Git tracks the history of changes, but in a pm we don't really care about the history, at least not when we are installing. These are the properties that I think we do need.
- security: It must be possible to check the current deps, and know if a single bit has been flipped.
- replication: It must be possible to share that hash, and someone else would do `pm checkout <hash>` and get exactly the same code as you.
- determinism: If I install X, Y then Z, and you install Z, then X then Y, we should get the same dep tree. If those deps have deps that need to be shuffled around, then it should do that and keep it always optimal.
- portability: package management is too hard a problem to roll another one for every language. They all suck, more or less. This should be usable for any language, or things that have dependencies.
- conflicts: the best thing about npm is that it allows two modules to depend on different versions of another module. This generally makes development easier. But sometimes there is a global module that there can only be one of (framework, type definition, etc). Also, some languages only support singly-versioned modules. Also, sometimes you might want to resolve a flat tree to optimize file sizes.
- speed: it must be fast. If an install takes too long, I get distracted.
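As an added illustration of the first three properties (security, replication, determinism), not code from the thread or from any real pm: a content-addressed dependency tree whose root hash changes if a single bit of any package flips, can be shared and re-checked-out by hash, and is independent of the order in which packages were installed. The names (`tree_hash`, `Store.checkout`, `pm_checkout`), the flat name-to-package layout, and the sample packages are assumptions made up for the example.

```python
"""Added example, not from the original thread: content-addressed dep tree.

Assumptions (hypothetical): a dep tree is a flat map name -> {version,
content hash}; a Store maps a tree hash to its canonical bytes.
"""
import hashlib
import json


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_tree(deps: dict) -> bytes:
    # Sorted keys and fixed separators: install order cannot leak into the bytes.
    return json.dumps(deps, sort_keys=True, separators=(",", ":")).encode()


def tree_hash(deps: dict) -> str:
    # Root hash of the whole tree; one flipped bit in any package changes it.
    return _sha256(canonical_tree(deps))


def install(tree: dict, name: str, version: str, content: bytes) -> dict:
    # Record the package by the hash of its content, not by a mutable tag.
    new = dict(tree)
    new[name] = {"version": version, "content": _sha256(content)}
    return new


def verify(tree: dict, expected_hash: str) -> bool:
    # "security": has anything in the current deps changed since we pinned it?
    return tree_hash(tree) == expected_hash


class Store:
    """Content-addressed store: tree hash -> canonical tree bytes."""

    def __init__(self):
        self._blobs = {}

    def publish(self, deps: dict) -> str:
        h = tree_hash(deps)
        self._blobs[h] = canonical_tree(deps)
        return h

    def checkout(self, h: str) -> dict:
        # "replication": `pm checkout <hash>`; re-hash before trusting the blob.
        blob = self._blobs[h]
        if _sha256(blob) != h:
            raise ValueError("integrity check failed for %s" % h)
        return json.loads(blob)


# Constructed sample packages: name -> (source bytes, version)
PKGS = {
    "X": (b"x 1.0 source", "1.0"),
    "Y": (b"y 2.3 source", "2.3"),
    "Z": (b"z 0.9 source", "0.9"),
}


def build(order):
    # Install the sample packages in the given order.
    tree = {}
    for name in order:
        content, version = PKGS[name]
        tree = install(tree, name, version, content)
    return tree


def flip_one_bit(data: bytes) -> bytes:
    # Minimal corruption: flip the lowest bit of the first byte.
    return bytes([data[0] ^ 0x01]) + data[1:]


def demo():
    # "determinism": X,Y,Z and Z,X,Y yield the same root hash.
    a = build(["X", "Y", "Z"])
    b = build(["Z", "X", "Y"])
    store = Store()
    h = store.publish(a)
    # A single flipped bit in Z's source must be detected.
    content, version = PKGS["Z"]
    corrupted = install(a, "Z", version, flip_one_bit(content))
    return {
        "order_independent": tree_hash(a) == tree_hash(b),
        "checkout_matches": store.checkout(h) == a,
        "bit_flip_detected": not verify(corrupted, h),
    }


if __name__ == "__main__":
    print(demo())
```

The tree stays verifiable because everything the hash covers is either a content hash or a canonically encoded string; a real pm would nest per-dependency subtrees the same way (hash of children included in the parent), which is what lets two versions of one module coexist without breaking the root hash.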
And comments on actual points above:
All sounds pretty reasonable / non-controversial.