Git tracks the history of changes, but in a pm we don't really care about the history, at least not when we are installing. These are the properties that I think we do need.
- security: It must be possible to check the current deps, and know if a single bit has been flipped.
- replication: It must be possible to share that hash, and someone else would do

  ```
  pm checkout <hash>
  ```

  and get exactly the same code as you.
- determinism: If I install X, Y then Z, and you install Z, then X then Y, we should get the same dep tree. If those deps have deps that need to be shuffled around, then it should do that and keep it always optimal.
- portability: Package management is too hard a problem to roll another one for every language. They all suck, more or less. This should be usable for any language, or for anything that has dependencies.
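
An added example (not part of the original note) of how the security and replication properties can be met with a Merkle-style hash over the installed tree, computed in sorted order so that install order cannot change it. The package layout, the `install` helper and the sample packages are assumptions made for illustration; dependency resolution itself is not modelled.

```python
import hashlib

def tree_hash(pkg):
    """Merkle-style hash of one package: its files plus its dependencies' hashes.

    pkg is {"files": {path: bytes}, "deps": {name: pkg}} (assumed layout).
    Entries are hashed in sorted order, so insertion order never matters.
    """
    h = hashlib.sha256()
    for path in sorted(pkg["files"]):
        digest = hashlib.sha256(pkg["files"][path]).hexdigest()
        h.update(f"file\0{path}\0{digest}\n".encode())
    for name in sorted(pkg["deps"]):
        h.update(f"dep\0{name}\0{tree_hash(pkg['deps'][name])}\n".encode())
    return h.hexdigest()

def install(root, order, registry):
    """Add dependencies to root in the given order (hypothetical stand-in for an install)."""
    for name in order:
        root["deps"][name] = registry[name]
    return root

def verify(root, expected):
    """True only if every byte under root matches the shared hash."""
    return tree_hash(root) == expected

def flip_bit(data, bit=0):
    """Return data with a single bit flipped in its first byte."""
    return bytes([data[0] ^ (1 << bit)]) + data[1:]

def sample_registry():
    """Constructed sample packages; names and contents are made up."""
    z = {"files": {"z.js": b"module.exports = 3\n"}, "deps": {}}
    return {
        "X": {"files": {"index.js": b"exports.x = 1\n"}, "deps": {"Z": z}},
        "Y": {"files": {"index.js": b"exports.y = 2\n"}, "deps": {}},
        "Z": z,
    }

def new_root():
    return {"files": {"package.json": b'{"name":"app"}\n'}, "deps": {}}

if __name__ == "__main__":
    mine = install(new_root(), ["X", "Y", "Z"], sample_registry())
    yours = install(new_root(), ["Z", "X", "Y"], sample_registry())
    shared = tree_hash(mine)  # the value you would hand to `pm checkout <hash>`
    print("same tree regardless of order:", verify(yours, shared))
    nested = yours["deps"]["X"]["deps"]["Z"]["files"]
    nested["z.js"] = flip_bit(nested["z.js"])
    print("still valid after one bit flip:", verify(yours, shared))
```

Because each package's hash covers the hashes of its dependencies, a change anywhere in the tree propagates up to the root hash, which is the only value that needs to be shared.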