Distributed repository for software packages using blockchain

Abstract

A package repository is an essential piece of a software ecosystem where packages and interdependencies are published together with security updates. In free and open-source software, the software repositories are frequently hosted and maintained using donations or contributions in the form of computational power or financial aid. The technical solution adopted to absorb the computational power donation limits on its design, prohibiting small donors from participating with their contributions. The lack of contributions directly implies limiting repository functionalities. This work proposes a package repository using Blockchain evaluated through real-world simulations and statistics. The Blockchain described has its consensus algorithm crafted to befit the purpose of a package repository without financial appeal. The consensus algorithm relies on a forger party where peers are semi-randomly selected using a protocol to agree on the forger node. Also, the proposed Blockchain keeps a compatible layer with the traditional repositories, easing its adoption. With the adoption of the proposed Blockchain, the repositories could benefit from the computational power of small contributors, thus enabling more features for their end-users. Furthermore, this work presents a package search over peer-to-peer, computed on untrusted nodes, yet guaranteeing that the results are trusted. In this work, we present tests with a Blockchain holding more than 250 thousand packages, published over more than ten years of the ArchLinux distribution. Finally, we present a functional Blockchain that cohesively exposes more than four million package releases published over more than seventeen years of the PyPi catalog.