Git tracks the history of changes, but in a pm we don't really care about the history, at least not when we are installing. These are the properties that I think we do need.
- security: It must be possible to check the current deps, and know if a single bit has been flipped.
- replication: It must be possible to share that hash, and someone else would do `pm checkout <hash>` and get exactly the same code as you.
- determinism: If I install X, Y then Z, and you install Z, then X then Y, we should get the same dep tree. If those deps have deps that need to be shuffled around, then it should do that and keep it always optimal.
- portability: package management is too hard a problem to roll another one for every language. They all suck, more or less. This should be usable for any language, or things that have dependencies.
- conflicts: The best thing about npm is that it allows two modules to depend on different versions of another module. This generally makes development easier. But sometimes there is a global module that there can only be one of (framework, type definition, etc.). Also, some languages only support singly-versioned modules. Also, sometimes you might want to resolve a flat tree to optimize file sizes.
- speed: It must be fast. If an install takes too long, I get distracted.
These are the properties that I think we need. There are also other areas, like, how are module names assigned, and who can update what, that could also be improved, but those things are not as computer-sciency and it's not as objective.
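The security, replication and determinism properties above all fall out of one design choice: a Merkle-style hash over sorted file contents and sorted dep hashes. The sketch below is an added example, not code from the post or from any real package manager; the package set `PACKAGES` and the helper names (`package_hash`, `tree_hash`, `verify`, `flip_one_bit`) are constructed for illustration.

```python
import copy
import hashlib

# Constructed sample package set (not real modules): name -> files and deps.
# The dep graph is assumed to be acyclic.
PACKAGES = {
    "a": {"files": {"index.js": b"module.exports = require('c')(1);\n"}, "deps": ["c"]},
    "b": {"files": {"index.js": b"module.exports = 2;\n"}, "deps": []},
    "c": {"files": {"index.js": b"module.exports = n => n + 1;\n",
                    "package.json": b'{"name":"c"}\n'}, "deps": []},
}


def package_hash(name, packages):
    """Merkle-style hash of one package: a hash over its file digests plus
    the hashes of its deps, each visited in sorted order so that the order
    in which things were installed (or stored in a dict) never matters."""
    pkg = packages[name]
    h = hashlib.sha256()
    for path in sorted(pkg["files"]):
        digest = hashlib.sha256(pkg["files"][path]).hexdigest()
        h.update(f"file {path} {digest}\n".encode())
    for dep in sorted(pkg["deps"]):
        h.update(f"dep {dep} {package_hash(dep, packages)}\n".encode())
    return h.hexdigest()


def tree_hash(installed, packages):
    """Hash of a whole installed dep set: the value you would share so that
    someone else can check out exactly the same code."""
    h = hashlib.sha256()
    for name in sorted(set(installed)):
        h.update(f"{name} {package_hash(name, packages)}\n".encode())
    return h.hexdigest()


def verify(installed, packages, expected):
    """The 'security' check: True only if every byte of every dep matches."""
    return tree_hash(installed, packages) == expected


def flip_one_bit(packages, name, path):
    """Return a copy of the package set with a single bit flipped in one file,
    to show that the tree hash detects even that."""
    altered = copy.deepcopy(packages)
    data = bytearray(altered[name]["files"][path])
    data[0] ^= 0x01
    altered[name]["files"][path] = bytes(data)
    return altered
```

Because `a` depends on `c`, flipping a bit in `c` changes the hash of `a` as well as the tree hash, while `b` keeps its hash.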