Apple’s Swift software development ecosystem is undergoing a big change, restructuring how Swift code packages are created and distributed. This move echoes the same change in the Go ecosystem a few years earlier, and reveals an essential design trade-off at the heart of package management: do we even need packages at all?

What is a package manager?

To answer this, let’s look at a question that every major software ecosystem has to answer: how do we share and reuse software?

In the dark ages of open source, using third-party packages required fishing around on the internet for download sites. This could mean wasting time, using old versions, or borrowing from dead projects. Thankfully, this landscape has changed completely.

Today, developers share packages within the walls of their organizations through private repositories. Massive public repositories like Maven Central or the Python Package Index (PyPI) let developers share their open source software contributions with developers around the world.

What makes all this possible is the humble package manager, a type of utility that lets developers bundle up, describe, publish, and consume software declaratively. Package managers like Maven for Java or npm for JavaScript remove the pain of finding, downloading, and installing packages.

Every package gets a unique name (the so-called “package coordinates”), allowing developers to list which ones they need while the package manager automatically finds and downloads them. By freeing developers from worrying about where to get a package (and all its dependencies), we can now simply declare what we want and get on with the coding.

DevOps teams also benefit from package managers

By caching third-party packages where they enter the organization, DevOps teams can provide their developers with fast, repeatable access to every dependency that an application requires.

In an age of rapidly increasing software supply chain attacks (Read more...)