[Bro-Dev] package manager progress

Jan Grashöfer jan.grashoefer at gmail.com
Mon Jul 25 04:53:16 PDT 2016


Amazing work! I really like the package manager and I am looking forward
to contributing a script.

> * Add a way for packages to define “discoverability metadata”.
> 
> E.g. following the original plan for this would involve putting something like a “tags” field in each package’s pkg.meta file, but the problem with this is the client would need to either download every package to be able to search this data or have a third-party periodically aggregate it.

I think this is a question about who should deal with the extra effort:
On the one hand requiring to spread and sync information between two
places introduces a burden for the contributors, on the other hand
(automatic) aggregation of information makes it harder to maintain a
source including metadata. I am in favor of putting that information
into pkg.meta to make contributing as easy as possible.

One note: I think the documentation should contain a tremendous warning
pointing out that the users are responsible for what they are
installing. One scenario that came instantly to my mind: Someone is
contributing a small and useful script, waits for its distribution and
then updates his repository, adding e.g. a malicious build command. In
that context it would be nice if the package manager would ask the user
before executing the build command. For the official repository also
some automatic checks would be nice (e.g. indicating in case a script
executes shell commands). I think that was discussed before.

All in all I think the package manager design is intuitive and really
easy to use. Having central repositories will be great!

Thanks,
Jan
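
The check suggested in the message above, as an added example that is not part of the original post or the package manager's own code: compare the build command in the installed and the updated pkg.meta and ask the user before running anything not yet approved. The INI layout, the [package] section, the build_command key, the sample contents and all function names are assumptions.

```python
import configparser

# Constructed pkg.meta contents. The INI layout, the [package] section and
# the build_command key are assumptions made for this example.
INSTALLED_META = "[package]\ntags = dns, detection\n"
UPDATED_META = INSTALLED_META + "build_command = ./configure && make\n"


def build_command(meta_text):
    """Return the build command declared in pkg.meta, or None if there is none."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(meta_text)
    cmd = parser.get("package", "build_command", fallback="").strip()
    return cmd or None


def needs_confirmation(installed_meta, updated_meta, approved=frozenset()):
    """Decide whether the user must be asked before the build runs.

    Returns (ask, reason). A command runs without a prompt only if the user
    approved that exact string earlier; installed_meta is None on first install.
    """
    old = build_command(installed_meta) if installed_meta else None
    new = build_command(updated_meta)
    if new is None:
        return False, "no build command"
    if new in approved:
        return False, "build command already approved"
    if old is None:
        return True, "update adds a build command: %r" % new
    if old != new:
        return True, "build command changed: %r -> %r" % (old, new)
    return True, "build command not yet approved: %r" % new


def confirm(reason, ask=input):
    """Prompt the user; anything other than an explicit 'y' declines."""
    return ask("%s\nRun it? [y/N] " % reason).strip().lower() == "y"


if __name__ == "__main__":
    must_ask, why = needs_confirmation(INSTALLED_META, UPDATED_META)
    if must_ask and not confirm(why):
        print("build skipped")
```
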

