Support for federated package registry (entropic) in gemnasium-db

Problem to solve

There is an interesting package registry for JavaScript called entropic that has gained quite some traction recently. The project started only a couple of months ago and already has about 5K stars on GitHub. entropic is positioned as an alternative to npm, which is facing quite a bit of trouble at the moment. The project was initiated by CJ Silverio (former CTO of npm).

Given that entropic uses a distributed model, and that the project was initiated by the former CTO of npm (against the backdrop of the turmoil npm is facing at the moment), this registry seems to have some potential to grow and may be an interesting candidate for inclusion in gemnasium-db.

So it may be interesting to observe the development of entropic in the near future.

Intended users

  • Sam (Security Analyst)

Proposal

entropic is based on a decentralized architecture that uses namespaces (public, private, group or individual) to manage packages. This implies that different URIs can point to the same package; moreover, the name of the registry can vary, as described in the project README.md. These parameters cannot be easily mapped onto the schema we currently use for gemnasium-db. Should we decide to include entropic in gemnasium-db, it would be good to discuss how the gemnasium-db schema would have to be adapted to support the more flexible model used by decentralized package managers, in particular how a package is uniquely identified across registries and namespaces so that advisories match the right package.
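To make the identity problem concrete, here is an added example (written for this issue, not code from gemnasium-db or from the entropic project) that normalises several spellings of an entropic package reference to one canonical key. It assumes, purely for illustration, that a package is addressed as `<namespace>@<registry-host>/<package-name>`, that a registry URL carries that specifier at the end of its path, and that the canonical key layout `entropic:<registry>/<namespace>/<name>` is what a schema would store; all three are assumptions, and the sample inputs are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed specifier shape: <namespace>@<registry-host>/<package-name>.
# The registry host is a DNS name and therefore case-insensitive; namespace and
# package name are kept verbatim because their case-sensitivity is not known.
_SPEC = re.compile(
    r"(?P<ns>[A-Za-z0-9._-]+)@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)/(?P<name>[A-Za-z0-9._-]+)"
)


@dataclass(frozen=True)
class EntropicPackage:
    namespace: str
    registry: str  # host of the registry that owns the namespace
    name: str

    @property
    def key(self) -> str:
        """Canonical, location-independent identity (layout is an assumption)."""
        return f"entropic:{self.registry}/{self.namespace}/{self.name}"


def parse_spec(spec: str) -> EntropicPackage:
    """Parse a bare specifier or a URL whose path ends with one.

    For a URL, the URL's own host is deliberately ignored: it may be a mirror,
    while the host inside the specifier names the registry that owns the
    namespace (assumed semantics).
    """
    s = spec.strip()
    if "://" in s:
        path = urlsplit(s).path.rstrip("/")
        m = _SPEC.search(path)
        if m is None or m.end() != len(path):
            raise ValueError(f"no entropic specifier at end of URL path: {spec!r}")
    else:
        m = _SPEC.fullmatch(s)
        if m is None:
            raise ValueError(f"not an entropic specifier: {spec!r}")
    return EntropicPackage(
        namespace=m.group("ns"),
        registry=m.group("host").lower(),
        name=m.group("name"),
    )


def group_by_identity(specs):
    """Group spellings that resolve to the same canonical key."""
    groups: dict = {}
    for s in specs:
        groups.setdefault(parse_spec(s).key, []).append(s)
    return groups


if __name__ == "__main__":
    # Constructed sample input: three references, two of which are the same package.
    seen = [
        "chris@entropic.dev/ds",
        "https://mirror.example.org/packages/package/chris@ENTROPIC.DEV/ds/",
        "chris@other.example/ds",
    ]
    for key, spellings in group_by_identity(seen).items():
        print(key, "<-", spellings)
```

The point for the schema discussion is the last input: the same namespace and package name under a different registry host is a different package, so registry host has to be part of the identity, not just an optional attribute as it is for a single central registry.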

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

More interest from security personas

What is the type of buyer?

Ultimate

Links / references

  • https://dev.to/florimondmanca/entropic-federated-js-package-registry-announced-at-jsconfeu-2019-3mmo

/cc @gonzoyumo @fcatteau @xlgmokha @brytannia @caneldem

Edited Jul 12, 2021 by Julian Thome