Federated Package Management and the Zooko Triangle
4 months ago
- #package-management
- #decentralization
- #security
- Federation is often proposed as a solution for package registry crises, but faces fundamental constraints.
- Zooko's triangle states naming systems can have at most two of: human-meaningful, decentralized, or secure.
- Package management requires human-meaningful names, forcing a choice between decentralization and security.
- Central registries (like npm) prioritize security by controlling namespaces, but introduce governance bottlenecks.
- Federated registries attempt decentralization but struggle with security, leading to inconsistent package resolution.
- Scoped names (e.g., npm packages of the form `@scope/name`) shift trust to namespace controllers but don't eliminate central authority.
- Go modules use DNS for naming but rely on centralized services (proxy.golang.org) for security.
- FAIR (federated package management) uses cryptographic identities (DIDs) but reintroduces central hubs for usability.
- Human-readable names are essential in code (e.g., require 'express'), making decentralization difficult.
- Federation doesn't solve governance; it distributes decision-making inconsistently across nodes.
- Central registries persist because they provide a single source of truth for package names.
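The triangle's three corners can be made concrete in code. The following is an added example, not code from the original post: two constructed federated nodes both claim to serve `express@4.0.0` but ship different bytes (the contents are placeholders, not the real package). Resolving by human-meaningful name alone is decentralized but gives inconsistent results; pinning a content digest from a lockfile makes the name a mere lookup hint and restores security; addressing purely by digest is secure and decentralized but is exactly the form `require('express')` cannot take.

```python
"""Resolving a human-meaningful package name across two federated registry
nodes, with and without a pinned content digest (constructed toy example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """One published package tarball; content is what an installer would unpack."""
    name: str
    version: str
    content: bytes

    def digest(self) -> str:
        # Subresource-integrity style digest, as a lockfile would record it.
        return "sha256-" + hashlib.sha256(self.content).hexdigest()


# Constructed sample data: two independent nodes both answer for
# "express@4.0.0" but serve different bytes. Nothing here is a real package.
NODE_A = {
    ("express", "4.0.0"): Artifact(
        "express", "4.0.0", b"module.exports = require('./lib/express');\n"),
}
NODE_B = {
    ("express", "4.0.0"): Artifact(
        "express", "4.0.0", b"module.exports = require('./lib/express-rebuilt');\n"),
}
FEDERATION = [NODE_A, NODE_B]


def resolve_by_name(nodes, name: str, version: str) -> list:
    """Human-meaningful + decentralized: each node answers for itself.
    Returns the digest every node would hand out, so divergence is visible."""
    return [node[(name, version)].digest() for node in nodes if (name, version) in node]


def resolution_is_consistent(nodes, name: str, version: str) -> bool:
    """True only when every node that serves the name agrees on the bytes."""
    return len(set(resolve_by_name(nodes, name, version))) == 1


def resolve_pinned(nodes, name: str, version: str, pinned: str) -> Artifact:
    """Human-meaningful + secure: the name is only a lookup hint; the pinned
    digest (e.g. from a lockfile) decides which bytes are acceptable. Any node
    may serve the artifact, but a node serving different bytes is rejected."""
    for node in nodes:
        art = node.get((name, version))
        if art is not None and art.digest() == pinned:
            return art
    raise LookupError(f"no node serves {name}@{version} matching {pinned}")


def content_address(art: Artifact) -> str:
    """Decentralized + secure, not human-meaningful: the name *is* the digest.
    This is the corner of the triangle that require('express') cannot occupy."""
    return art.digest()


if __name__ == "__main__":
    print("by name:", resolve_by_name(FEDERATION, "express", "4.0.0"))
    print("consistent:", resolution_is_consistent(FEDERATION, "express", "4.0.0"))
    # A lockfile entry recorded when the package was first installed from NODE_A.
    lock = {"express@4.0.0": NODE_A[("express", "4.0.0")].digest()}
    art = resolve_pinned(FEDERATION, "express", "4.0.0", lock["express@4.0.0"])
    print("pinned resolution:", art.content)
```

The practical takeaway for a defender is the middle function: once a digest is pinned, the order in which federated nodes are consulted no longer matters, and a node that serves different bytes under the same name is detected rather than silently installed.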