
Show HN: WAPM – Package Manager for WebAssembly - syrusakbary
https://wapm.io/?hn
======
JeremyBanks
I like Wasmer, but I very much dislike the idea of another major package
repository being owned and operated by a commercial entity. They seem like
good people doing valuable work now, but that doesn't tell us very much about
who the company will be in five or ten years.

I've grown uncomfortable with NPM being operated by NPM Inc instead of The
Node.js Foundation, but it's a hard thing to change once it's established. We
should hesitate to support the establishment of another community package
manager by a for-profit company.

~~~
syrusakbary
I completely understand your concerns, especially given the issues that NPM
had lately. We are an open-source focused company and our success is tightly
tied to the success of our open-source solutions.

Here are some of the things that we are doing in order to resolve (or
minimize) the concerns:

* Completely open API to retrieve the registry data (it's a work in progress, but our GraphQL API is open to everyone to use: [https://registry.wapm.io/graphql](https://registry.wapm.io/graphql) )

* De-centralized hosting of the packages (news to come soon!)

~~~
yuvipanda
Thanks! This is a good start.

Do you have ideas on how you will make the _governance_ of the registry open?
Who will make important decisions around policies, and how will they be made?
I personally find this to be the core reason I find it hard to use startup-run
package registries.

~~~
syrusakbary
We are starting to research on governance, but to date nothing is defined
(since we have just launched).

However, I would love to follow up with you personally to make sure we make
the right choices from the start. Can you write me an email to syrus@wasmer.io
so we continue the conversation there?

------
catern
Why a new package manager? Why not port an existing well-designed generic
package manager such as Nix?

Making a new package manager is very expensive in terms of developer times -
developers have to learn yet another new thing to use your platform. Can you
justify this?

Edit: For example, as matthewbauer commented below, Nix can support
WebAssembly as a compilation target:
[https://github.com/NixOS/nixpkgs/pull/56555](https://github.com/NixOS/nixpkgs/pull/56555)

~~~
Godel_unicode
Which general purpose package manager works correctly on Windows (not WSL,
actual Windows) and Linux? Cross-platform is more important than not creating
another package manager.

I think a far more interesting question is, does the package repository
support falling back to e.g. curl. That would allow those who don't want
another package manager to still use the registry.

~~~
catern
You should distinguish between "can run on Windows" and "can manage Windows
software as packages". Most package managers could probably run fine on
Windows; at worst they could use cygwin or, indeed, WSL. Managing Windows
software is much harder, but isn't necessary: This is a package manager for
WebAssembly packages, not Windows packages or Linux packages.

And anyway, wasmer itself doesn't even support Windows.

~~~
Godel_unicode
If you run on Windows by using e.g. cygwin, you don't run on Windows. See
previous statement about WSL.

> wasmer itself doesn't even support Windows

First, it will:
[https://github.com/wasmerio/wasmer/issues/51#issuecomment-44...](https://github.com/wasmerio/wasmer/issues/51#issuecomment-446426021)

Second, I write code that doesn't run on my terminal all the time, but I need
the packages I'm using to be installed and versioned correctly.

~~~
skybrian
Well, obviously both WSL and Cygwin run on Windows (and nowhere else), so,
rhetoric aside, could you explain why they are they insufficient for your
purposes?

~~~
lifthrasiir
When one says that some _development tool_ has to run in Windows, it is meant
to be run by Windows _developers_ , who normally do not use WSL nor Cygwin.

------
moosingin3space
I love WebAssembly/WASI, but I'm concerned about us repeating the mistakes of
the past.

How does the dependency model work? Can I safely install parallel streams of
software? Does it support unprivileged installation? Is the installation
stateless (no scriptlets/lifecycle scripts)?

~~~
MuffinFlavored
> Is the installation stateless (no scriptlets/lifecycle scripts)?

I feel like the reason `npm`/the node.js ecosystem has these is because... as
soon as you want to do anything serious, you need them.

How else do you build native modules across different platforms, run initial
post-installation configuration scripts, etc.?

~~~
moosingin3space
> How else do you build native modules

It is my understanding that wasmer is trying to create a new ecosystem that
doesn't rely on native modules.

