@christroutner
Last active November 7, 2022 21:07
Radicle Package Manager Grant Application

Radicle Grant Application - Package Manager

  • Project Name: Package Manager Research
  • Team Name: Chris Troutner
  • Payment Address: 0x4fdcEcf844B578d0190AFe267c498B2a0253A084
  • Level: 🌱-Seed

Project Overview 📄

The scope of this project is to conduct research into package management systems. The goal is to evaluate the work necessary to create an embedded package registry system within Radicle, similar to GitHub Packages.

Radicle has done a great job decentralizing the features of GitHub. This grant helps Radicle take another step by decentralizing a package management system. Many programming languages have package registries, the JavaScript npm registry and Docker Hub being two of the most famous. Package registries are where code dependencies are stored and downloaded from. GitHub has decided that creating a package registry to compete with npm, Docker Hub, and other registries is a natural fit for their business. It's also a natural fit for Radicle: in addition to storing code, Radicle could also be used to store and fetch the dependencies needed by that same code.

This grant started from a conversation between Bordumb (Radicle Community) and myself. I founded the Permissionless Software Foundation DAO, and I wrote this research article encouraging other members of the PSF to back up their code to Radicle. I received a retroactive grant as a result of my efforts. The PSF is a consortium of entrepreneurs and JavaScript developers, and we are painfully aware of how dependent we are on the centralized npm service. Decentralizing our code with Radicle was a natural first step, and now we'd like to take the next step with Radicle by decentralizing npm dependencies.

Building a package repository that could replace npm is merely a step down a longer road. If that is accomplished, the package repository could be expanded to additional programming languages. It could even be integrated with operating-system-level package managers like brew and tea, which would allow Radicle to securely distribute binary files.

The scope of this project is not to do any of this work, but simply to research and develop a roadmap. Through discussions with Radicle community devs, we've created a list of several open-ended questions. This grant would pay for the research needed to answer these questions, and perhaps build a simple proof-of-concept.

Team 👥

Team members

  • Chris Troutner

Contact

Legal Structure

  • Registered Address: 1004 Commercial Ave #458, Anacortes WA 98221
  • Registered Legal Entity: Chris Troutner (Sole Proprietor)

Team's experience

Team Code Repos

Team LinkedIn Profiles

Project Description 📄

The scope of this project is to conduct up to 100 hours of research and prototyping. This grant will be broken up into phases:

  1. The first phase is concerned with assessing the feasibility of using Radicle as a package repository, similar to npm or GitHub Packages. Initial research will focus on:
     • Generating an npm-compatible package from source code obtained from Radicle.
     • Signing packages with Radicle keys.
     • Uploading the package to a decentralized hosting site such as Radicle, Filecoin, or Arweave.
     • Adapting Verdaccio to serve these Radicle packages, and fall back to npm if the package cannot be found.
  2. Once the first phase is complete, a second phase of research may be conducted to evaluate the feasibility of serving binary files from Radicle, and the ability to integrate those packages into operating-system-level package managers such as brew or tea.

Deliverables 🔩

In the spirit of Radicle open source, the research will be published in blog-style format, and a final report will summarize the results of the research for posterity. If the research takes less than 100 hours, then funds will be returned to Radicle DAO. There is a good chance that this research will spawn another grant.

  • Total Estimated Duration: (up to) 100 hours
  • Full-time equivalent (FTE): 12.5 FTE days
  • Total Costs: $10,000

Milestone 1 - npm Compatibility

  • Estimated Duration: 60 hours
  • FTE: 7.5 FTE days
  • Costs: $6,000

| Number | Deliverable | Specification |
|--------|-------------|---------------|
| 1. | Package code | Generate an npm-compatible package from source code obtained from Radicle |
| 2. | Package signing | Sign packages with Radicle keys |
| 3. | Package upload | Research best way to upload packages |
| 4. | Verdaccio integration | Research the best way to integrate with Verdaccio |

At the end of the first milestone, we should have a very clear picture of the feasibility of using Radicle as a package repository. Verdaccio is an npm proxy. The goal is to have it preferentially serve packages from Radicle, and then fall back to npm if it can't find the package. In this way, the existing user experience is unchanged, which is good UX. The users can simply 'opt in' to using decentralized infrastructure without changing their workflow at all.

Verdaccio, however, is not our only option, just the most apparent low-hanging fruit. As new information comes to light during this research, the plan will adapt.

Milestone 2 - Operating System Packages & Binaries

  • Estimated Duration: 20 hours
  • FTE: 2.5 FTE days
  • Costs: $2,000

| Number | Deliverable | Specification |
|--------|-------------|---------------|
| 1. | Brew & Tea Integration | Research integration with brew and tea |
| 2. | Binary signing & delivery | Research modifications needed to signing and upload for binary files vs npm packages |

After the first milestone is complete, and if there is still budget left, the research will be extended to operating-system-level package managers. This is a 'level up' from code package managers. The goal of this step is to be able to distribute arbitrary binaries, and sign them with Radicle keys, in a format that can be integrated with brew or tea.

Milestone 3 - Final Report

  • Estimated Duration: 20 hours
  • FTE: 2.5 FTE days
  • Costs: $2,000

| Number | Deliverable | Specification |
|--------|-------------|---------------|
| 1. | Final Report | Summarize the research and recommend next steps |

The final deliverable for this grant will be a report. It will summarize the results of the research and recommend paths forward for Radicle. It will discuss the technical trade-offs between the different paths forward.

Future Plans

GitHub Packages provides an excellent blueprint for Radicle to improve upon, in order to implement their own package registry. It is highly likely that this research project will result in a second grant, to build out the repository features into Radicle, including documentation.

As a developer who loves JavaScript and decentralized tech, I'm extremely excited at the possibility of having a decentralized replacement for npm. The developers who are a part of the Permissionless Software Foundation will eagerly dogfood this technology. We work hard to promote censorship-resistant software.
