Re: Emacs Package Management

[Thomas Lord <lord@emf.net>]

Tom Tromey wrote:
> There was a discussion a while ago on this list.  RMS wanted to
> restrict the available packages to those which had been assigned to
> the FSF, but I did not agree with that.
>   

Please consider making the package system such that packages are
signed and users consciously pick and choose among authorities (i.e.,
which package signatures to trust).

To an extent, that makes the problem harder:  a key management
system has to be part of the package system if "average" users are
expected to be able to use it.

On the other hand, it creates an economic market  -- especially if
you keep that in mind while designing the package system.   That is,
a new possible commercial service (entirely free-software friendly)
is to let people subscribe to a source of trusted emacs packages.
Providers of this service can differentiate and compete in lots of ways.
I think a worthy goal is to design a package system that helps
such a market flourish.

Firefox has a feature that illustrates a nice and relevant paradigm:
It frequently "calls home" to find out if a new upgrade has been
published and then automates the process of installing upgrades.
Emacs and the possible marketplace for emacs package providers
could benefit from a similar infrastructure.   It is hard to get right,
of course:  very easy to introduce vulnerabilities through design or
coding mistakes.   Nevertheless, if it *is* gotten right, it helps to create
that marketplace.

In other threads about DOS and Windows support, people were
talking about the ideal of never having to earn a living in the proprietary
software world.   It seems to me that the most direct way to make that
possible is to collectively concentrate on software systems that create
markets for free software developer talent (by virtue of the architecture
of those systems).

Package systems are exactly the right place to hack markets to create
free software jobs.  RHAT and Canonical both discovered this a ways
back.  An industry standard here, a really solid one, would crank up 
competition
and generally "lubricate" the free software economy (by lowering the
barrier to entering the market as a package-by-subscription provider while
still preserving the opportunity for package providers to differentiate and
add value between upstream and the user).   It is not something that those
companies are likely to be eager for until it becomes inevitable.   
Therefore
it might well be a good strategic investment for volunteers.

One final technical note:   In designing the package system it is
desirable not only to allow competing package provider services,
but also (reflecting the reality of software development) to afford
composing providers into "pipelines".   That is, the package system
should model the concept of an upstream developer giving code to
downstream service providers who in turn give code (possibly patched)
to end users.   An end-user package download transaction should be able
to report the "heritage" of the package to that level.   The reason for
this is to create the possibility of a market for "royalties" paid to 
upstream
developers -- that is, to create a funding pipeline for free software R&D.


-t