Entropic, a package repository developed by the former CTO of NPM

CJ Silverio, former chief technology officer of NPM Inc., has introduced a new package repository called Entropic, which is being developed as a distributed alternative to NPM that is not controlled by any single company.

The Entropic code is written in JavaScript and is distributed under the Apache 2.0 license. The project is only one month into development and is at the early prototype stage, but it already supports basic operations such as logging in, publishing, and installing packages.

About Entropic

The reason for creating Entropic is the JavaScript/Node.js ecosystem's complete dependence on NPM Inc., which controls both the development of the package manager and the maintenance of the NPM registry.

This concern stems from the recent series of layoffs and management changes at NPM Inc. and from its deference to investors, which have created a sense of uncertainty about the future of NPM and a lack of confidence that the company will defend the interests of the community rather than those of its investors.

According to Silverio, NPM Inc. cannot be trusted as a business, since the community has neither a voice nor a vote in the decisions it takes.

He fears that the company's actions are not aligned with the interests of the JavaScript community, because it has to focus on profitability first.

Highly sought-after features such as package signing are unlikely to be developed because they will not make money, he said.

He also doubts that NPM Inc. has any interest in reducing clients' interactions with its backend, since every network interaction generates data that is potentially valuable from a monetization point of view.

Every time you run "npm audit", the contents of the package lock file, which reveal a great deal about what the developer is working on, are sent to NPM's servers.
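To see what a lock file actually reveals, here is an added example (not code from the article, from npm, or from Entropic) that inventories a constructed npm v6 package-lock.json: the project's own name, every package and version in the tree, and any registry hostnames that are not the public registry. The lock file, package names and hostnames are constructed for illustration; which of these fields a given npm version transmits to the audit endpoint is not asserted here, only what the file itself contains.

```javascript
// Added example, not code from the article or from npm. Inventories what a
// package-lock.json reveals about a project. The lock file below is constructed
// in the npm v6 (lockfileVersion 1) nested "dependencies" layout; the hostnames
// and package names are invented for illustration.
const LOCKFILE = {
  name: 'internal-billing-service',          // the project's own name is in the file
  version: '3.2.0',
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: '4.17.1',
      resolved: 'https://registry.npmjs.org/express/-/express-4.17.1.tgz',
      requires: { 'body-parser': '1.19.0' },
      dependencies: {                        // nested (non-deduplicated) dependency
        'body-parser': {
          version: '1.19.0',
          resolved: 'https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz',
        },
      },
    },
    '@acme/ledger-core': {                   // private package from an internal registry
      version: '2.8.3',
      resolved: 'https://npm.internal.acme.example/@acme%2fledger-core/-/ledger-core-2.8.3.tgz',
    },
    'left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      dev: true,
    },
  },
};

// Recursively flatten the nested dependency tree into one list of entries.
function flattenLock(deps, depth, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    let host = null;
    try { host = new URL(meta.resolved).host; } catch { /* missing or non-URL "resolved" */ }
    out.push({ name, version: meta.version, host, dev: Boolean(meta.dev), depth });
    flattenLock(meta.dependencies, depth + 1, out);
  }
  return out;
}

// Summarise what leaves the machine if the lock file is shared: the project
// name, the full package inventory, and any non-public registry hosts, which
// identify internal infrastructure and private package names.
function disclosureReport(lock, publicHost = 'registry.npmjs.org') {
  const entries = flattenLock(lock.dependencies, 0, []);
  const isPrivate = (e) => e.host !== null && e.host !== publicHost;
  return {
    projectName: lock.name,
    packageCount: entries.length,
    privateHosts: [...new Set(entries.filter(isPrivate).map((e) => e.host))],
    privatePackages: entries.filter(isPrivate).map((e) => `${e.name}@${e.version}`),
    devOnly: entries.filter((e) => e.dev).map((e) => e.name),
  };
}

console.log(JSON.stringify(disclosureReport(LOCKFILE), null, 2));
```

Run it with node; to check a real project, load its lock file with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass the result to disclosureReport. Any host other than the public registry in the output is an internal hostname, and the private package names beside it are what an outside party learns.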

In response, several prominent members of the JavaScript / Node.js community have started developing alternatives that are not controlled by individual companies.

How does Entropic work?

Entropic is built on the principle of a federated network: a developer can deploy a server holding a repository of the packages they use and connect it to a common distributed network that links otherwise isolated private repositories.

Entropic assumes the coexistence of many repositories, and interacting with them is part of the normal workflow.

All packages are separated by namespaces, and every package name carries the host on which its home repository is located.

The namespace is essentially the name of a package's owner, or of the group of maintainers entitled to publish updates.

In general, a package address looks like "namespace@repohost.com/pkg-name", so two packages with the same name on different hosts are distinct packages. Metadata and dependency information are defined in TOML format.

When a package that depends on packages from other repositories is placed in the local repository, those dependencies are copied into the local repository as well.

Therefore, the local repository becomes self-sufficient and includes copies of all necessary dependencies.
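As an added example (not Entropic's own code), the following JavaScript covers the two mechanisms just described: it parses specifiers of the "namespace@repohost.com/pkg-name" form, rejecting anything malformed so a dependency cannot be resolved against the wrong host, and it computes which packages a local repository must copy, and from which hosts, to become self-sufficient. The allowed character set for names, the shape of the dependency metadata, and the sample namespaces, hosts and packages are all assumptions constructed for illustration.

```javascript
// Added example, not Entropic's own code. Parses package specifiers of the
// "namespace@repohost.com/pkg-name" form described in the article and plans
// which packages a local repository has to copy to become self-sufficient.
// The allowed character set, manifest shape and sample packages are assumptions.

const NAME_RE = /^[a-z0-9][a-z0-9._-]*$/;   // assumed charset for namespace and package name

// RFC 1123-style hostname check: dotted labels, 1-63 chars, no leading/trailing hyphen.
function isValidHost(host) {
  if (host.length === 0 || host.length > 253) return false;
  return host.split('.').every((label) =>
    label.length >= 1 && label.length <= 63 &&
    /^[a-z0-9-]+$/.test(label) && !label.startsWith('-') && !label.endsWith('-'));
}

// Returns { namespace, host, name, canonical } or null. Anything malformed is
// rejected outright, so a specifier such as "ns@evil.example/x@trusted.example/y"
// cannot be smuggled through and resolved against the wrong host. The host is
// lowercased so that "Pkgs.Example.org" and "pkgs.example.org" are the same origin.
function parseSpec(spec) {
  if (typeof spec !== 'string') return null;
  const at = spec.indexOf('@');
  const slash = spec.indexOf('/');
  if (at <= 0 || slash <= at + 1 || slash === spec.length - 1) return null;
  const namespace = spec.slice(0, at);
  const host = spec.slice(at + 1, slash).toLowerCase();
  const name = spec.slice(slash + 1);
  if (!NAME_RE.test(namespace) || !NAME_RE.test(name) || !isValidHost(host)) return null;
  return { namespace, host, name, canonical: `${namespace}@${host}/${name}` };
}

// Constructed stand-in for the TOML metadata each repository serves: a map from
// canonical specifier to the specifiers it depends on.
const REGISTRY = {
  'alice@pkgs.example.org/web-app': ['alice@pkgs.example.org/util', 'bob@other.example.net/http-client'],
  'alice@pkgs.example.org/util': [],
  'bob@other.example.net/http-client': ['carol@third.example.com/tls-helper', 'alice@pkgs.example.org/util'],
  'carol@third.example.com/tls-helper': [],
};

// Walks the transitive dependency closure of `root` and groups every package that
// does not already live on `localHost` by the host it must be copied from.
// Malformed or unknown specifiers throw instead of being skipped, because a silently
// missing dependency would defeat the point of a self-sufficient mirror.
function mirrorPlan(root, registry, localHost) {
  const seen = new Set();
  const byHost = new Map();
  const stack = [root];
  while (stack.length > 0) {
    const spec = stack.pop();
    const p = parseSpec(spec);
    if (p === null) throw new Error(`malformed specifier: ${spec}`);
    if (seen.has(p.canonical)) continue;
    seen.add(p.canonical);
    const deps = registry[p.canonical];
    if (deps === undefined) throw new Error(`unknown package: ${p.canonical}`);
    if (p.host !== localHost) {
      if (!byHost.has(p.host)) byHost.set(p.host, []);
      byHost.get(p.host).push(p.canonical);
    }
    stack.push(...deps);
  }
  const toCopy = {};
  for (const [host, list] of byHost) toCopy[host] = list.sort();
  return { total: seen.size, toCopy };
}

console.log(JSON.stringify(mirrorPlan('alice@pkgs.example.org/web-app', REGISTRY, 'pkgs.example.org'), null, 2));
```

The parser deliberately returns null rather than guessing: a specifier with no host, an empty host, a second "@" or a hostname label that starts with a hyphen is not a package this repository knows how to fetch. The planner then tells an operator exactly which foreign hosts must be reachable, and which packages come from each, before the local repository can claim to contain copies of everything it depends on.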

An intermediate layer is provided for interacting with the classic NPM registry, which is treated as a single accessible source; this allows packages from NPM to be installed through a locally deployed Entropic environment.

For administration, a command-line toolkit is provided that simplifies deploying repositories on a local network.

Entropic offers a new file-oriented API and storage system that minimizes the amount of data downloaded over the network.

Entropic is presented as a universal system that can be used to create package repositories for any programming language; nevertheless, it was designed with JavaScript in mind and is best suited to projects in that language.

Link to Entropic



  1.   khourt said

    Interesting how communities prevail over the interests of a company. I don't know about Node, but I wonder whether this universal system could be applied to updating operating systems and other programs, or only to Node and JS?
    On the other hand, I also wonder what happens when you have libraries or dependencies of a different or higher version than those of a package it contains in its repository. Is the highest one kept, do you work with two different versions, or will there be a conflict?
    Obviously this community knows what it is doing, and my question is more about understanding how these developers solve a problem of this type than about questioning their work, which will surely be of excellent quality.
    Thank you!