What governments and funders could do
Suggestions for policy and for funding
6 Matching Annotations
- Last 7 days
-
nesbitt.io nesbitt.io
-
-
The gap between these columns is where standardization would reduce switching costs. Not building a European deps.dev, but defining a common dependency graph API. Not building a European Dependabot, but standardizing how dependency updates get proposed. A protocol for package management could let different implementations compete on the same interfaces. GitHub and GitLab bundle dependency features into their platforms: dependency graphs, vulnerability alerts, automated updates. A self-hosted Forgejo or Gitea instance doesn’t have equivalent tooling. But if those features were built on open standards and open data sources, switching forges wouldn’t mean losing supply chain visibility. The dependency intelligence could come from any provider that implements the same interfaces, rather than being locked to the forge vendor. Some gaps need new standards rather than adoption of existing ones. There’s no good specification for package version history across registries. Codemeta describes a package at a point in time, not its release history. PkgFed proposes using ActivityPub to federate release announcements, similar to how ForgeFed handles forge events.
This points to where standards can reduce friction. a common dependency graph API standard for proposing dependency update protocol for package management dependency features based on open standards / open data so that dependency intelligence is not a lock-in element.
New standards need for package version history across registries. Mentions PkgFed en Forgefed vgl [[PkgFed ActivityPub for Package Releases]]
-
Other areas don’t, which keeps switching costs high. Dependency graph APIs vary by platform, vulnerability scanning integration is proprietary per forge, Dependabot and Renovate each have their own config format, and package metadata APIs differ across registries.
Areas that do not have (de facto) standards, meaning high switching costs: dependency graph APIs vulnerability scanning integration package metadata APIs are all different.
-
some areas have formal specifications. PURL provides a standardized way to reference packages across ecosystems. OSV and OpenVEX let advisory data flow between systems. CycloneDX and SPDX handle SBOMs. SLSA, in-toto, and TUF cover provenance. OCI standardizes container images.
Formal standards exist for some areas only. Mentions Purl for references to packages OSV OpenVEX for advisory data flows Cyclone DX and SPDX for SBOMs, SLSA in-toto, TUF on provenance OCI for container images. How many of these are indeed formal standards? Does he mean documented ?
- [ ] return to search if these are formal standards, and by which standards body, plus links
-
Eaves’s commodification argument depends on standards to reduce switching costs. In the package management landscape, some de facto standards have emerged. Git is nearly universal for source hosting. Semver is the dominant versioning scheme, even if ecosystems interpret it differently. Lockfile formats vary by ecosystem, but they’ve become standards in practice: every dependency scanning company builds the same set of parsers to extract dependency information from all of them. Syft, bibliothecary, gemnasium, osv-scalibr, and others all parse the same formats. I made a dataset covering manifest and lockfile examples across ecosystems, and a similar collection of OpenAPI schemas for registry APIs. These are what made git-pkgs come together quickly.
In package management there are a range of de facto standard modes of operation. These are not formal standards, just emerged in practice.
-
-
nesbitt.io nesbitt.ioAbout1
-
I’m Andrew Nesbitt. I’ve spent the last decade thinking about package management.
Andrew Nesbitt is a specialist in package management. Runs ecosyste.ms, open API and data that tracks packages, repo's and dependencies to see ecosystem health.
-