How Do Application-Level Package Managers Work?

This is an excerpt from Out of the Wild: A Beginner’s Guide to Package and Dependency Management, a Sonatype Guide. This is the second of three installments. Read the first one here.

We’ve established that managing dependencies is a complex task. But as Sam Boyer explains in his Medium article, “It’s not the algorithmic side that makes [application-level package managers] hard.”

“Their final outputs are phase zero of a compiler or interpreter, and while the specifics of that vary from language to language, each still presents a well-defined target. As with many problems in computing, the challenge is figuring out how to present those machine requirements in a way that fits well with human mental models.”

Take the Apache Maven application-level package manager as an example. It’s “primary goal is to allow a developer to comprehend the complete state of a development effort in the shortest period of time” by focusing on “making the build process easy” and “providing quality project information.” In fact, the term Maven itself comes from the Yiddish word meaning “accumulator of knowledge,” which is based on their Project Object Model, or POM file. (More on this later.)

That’s just one application-level package manager’s take on their high-level role in modern software development, but let’s continue down this path for a minute and talk about what application-level package managers (in general) have in common.

We’re simplifying a bit, but below are the key components used by most application dependency managers. It’s the interplay—and forward “movement”—of the elements listed below that makes for an effective dependency management system.

Project code

This one’s easy. First you have your source code that’s being actively developed; that is, the project you want the application-level package manager to manage dependencies for. This is usually (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ember DeBoer. Read the original post at: