Project Ideas DependentCode A Mostly Universal Package Dependency Resolver

DependentCode: a mostly universal Package dependency resolver

To install code, software package management tools need to determine which dependent package of which version to install. Each ecosystem has evolved their own ways to deal with versioning and resolve the dependencies.

Is a unified dependency resolution strategy attainable across all package ecosystems?

The goal of this project is to create a (mostly) universal package dependency resolution tool that should leverage the detected packages and package dependencies from ScanCode as Package URLs (purls) and Version Range (vers) and provide a good enough way to resolve the dependencies "transitive closure" for many system and application package formats.

This would be a way to advance towards a unified software package dependency resolution strategy.

ScanCode can already parse and collect first-level direct dependencies from package manifests present in a codebase. It can also collect resolved dependencies from lock files.

This project would build on this to provide a mostly universal dependency resolution to get all other package transitive dependencies either:

• in a generic way, using its own resolution engine and strategies, possibly using a SAT solver or using simple strategies ( such as latest version, pubgrub, minimum version, etc.)
• or using each package management tool, either reusing the resolvers from ORT or crafting new resolvers wrapping existing package tools.

Goals of project(s) in this space would be to :

• Implement "vers" version ranges collection in ScanCode toolkit. https://github.com/package-url/purl-spec/pull/139
• Update the "univers" library as needed to support new version ranges https://github.com/nexB/univers
• Inventory and document the many different ways dependencies are resolved today across ecosystems such as Maven/Java, RPM, Debian, npm, Rubygems, PyPI, Conda, R, Perl, Go, Dart, Rust, Swift, Eclipse, Conan and PHP. Propose and apply a dependency resolution classification based on the specific semantics of each resolution approaches.
• Design and implement a unified strategy for dependency resolution using purl and vers as inputs.

• Level

  • Advanced

• Tech

  • Python, Go, C/C++, Rust, SAT

• URLS

  • https://github.com/package-url
  • https://github.com/nexB/univers
  • https://github.com/package-url/purl-spec/pull/139
  • https://fosdem.org/2018/schedule/event/purl/
  • https://github.com/heremaps/oss-review-toolkit
  • https://gist.github.com/pombredanne/d3585617882f91d9316be5ce5eddf190

• Mentors

  • @pombredanne https://github.com/pombredanne
  • @TG1999 https://github.com/TG1999