The idea is to have a way to distribute libphutil libraries for arcanist in a simpler way than emailing a tar-ball to all users.
The two big use-cases are:
- Get the company's extensions/configuration to all users in an easy way (Without adding them to each repo)
- Distribute 3rd party extensions, just like apt-get/npm/etc.
A more formal list of requirements (Mostly gathered from epriestley's comments around):
- It should support installing arcanist extensions, Phabricator applications, and libphutil libraries.
- i.e., it should handle configuration for phabricator and arcanist
- Maybe it should even support installing third-party stuff like linters.
- Maybe it should even support installing third-party dependencies like Node?
- Packages should be signed by the author, and you should only need to trust the author to trust the package.
- Packages should be able to define dependencies, and it should handle installing them.
- for arcanist, packages may be specified via either by the project (.arcconfig) or by global configuration (.arcrc)
- It should handle running different versions of the same package in different projects.
- Have a way to require/alert users it's time to upgrade a package
- Should not require the phab-marketplace to know about my extension (Because it's internal to my company and has all my secrets).
- Support Linux, Mac OS X, and Windows.
- "List all the things I have loaded/installed"
- Should work in an environment where arc is mounted in a read-only location.
- Organization: Dumping directories next to things won't last very long and will run into issues with everything else here, as well as making it hard for us to do things like "list all the stuff that is installed". We would quickly need to have better rules about where stuff goes.
- Versioning: How do we know something needs to be updated? How do we organize, store, and include multiple versions of a package?
- Dependencies: How do we manage dependencies? How do we deal with cases like "diamond dependencies", where A depends on B and C, and B and C depend on different versions of D?
- Security: How do we make sure that compromised user accounts don't lead to remote code execution on all users' machines? Code signing is probably the solution here, but it's complicated.