> run initial post-installation configuration scripts

It's been my experience, as a long-time Linux user, that this is actually a
bad thing. Stateless systems are far easier to work with -- a package manager
can be far faster and simpler if it just extracts an archive. I can't think of
a single case where post-installation configuration scripts couldn't be
replaced by something simpler, using the filesystem.

~~~
orf
Downloading a dependent native library from an official source, based on the
current OS version.

~~~
moosingin3space
Could this not be done though the dependency system itself, if it were
sufficiently generic?

------
whyrusleeping
Are all the 'packages' here reproducible? I'd love to be able to run something
like `wapm verify <package>`, or `wapm verify --all`. Running arbitrary code
from random people on my computer is sketchy even when I can look at the code.
Its far more sketchy when I can't.

~~~
syrusakbary
We are working on supporting signed packages to assure they can't be tampered
with. At the same time WebAssembly provides some nice sandboxing capabilities
and we are working to add permissions on top of syscalls, so packages will not
do what they are not suppose to do.

Reproducible builds are definitely something great, but they are quite tricky.
However we are very open to hear more thoughts on how to do it!

~~~
whyrusleeping
Signed packages are useful, but still don't solve the problem.

One fairly simple thing you can do to improve this would be to include build
scripts as part of the package, and allow people to run those build scripts
through wapm. The exact versions of any involved tools will need to be
recorded too, but since there arent too many ways to generate wasm blobs yet,
this shouldnt be too out there.

Eventually it would be great if everyone had fully reproducible build formulae
(kinda like
[https://github.com/polydawn/repeatr](https://github.com/polydawn/repeatr)).

~~~
est31
Yeah, instructions onto how to build the package would be highly valuable.
Environments where binaries are very backwards compatible (which itself is a
good thing!) lend themselves to discarding abilities about how to build
something. You could quickly land in a situation where you need to recompile
some particular binary for some reason but figuring out how to compile it is
really hard. Like how Microsoft fixed a vulnerability in an Office program by
changing the binary instead of the source code.

IMO any open source centric repository should have developers upload the
source code instead of binaries so that the repository can compile it
themselves to give binaries or source code to users. At the start they could
use docker where the docker file is part of the uploaded artifacts, and later
they could use WASI based toolchains directly, e.g. clang compiled to wasm or
rustc compiled to wasm.

This "developers upload binary artifacts, source code is an afterthought" idea
of npm rubs me wrongly.

~~~
catern
Yes, definitely source+build instructions should be uploaded rather than
binaries.

You can still support proprietary software by just uploading the binaries as
source (and maybe doing some build-process to adapt it to the packaging
format)

~~~
est31
Definitely, proprietary software should be supported. You could either let
developers upload the binary directly, or just not offer sources to download
for users, optionally deleting them after they have been built.

Debian has developed an amazing set of standards for software repositories
which I think should be applied universally to all package management
ecosystems that want to have open source at their core.

E.g. they require that the source code has to be actual source code, aka
"preferred form of modification" and not something minified. They also have
separate repositories for proprietary and DFSG-free software, allowing users
to choose whether they want to use proprietary software or not. Also, they run
their builds without internet access, so the source code (as well as the
dependencies tracked by the system) is actually everything needed.

------
matthewbauer
I'm working on Nixpkgs support for WASI cross compilation here:

[https://github.com/NixOS/nixpkgs/pull/56555](https://github.com/NixOS/nixpkgs/pull/56555)

------
bayesian_horse
The documentation such as it is, doesn't even tell me what this is supposed to
do (or at least not after a superficial look). Is it for using web assembly
binaries on a command line? Or in the browser? Integration with webpack or the
like?

There is a link on how to install from source, pointing to github, but the
link is dead and the organization has no repositories...

At the moment, there is not enough momentum behind individual web assembly
packages, as in "many people wanting to include the same wasm binaries". If at
some point there are runtimes for like C#, Java, Python etc which people agree
on, they might try and use a CDN approach, such that users visiting multiple
websites don't need to download everything at every site.

~~~
sitapati
It's a Java/.NET/JS-style VM target. So you can distribute your app with a
single binary download, instead of different ones for different Operating
Systems.

------
rcfox
Do wasm modules depend on one another? I assumed they were statically linked.

