Why Ethereum Needs Package Management

Tim Coulter
4 min read, Mar 9, 2017


This post is part two in a multi-part series explaining our vision for package management for the Ethereum ecosystem. In this post we’ll cover why the Ethereum community needs package management and how package management presents unique challenges within a blockchain ecosystem.

What is package management?

Before we talk about why Ethereum package management is unique, we first need to define what package management is — and why it’s important to software engineering.

In some respects, package management is a feature of modern programming. Just as you expect a car to have a driver’s seat and a steering wheel, so do developers expect their development environment to have a package management solution. If you’re a programmer by trade, you’ve definitely heard of popular package managers already: apt-get, rubygems, npm, pip, NuGet — and the list goes on. Even if you’re not a programmer, you’ve definitely interacted with applications that work a lot like package managers, e.g., the Apple App Store and Google Play Store on your mobile phones and smart devices.

On a fundamental level, package management provides two unique features:

  1. A simple platform to distribute software applications and libraries to collaborators and users.
  2. A mechanism for sharing code — to stand on the shoulders of giants — so community members can build on top of the work of others.

Many package managers and software distribution platforms provide other features, such as pay-to-play access to software that exists on the platform, but in general package management systems provide free and open access to tools, applications and libraries that can help speed up the development of new and innovative applications.

What problem does package management solve?

Developers know this answer by heart, and shudder at the term: copy, and paste. As a developer, without a package management solution you’re destined to copy and paste someone else’s code into your project. This method of injecting dependencies works for a short period, but over time it sets the project up for hairy, brittle upgrades later on in the development lifecycle.

Smart package managers can solve this problem. Through the distribution channel, you can download new versions of packages and upgrade as needed, possibly patching unwanted bugs or gaining new features. Instead of copying and pasting code, project dependencies are now managed for you, always leaving a clear path to upgrade.

Package managers also solve configuration and installation issues. On certain environments, like different flavors of Linux, packages are created specifically for that environment so they can be tailored to the operating system the package will run in. On other environments, such as any environment that uses npm, the package manager itself will process commands during installation that configure the package correctly and ensure it installs as necessary.

Package management systems are the closest thing developers get to a one-click dependency management solution, and thus their usefulness can’t be ignored.

So what makes Ethereum different?

In all cases mentioned above, packages are created for a single execution environment: The user’s computer. In Ethereum, however, package managers need to be able to create packages for at least two execution environments, if not more. The first is the user’s computer, and the second is the Ethereum world computer.

The user’s computer, in this case, is responsible for shepherding code that is meant to eventually run on the Ethereum blockchain. However, a robust package management solution needs to support code meant to run on multiple blockchains. What’s more, packages may be built in such a way that they not only expect to be run on a specific blockchain, but they also expect to interact with code that already exists on that blockchain. This presents unique challenges to package management, in that some code may be inextricably linked to the environment in which it will run.

On top of that challenge, Ethereum’s promise as a technology suggests users can trust in the code they’re running. When creating a package management solution, it’s paramount that the code distributed by the package itself can be verified as the same code that’s expected to exist on the desired blockchain. This means a package manager needs to be able to present a clear line of verification for all code it manages. As dependencies grow in number and depth, this verification process quickly grows in complexity, which presents a new hurdle not undertaken by other package management solutions.

Thankfully, the EthPM Foundation not only created a specification to overcome these unique challenges, but also created two implementations that support that spec, with many more to come.

Why should I care?

If you’re a developer, the upside is obvious: It creates a way for you to build applications quickly and more securely, building on top of the exceptional work by others in the community. But the benefits of package management extend far beyond contract development.

If a package management solution can present a clear line of verified code throughout the whole list of a package’s dependencies, then as a user you know you’re accessing the code you meant to. This presents a great opportunity for user-facing applications like MyEtherWallet, EtherScan, and Mist to build interfaces on top of this framework. Instead of interacting with deployed contracts by address as currently required, users could interact with published packages via verifiable, user-friendly names. These applications could provide standard interfaces for token launches, for instance, letting users participate with the assurance that they’re interacting with the correct contract on the Ethereum network.
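The "clear line of verification" described in the previous section, and the name-to-address resolution a wallet would build on top of it, can be made concrete with a small check: walk a package's dependency tree and compare the runtime bytecode actually deployed at each declared address against the digest the package published. The example below is added here and is not code from the post, from Truffle, or from the EthPM Foundation; the manifest layout, the package and contract names, the addresses and the bytecode blobs are all constructed for illustration and do not follow the real EthPM schema, and SHA-256 stands in for the keccak-256 hash Ethereum tooling would use.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Set

# Assumption: SHA-256 is a stand-in for keccak-256 (not available in hashlib).
def code_digest(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()

# Constructed "runtime bytecode" blobs; these are not real EVM programs.
SAFE_MATH_CODE = b"\x60\x60\x60\x40safe-math-v1"
TOKEN_CODE = b"\x60\x60\x60\x40token-v1"
VAULT_CODE_PUBLISHED = b"\x60\x60\x60\x40vault-v1"
VAULT_CODE_ON_CHAIN = b"\x60\x60\x60\x40vault-v1-modified"  # drifted from what was published

ADDR_MATH = "0x" + "11" * 20      # constructed placeholder addresses
ADDR_TOKEN = "0x" + "22" * 20
ADDR_VAULT = "0x" + "33" * 20
ADDR_WALLET = "0x" + "44" * 20    # nothing is deployed here

# Constructed chain state: address -> deployed runtime bytecode.
CHAIN: Dict[str, bytes] = {
    ADDR_MATH: SAFE_MATH_CODE,
    ADDR_TOKEN: TOKEN_CODE,
    ADDR_VAULT: VAULT_CODE_ON_CHAIN,
}

def get_code(address: str) -> bytes:
    """Stand-in for an eth_getCode call against a node."""
    return CHAIN.get(address, b"")

# Hypothetical manifest layout (NOT the EthPM spec): each package lists the
# contracts it deploys, with the address and the digest of the published code,
# plus the packages it depends on.
PACKAGES = {
    "math": {"dependencies": [],
             "contracts": {"SafeMath": {"address": ADDR_MATH,
                                        "digest": code_digest(SAFE_MATH_CODE)}}},
    "token": {"dependencies": ["math"],
              "contracts": {"Token": {"address": ADDR_TOKEN,
                                      "digest": code_digest(TOKEN_CODE)}}},
    "vault": {"dependencies": ["token"],
              "contracts": {"Vault": {"address": ADDR_VAULT,
                                      "digest": code_digest(VAULT_CODE_PUBLISHED)}}},
    "wallet": {"dependencies": ["vault", "token"],
               "contracts": {"Wallet": {"address": ADDR_WALLET,
                                        "digest": code_digest(b"wallet-v1")}}},
}

def verify_package(name: str, packages: dict, fetch: Callable[[str], bytes],
                   _seen: Optional[Set[str]] = None) -> List[str]:
    """Depth-first walk of the dependency graph. Every contract in every
    reachable package is checked against the chain. Returns a list of
    'package:Contract: reason' strings; an empty list means the whole tree
    verifies. Packages reachable by more than one path are checked once,
    which also keeps a cyclic dependency graph from recursing forever."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return []
    _seen.add(name)
    problems: List[str] = []
    pkg = packages[name]
    for cname, meta in pkg["contracts"].items():
        code = fetch(meta["address"])
        if not code:
            problems.append(f"{name}:{cname}: no code at {meta['address']}")
        elif code_digest(code) != meta["digest"]:
            problems.append(f"{name}:{cname}: on-chain code does not match manifest")
    for dep in pkg["dependencies"]:
        problems.extend(verify_package(dep, packages, fetch, _seen))
    return problems

def resolve_address(ref: str, packages: dict,
                    fetch: Callable[[str], bytes]) -> Optional[str]:
    """What a user-facing app would call: turn 'package:Contract' into an
    address, but only if the package and its entire dependency tree verify.
    Returns None rather than an address the user cannot trust."""
    pkg_name, cname = ref.split(":", 1)
    if verify_package(pkg_name, packages, fetch):
        return None
    return packages[pkg_name]["contracts"][cname]["address"]

if __name__ == "__main__":
    print("token tree:", verify_package("token", PACKAGES, get_code))
    print("wallet tree:", verify_package("wallet", PACKAGES, get_code))
    print("token:Token ->", resolve_address("token:Token", PACKAGES, get_code))
    print("wallet:Wallet ->", resolve_address("wallet:Wallet", PACKAGES, get_code))
```

The point of `resolve_address` refusing to return anything when any transitive dependency fails is the defensive one: a name that resolves only when the whole chain of code verifies is what lets a wallet show a friendly package name instead of a raw address without weakening the guarantee the post describes.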

We strongly encourage MyEtherWallet et al. to build on top of EthPM, but this integration is just the tip of the iceberg. A strong, verifiable package management solution will bolster our community to create a web of secure code, paving the way for innovations we haven’t even imagined yet.

Awesome. So what’s next?

A lot. There are currently two frameworks that support package management, with more to come. We’re hoping to not only build a community, but a robust standard library of secure, community-contributed contracts. In the next installment in this series, Piper Merriam will talk about all this and more, explaining what’s next for the EthPM Foundation and what you should expect to see in the near future.
