Comment by ambicapter
1 day ago
> Unfortunately, when you’re starting out, the idea of running a registry is a really tough sell. Now, on top of the very hard engineering problem of writing the code and making a world class tool, plus the social one of getting it adopted, I need to worry about funding and maintaining something that serves potentially a world of traffic? The git solution is intoxicating through this lens.
So you need a decentralized database? Those exist (or you can make your own, if you're feeling ambitious), probably ones that scale in different ways than git does.
Please share. I’m interested in anything that’s roughly as simple as implementing a centralized registry, is easily inspected by users (preferably with no external tooling), and is very fast.
It’s really important that someone is able to search for the manifest one of their dependencies uses for when stuff doesn’t work out of the box. That should be as simple as possible.
I’m all ears, though! Would love to find something as simple and good as a git registry but decentralized.
You don't need a fully distributed database, do you?
You could just make a registry hosted as plain HTTP, with everything signed. And a special file that contains a list of mirrors.
Clients request the mirror list and the signed hash of the last entry in the Merkle tree. Then they go talk to a random mirror.
Maybe your central service requires user sign-in for publishing and reading, while mirrors can't publish, but mirrors don't require sign-in.
Obviously, you'd have to validate that mirrors are up and populated. But that's it.
You can start by self hosting a mirror.
One could go with signing schemes inspired by: https://theupdateframework.io/
Or one could omit signing altogether, so long as you have a Merkle tree with hashes for all publishing events. And the latest hash entry is always fetched from your server along with the mirror list.
Having all publishing go through a single service is probably desirable. You'll eventually need to do moderation, etc. And hosting your service or a mirror becomes a legal nightmare if there is no moderation.
Disclaimer: opinions are my own.
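An added example, not part of the thread or any project's code: a sketch of the client-side check the comment above describes, where the tree head comes from the central server and a package entry plus its sibling hashes come from an untrusted mirror. All function names, the event format and the sample log are assumptions made for illustration.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(event: bytes) -> bytes:
    return _h(b"\x00" + event)            # domain-separate leaves from inner nodes

def node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(events):
    """All tree levels, leaves first; the last level holds the single root hash."""
    if not events:
        raise ValueError("empty publish log")
    level = [leaf(e) for e in events]
    levels = [level]
    while len(level) > 1:
        nxt = [node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])          # unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Mirror side: sibling hashes from leaf `index` up to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(event, proof, trusted_root):
    """Client side: recompute the root from mirror data, compare to the trusted head."""
    acc = leaf(event)
    for side, sibling in proof:
        acc = node(sibling, acc) if side == "L" else node(acc, sibling)
    return hmac.compare_digest(acc, trusted_root)

# Constructed publish log (hypothetical "name version manifest" entries).
EVENTS = [f"pkg-{i} 1.0.0 manifest-{i}".encode() for i in range(5)]
LEVELS = build_levels(EVENTS)
TRUSTED_ROOT = LEVELS[-1][0]               # what the central server would hand out
```

A mirror that alters an entry cannot produce sibling hashes that recompute to the trusted root, so the client only has to trust the one small value fetched from the central server.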
Package registry in an SQLite database, snapshotted daily. Stored in a cloud bucket. New clients download the latest snapshot, existing clients stream in the updates using e.g. Litestream. Resolving dependencies should now be ultra fast thanks to indexes.
Blockchain.
Distributed ledger! /s... ?