Package Managers à la Carte: A Formal Model of Dependency Resolution

Ryan Gibb, Patrick Ferris, David Allsopp, Thomas Gazagnaire, Anil Madhavapeddy

TL;DR

This work presents the Package Calculus, a formalism for dependency resolution that unifies the core semantics of diverse package managers and enables translation between distinct package managers and resolution across ecosystems.

Abstract

Package managers are legion. Every programming language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multilingual projects from expressing precise dependencies across language ecosystems; it leaves external system and hardware dependencies implicit and unversioned; it obscures security vulnerabilities that lie in the full dependency graph. We present the Package Calculus, a formalism for dependency resolution that unifies the core semantics of diverse package managers. Through a series of formal reductions, we show how this core is expressive enough to model the diversity that real-world package managers employ in their dependency expression languages. By using the Package Calculus as the intermediate representation of dependencies, we enable translation between distinct package managers and resolution across ecosystems.

Paper Structure

This paper contains 54 sections, 20 theorems, 22 equations, and 12 figures.

Key Result

Theorem 3.1.4

DependencyResolution (Definition 3.1.3, Resolution) is NP-complete.
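As an added example (our own code, not the paper's), the following Python models a deliberately simplified core calculus with a brute-force resolver, shows a diamond-style conflict in the spirit of Figure 3, and carries out the standard 3-SAT reduction that gives the hardness direction of Theorem 3.1.4. Everything here is an assumption for illustration: the package names ("x1", "c0", "phi", "app", "core"), the function names, and the model itself, which is not the paper's Definitions 3.1.1 to 3.1.3; whether the paper's proof uses this particular encoding is not stated on this page.

```python
from typing import Optional

# Added example, not code from the paper. The model is our own simplification
# of a core package calculus:
#   - a repository maps a package name to the set of versions that exist;
#   - at most one version of a package may be in a resolution;
#   - a (package, version) depends on a list of disjunctions, each a set of
#     acceptable (package, version) alternatives;
#   - a resolution of a root is a set of (package, version) pairs containing
#     the root and closed under dependencies (one alternative chosen per
#     disjunction), with at most one version per package.

Pkg = tuple[str, int]
Deps = dict[Pkg, list[set[Pkg]]]
Repo = dict[str, set[int]]


def resolve(repo: Repo, deps: Deps, root: Pkg) -> Optional[set[Pkg]]:
    """Backtracking search for a resolution of `root`; None if none exists.
    Exponential in the worst case, which is what NP-completeness predicts."""

    def search(chosen: dict[str, int], frontier: list[set[Pkg]]) -> Optional[set[Pkg]]:
        if not frontier:
            return set(chosen.items())
        disj, rest = frontier[0], frontier[1:]
        if any(chosen.get(n) == v for n, v in disj):  # already satisfied
            return search(chosen, rest)
        for n, v in sorted(disj):
            if n in chosen or v not in repo.get(n, set()):
                continue  # another version already chosen, or no such version
            chosen[n] = v
            found = search(chosen, deps.get((n, v), []) + rest)
            if found is not None:
                return found
            del chosen[n]  # backtrack
        return None

    if root[1] not in repo.get(root[0], set()):
        return None
    return search({root[0]: root[1]}, list(deps.get(root, [])))


def diamond(loose: bool) -> tuple[Repo, Deps]:
    """A diamond (constructed, hypothetical packages): app needs lib-a and
    lib-b, both of which need core. With loose=False lib-b insists on core 2
    while lib-a needs core 1, so no resolution exists; with loose=True lib-b
    accepts core 1 or core 2."""
    repo: Repo = {"app": {1}, "lib-a": {1}, "lib-b": {1}, "core": {1, 2}}
    deps: Deps = {
        ("app", 1): [{("lib-a", 1)}, {("lib-b", 1)}],
        ("lib-a", 1): [{("core", 1)}],
        ("lib-b", 1): [{("core", 1), ("core", 2)} if loose else {("core", 2)}],
    }
    return repo, deps


def sat_to_repo(n_vars: int, clauses: list[list[int]]) -> tuple[Repo, Deps]:
    """Classic reduction from 3-SAT to dependency resolution (our encoding,
    not necessarily the paper's). Literals are DIMACS-style: i is x_i, -i is
    not x_i.
      variable i -> package "x{i}" with versions {1, 2}: 1 = true, 2 = false
      clause j   -> package "c{j}" with one version per literal, each version
                    depending on the variable version that makes it true
      formula    -> package "phi" version 1 depending on every clause package
    "phi" 1 resolves iff the formula is satisfiable: one version per package
    forces a consistent assignment, each clause package forces a true literal.
    """
    repo: Repo = {f"x{i}": {1, 2} for i in range(1, n_vars + 1)}
    deps: Deps = {}
    root_deps: list[set[Pkg]] = []
    for j, clause in enumerate(clauses):
        name = f"c{j}"
        repo[name] = set(range(1, len(clause) + 1))
        for k, lit in enumerate(clause, start=1):
            deps[(name, k)] = [{(f"x{abs(lit)}", 1 if lit > 0 else 2)}]
        root_deps.append({(name, k) for k in range(1, len(clause) + 1)})
    repo["phi"] = {1}
    deps[("phi", 1)] = root_deps
    return repo, deps


def assignment(resolution: set[Pkg]) -> dict[int, bool]:
    """Read the truth assignment back out of a resolution of sat_to_repo."""
    return {int(n[1:]): v == 1 for n, v in resolution if n.startswith("x")}


def satisfies(clauses: list[list[int]], assign: dict[int, bool]) -> bool:
    """Check a (possibly partial) assignment; unassigned variables default to False."""
    return all(any(assign.get(abs(l), False) == (l > 0) for l in c) for c in clauses)


if __name__ == "__main__":
    print(resolve(*diamond(loose=False), ("app", 1)))  # None: conflict on core
    print(resolve(*diamond(loose=True), ("app", 1)))   # resolution using core 1
    phi = [[1, -2], [2, 3], [-1, -3]]                  # constructed 3-SAT instance
    res = resolve(*sat_to_repo(3, phi), ("phi", 1))
    print(assignment(res), satisfies(phi, assignment(res)))
    print(resolve(*sat_to_repo(1, [[1], [-1]]), ("phi", 1)))  # None: unsatisfiable
```

The reduction is the reason a resolver cannot be both complete and polynomial (unless P = NP): any repository in which one package name may carry several mutually exclusive versions and a dependency may be a disjunction over alternatives can encode an arbitrary 3-SAT instance, so real package managers either restrict the dependency language or accept exponential worst cases and lean on SAT/PBO solvers and heuristics.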

Figures (12)

  • Figure 1: An instance of the Package Calculus.
  • Figure 2: Conflict Package Calculus $(A, 1) \Gamma (B, \{1, 2\})$ reduced to the core calculus.
  • Figure 3: Dependencies exhibiting the 'diamond dependency problem'.
  • Figure 4: Concurrent Package Calculus dependencies where $g(x.y.z) = x$.
  • Figure 5: Reduction of Figure 4 to the core calculus.
  • ...and 7 more figures

Theorems & Definitions (61)

  • Definition 3.1.1 : Package
  • Definition 3.1.2 : Dependency
  • Definition 3.1.3 : Resolution
  • Theorem 3.1.4
  • proof
  • Definition 3.2.1 : Version Ordering
  • Definition 3.2.2 : Resolution Ordering
  • Definition 3.2.3 : Version Formula
  • Definition 3.2.4 : Version Formula Dependency
  • Definition 3.2.5 : Version Formula Resolution
  • ...and 51 more