APM stands for Aragon Package Manager. You can read more about it if you don't know what it is. The summary is that APM is a decentralized package manager. APM handles the upgradeability of smart contracts as well as arbitrary data blobs.

Usually, in a standard package manager, you have something like this:

[Diagram: centralized package manager architecture]

There are two main problems with that architecture:

  • The server is a single point of failure. It can cheat you (and serve you malicious software), or it can be shut down (and deny you access to the software)
  • The maintainer, or anyone that takes control of their account or access token, can just push malicious software

APM's architecture is much more advanced, and enables:

  • Decentralized storage: Packages' data can be stored in platforms like IPFS or Swarm. They offer integrity and easy redundancy by default
  • Rich governance over package upgrades: You could include governance processes like democracy, liquid democracy and even futarchy as part of the approval process for an upgrade
  • On-chain incentivization: You can create cryptoeconomic systems that reward those who help, and disincentivize attackers

[Diagram: APM architecture]

But centralized package managers can already guarantee integrity!

Yes, they can. In the Linux community, package managers are very advanced and fairly decentralized. You have servers that host the registries, and others that host the actual data.

When you download a package, package managers check the name and hash of the package in the registry servers, and then download the actual package in one of the mirrors.

Unfortunately, this is still a very centralized model. It only takes the registry server, one mirror, and bad luck to bypass all security measures.
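The limit of the registry-plus-mirror check, as an added example that is not part of the original post. It is a simplified Python model in which plain SHA-256 digests stand in for IPFS or Swarm content identifiers; the package name `left` and the package bytes are constructed for illustration.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def fetch_verified(name: str, registry: dict, mirror: dict) -> bytes:
    """Classic flow: the registry names the expected hash, a mirror supplies the bytes."""
    blob = mirror[name]
    if digest(blob) != registry[name]:
        raise ValueError(f"{name}: mirror content does not match registry hash")
    return blob

def fetch_by_content_id(content_id: str, store: dict) -> bytes:
    """Content-addressed flow: the identifier is the hash, so storage needs no trust."""
    blob = store.get(content_id)
    if blob is None or digest(blob) != content_id:
        raise ValueError("content does not match its identifier")
    return blob

GOOD = b"package left v1.0.0 (reviewed build)"   # constructed sample
EVIL = b"package left v1.0.0 (tampered build)"   # constructed sample

def scenarios() -> dict:
    results = {}
    registry = {"left": digest(GOOD)}
    # 1. Honest registry, honest mirror: install succeeds.
    results["honest_ok"] = fetch_verified("left", registry, {"left": GOOD}) == GOOD
    # 2. Honest registry, tampered mirror: the hash check catches it.
    try:
        fetch_verified("left", registry, {"left": EVIL})
        results["bad_mirror_detected"] = False
    except ValueError:
        results["bad_mirror_detected"] = True
    # 3. Registry and one mirror both tampered: the check passes on bad bytes.
    bad_registry = {"left": digest(EVIL)}
    results["bad_registry_accepted"] = (
        fetch_verified("left", bad_registry, {"left": EVIL}) == EVIL)
    # 4. Identifier recorded outside the storage layer (assumed here to be the
    #    value a governed on-chain repo holds); the store swaps the blob.
    pinned = digest(GOOD)
    try:
        fetch_by_content_id(pinned, {pinned: EVIL})
        results["bad_store_detected"] = False
    except ValueError:
        results["bad_store_detected"] = True
    return results
```

Case 3 is the failure the paragraph describes: the hash check only moves trust to whoever can change the name-to-hash record, which is the part APM places under governance.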

But centralized package managers already have peer review!

Peer review works great if:

  • You are installing open source software
  • You compile it on your machine
  • People are peer reviewing to make sure it's not malicious

I'm all against proprietary and closed-source software, so I don't care so much about the first one.
But I'm not expecting every single user to compile their software locally. That's bad user experience, hard, and takes a lot of computing power.

I also don't expect peer review to always work. It may work for packages that are very popular, but even with that, reviewers may:

  • Just be humans and miss something
  • Be bribed
  • Be a puppet identity to seem like review is happening
  • Not care, since they aren't always incentivized

There are real-world examples of how things can go wrong with a centralized model, especially when the package manager maintainer can arbitrarily change ownership of packages.

In one case, an open source programmer had the ownership of their package name transferred to another entity by NPM. After threats of legal action and the ownership transfer, the programmer decided to take action and removed all the modules they had created from NPM. Deleting the open source code they had published led to far-reaching consequences. You can read more about this incident in "How one programmer broke the internet by deleting a tiny piece of code".

There's also this example where a popular module got compromised. An attacker was able to hijack the account of a module maintainer. Without a proper governance solution for upgrading packages, malicious content got published. This post-mortem explains the eslint-scope security incident.

These are just some examples of where a centralized model of a package manager can fail. Nothing too shocking or major has happened, yet.

APM to the rescue!

We will analyze a possible way to create a community-curated package manager. It is opinionated, and its cryptoeconomics haven't been tested.

Deploying APM

You can deploy your own APM registry. Let's call ours community.decentralizedpm.eth.

Set up an Aragon DAO

Create a DAO, which can be done in a minute!

Mint tokens for your community members

Use the Token Manager app inside Aragon Core to mint tokens for your entire community. You can airdrop tokens to them, or just have some way for them to claim the tokens.

Let community members choose registry maintainers

Conduct a vote so the community chooses the registry maintainers.
Registry maintainers will be in charge of choosing repository maintainers. They have to make sure that the registry works. This entails adding or removing repo maintainers.

Registry maintainers need to keep a stake that can be slashed by community voting. That stake can depend on how critical the registry and its security are.

Repository maintainers

Repo maintainers approve or deny upgrades to packages.

Repo maintainers also need to keep an economic stake. Registry maintainers can slash it if:

  • The repo maintainer stops upgrading the package
  • The repo maintainer introduces malicious software
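The roles described above, modelled in Python as an added example that is not code from the post or from Aragon. The two-approval quorum, the maintainer names, the stake amounts and the hash strings are assumptions; the post does not specify an approval threshold.

```python
from dataclasses import dataclass, field

@dataclass
class Repo:
    """Toy model of one package repo. The quorum rule is an assumption."""
    registry_maintainers: set
    quorum: int
    stakes: dict = field(default_factory=dict)     # repo maintainer -> stake
    approvals: dict = field(default_factory=dict)  # (version, hash) -> approvers
    published: dict = field(default_factory=dict)  # version -> content hash

    def add_maintainer(self, by: str, who: str, stake: int) -> None:
        if by not in self.registry_maintainers:
            raise PermissionError("only registry maintainers add repo maintainers")
        if stake <= 0:
            raise ValueError("repo maintainers must post a stake")
        self.stakes[who] = stake

    def approve(self, who: str, version: str, content_hash: str) -> bool:
        if who not in self.stakes:
            raise PermissionError(f"{who} is not a repo maintainer")
        if version in self.published:
            raise ValueError("published versions cannot be replaced")
        voters = self.approvals.setdefault((version, content_hash), set())
        voters.add(who)
        if len(voters) >= self.quorum:
            self.published[version] = content_hash
        return version in self.published

    def slash(self, by: str, who: str) -> int:
        if by not in self.registry_maintainers:
            raise PermissionError("only registry maintainers can slash")
        for voters in self.approvals.values():
            voters.discard(who)  # void the slashed maintainer's pending approvals
        return self.stakes.pop(who)

def hijacked_account_scenario() -> dict:
    repo = Repo(registry_maintainers={"registry"}, quorum=2)
    for name in ("alice", "bob", "carol"):
        repo.add_maintainer("registry", name, stake=100)
    # alice's account is taken over and approves a tampered build (constructed hashes)
    lone = repo.approve("alice", "1.0.1", "hash-of-tampered-build")
    lost = repo.slash("registry", "alice")
    repo.approve("bob", "1.0.1", "hash-of-reviewed-build")
    ok = repo.approve("carol", "1.0.1", "hash-of-reviewed-build")
    return {"lone_approval_published": lone, "stake_slashed": lost,
            "quorum_published": ok, "published": dict(repo.published)}
```

With a quorum of two, one taken-over maintainer account cannot publish by itself, which is the gap the eslint-scope incident exposed in a single-account publish model.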

Call for package managers

A decentralized Android package manager

Android is a great and very open platform. But, unfortunately, Google has permeated it so much that it isn't as open as it seems. If you don't use Google Play Services, you are basically excluded.

There are alternatives, but only a few people use them. Incentives built into app stores make it very hard for an open-source and decentralized app store to thrive. You can build a decentralized package manager that works on Android, and rewards developers and maintainers. Since no one would be sold ads and tracked, users would pay a monthly subscription in exchange for security and privacy.

A decentralized NPM

We all know NPM has issues. From malicious software to downtimes (in which the whole dev community is paused, basically).

You can build a decentralized NPM, curated for developers, by developers.

Other ideas?

We haven't even started exploring the possibilities of community-curated, incentivized package managers. If you have some other ideas, jump into the Aragon community chat or the Aragon research forum!



This post was a collaboration between

Luis Cuende, Aragon One