I was debating whether we should allow scripts to import each other; intuitively, it'd make sense to have a script acting as a "library" that contains functions to deal with common objects that most scripts are expected to be handling.
After some thinking and some discussions I realized that this would eventually turn into a scuffed package manager with no versioning and that we would eventually have to deal with all of the problems described in the post. I went ahead and made load() always return an error, and tomorrow I think I'll be adding a link to this post in the code to hopefully dissuade anybody else from changing that. As the gopher says, a little copying is better than a little dependency.
"If your tool has these problems, it’s a package manager, and no amount of calling it a “plugin system” or “marketplace” will stop the supply chain attacks from quacking at your door."
Because I agree, I conclude that you have options for multi-OS, multi-language package managers, and if you can distribute your plugin systems and marketplaces as packages in those ecosystems, you can help to make the world a little less complicated.
Nix and … ?
pkgsrc from NetBSD (supports plenty of other Unix-like systems, including Linux, Solaris derivations etc)