A proposal for Ox
Created by: ticki
Proposal for the
ox package manager (Redox)
This is a proposal for the ox package manager for redox.
Ox shall be modular, simple and decentralised. Ox shall both be capable of compiling from source and installing binaries directly. Futhermore, Ox shall be secure.
How Ox works
Ox works over HTTP(S) protocole. Ox is consisting of two types of data sources:
- Package hosts
In this context, a repository (or repo for short) is a place storing various information about packages. These includes:
- Where the package can be downloaded (package host)
- What the hashes of the binaries and the source are.
- The hash of the package's public key (which is owned by the package developer). This ensures that the user will be able to securely get the latest version without worrying about the security of the connection/provider.
There is not one central repository. The user adds repositories, he or she trusts. The repository X (name) from Y (host) can be found in http(s)://ox.[Y]/X.oxr.
This is recommended to be over a HTTPS connection, however this is not required (although a warning is given if not).
This file is of the format:
[name of the package]:[version]:[description of the package]:[hash of the binary]:[hash of the source code]:[hash of the developers public key] [name of the package]:[version]:[description of the package]:[hash of the binary]:[hash of the source code]:[hash of the developers public key] [name of the package]:[version]:[description of the package]:[hash of the binary]:[hash of the source code]:[hash of the developers public key] ...
The package X of version V from Y can be found in
http(s)://ox.[*Y*]/[*V*]-[*X*].oxp. This is a file of the format
name=[name] author=[author] description=[description] version=[version] bin=[path to binary] source=[path to source] compile=[path to compile script] publickey=[public key of the developer] signature=[digital signature of the files] files=[files provided in the package] dependencies=[list of packages this package depends on (includes versions)]
The hash of the binary/source is checked, of course (using the hash from the repositories). So is the signature.
If the version is set to
_ the latest version of the package
is returned. To make sure that this package is safe, the signature
is checked (using the signature in the repository). If no developer
signature is found in the repository a warning is returned.
Installation is done via downloading the binary and running it while
tracking the files it creates. These are stored together with the
files parameter given by the package host. These are used if the
user wants to uninstall the package.
ox get [package]
[package] using the binary. If multiple packages named
[package] are found in the repositories, the user is asked to
choose the package.
ox get -c [package]
Installs [package] from the source.
ox remove [package]
Remove [package] including files that it has created.
ox add [repository name and host]
Add a new repository.
Cleans up all orphaned packages.
Updates the repositories.
Install all new upgraded packages.
Unresolved questions, TODOs etc.
Lots of things. For example:
- How will
oxmanage multiple versions of the same package?
- In what language will compile scripts be written?