It feels like this is more of a wasm "app store".

~~~
mintplant
WASM dynamic linking: [https://webassembly.org/docs/dynamic-
linking/](https://webassembly.org/docs/dynamic-linking/)

I don't think WAPM has any particular support for this (yet?), though.

------
syrusakbary
Hi HN! We have also published an article to showcase wapm:
[https://medium.com/wasmer/announcing-wapm-the-webassembly-
pa...](https://medium.com/wasmer/announcing-wapm-the-webassembly-package-
manager-18d52fae0eea)

Would love to hear your thoughts!

~~~
phillmv
Hello,

1\. Package managers are very hard! The same problems wrt dependency
resolution pop up again and again. Whatever you do, I recommend uhm, copying
whatever Yehuda et al did for Ruby, Rust, Yarn, i.e. bundler/cargo/yarn

There's lots of prior art out there, and a few days of reading can save you
months of terrible effort! Here's one example but there's loads more out there
[https://yehudakatz.com/2016/10/11/im-excited-to-work-on-
yarn...](https://yehudakatz.com/2016/10/11/im-excited-to-work-on-yarn-the-new-
js-package-manager-2/)

2\. Namely, I don't see any lock files! I didn't look very hard. But get
yourself some lockfiles. I also can't stress this enough.

3\. Packaging signing really needs to be baked in from the get go, re:
[https://news.ycombinator.com/item?id=19733085](https://news.ycombinator.com/item?id=19733085)).

Good luck!

------
sitapati
You guys are missing the forest for the trees. This is truly revolutionary.

[https://dev.to/jwulf/i-can-t-believe-it-s-
webassembly-308c](https://dev.to/jwulf/i-can-t-believe-it-s-webassembly-308c)

~~~
intertextuality
Then submit that to HN, showcasing what wapm can really do.

Instead, people here are _rightly_ cynical. I do not want another private
company managing something as fundamental as a package registry.

I want them to answer my question about how they are actually going to fund
themselves. Especially with the dubious decision to pay for office space in
San Francisco.

~~~
sitapati
Done!

I'd fund it through VC investment. It's a market/mind share play aka hosting a
community.

~~~
intertextuality
Fault on me for wording it that way.

1) How are you going to earn a _profit_? Like what is your revenue stream
going to be, etc? Not funding.

2) Why do you need an office in downtown San Francisco? Why not work remotely?

------
localhostdotdev
anyway, sounds really cool and hoping it gets inspired by things like
bundler/homebrew more than npm/yarn.

btw it has "telemetry" enabled by default.

edit: thanks for the link, didn't find the source previously

~~~
syrusakbary
The CLI is open-source: [https://github.com/wasmerio/wapm-
cli](https://github.com/wasmerio/wapm-cli)

We are also planning to open-source the registry as well :)

~~~
justinclift
Ahhh cool. The GitHub link on the bottom of the page just goes to this empty
GitHub repo:

[https://github.com/wapmio](https://github.com/wapmio)

So I initially thought it was all closed source. Maybe add more GitHub repo
links, so people can find the right stuff? :)

------
dmix
It'd be cool to see what language the parent library was written in, so you
could explore them similar to Github's language based browse feature.

Although I guess the whole point, as far as the end user is concerned, is it
doesn't matter what language it was written in. But it's still very relevant
to people using them as libraries.

------
ilaksh
I brought up some similar ideas more than three years ago.
[https://github.com/WebAssembly/design/issues/320](https://github.com/WebAssembly/design/issues/320)

In case anyone is interested in any of that discussion.

------
Illniyar
So this is a package manager like yum or apt-get, not like npm.

Seems reasonable, I guess, though the power of wasm is that it can be run
without install, like a webpage. We'll see if this catches on.

~~~
tokyodude
does that mean everything installs globallu by default. if there is one thing
I love about npm it's that it's local by default and global is the exception.

------
v_lisivka
Is it possible to integrate wapm with web browser as plugin, so web site will
be able to request up-to date wasm packages from local store instead of
downloading of their own copies?

------
fiatjaf
How do I use that?

------
sureaboutthis
And so it begins. The building of "tools for tools". The inability of people
to work with the fundamentals. A device in search of a problem.

