Dependencies and package managers

Explicitly declare and isolate dependencies

Never rely on implicit existence of system-wide packages


Managing dependencies is about managing trust. Decentralised package hosting is not supported using most package managers. Packages may became abandoned over time, but the key issue is security. The purpose of a centralised system is to guarantee security.

Centralised services propose an obvious risk. The question in which organisation we put our trust and what can we do to mitigate the risk.

Source code vs binary

Backing up dependencies is a way to manage this. We have two options here: save artifacts (binaries) or save the source code.

Embedded firmware: Build from scratch

Embedded firmware: Build OS from scratch but pull packages from a feed

App development: OS level package managers

App development: Application level package managers



Monorepos and Polyrepos




Monorepo involves mostly challenges around scaling the organization in a single repo. Polyrepo involves mostly challenges with coordination.


Splitting one repo is easier than combining multiple repos.

Combine polyrepos with a package manager

Specify all system component versions in a repository as code.

Combine polyrepos with a repo management tool

man repo

Updated 02 January 2023