We regularly encounter upstream that don’t follow best release practices and mutate them over time. We share this problem between nixpkgs and all the other package managers.
Here are some examples from the top of my head (please do not go an annoy them):
- Fixed download URLs. Eg: beeper
- Git history rewriting. Eg: https://github.com/c-koi/gmic-qt
- Re-releasing projects in place
This is not necessarily something that the NixOS project should handle, but we might want to be able to provide guidance and tooling towards that problem. Ideally, something that can be shared with the other package managers.
We need two things:
a. A short manifesto that explains the problem and recommends solutions. This can be used to communicate with upstream projects.
b. An infrastructure that snapshots releases. This will be used to maintain stable historical archives.
For (a), are you aware of something that exists like that?
For (b), we have Software Heritage that partially solves the issue for (2), but not for (1) as they only connect to forges (AFAIK). It might require creating a new GitHub org, and then some tool for automation and snapshot transparency log.
I think it would be worth solving this problem once and for all. For now, I’m collecting ideas, and then we can create a group of interested people.