Reverse Engineering Package Registries In The Middle Of Nowhere
10-27, 18:10–18:15 (Europe/Berlin), Main stage

There are many different package registries in different ecosystems. We rely on them so much now that we take them for granted. But how do they work, and what’s inside? This talk explores what makes package registries tick, and how to mirror them with integrity. We'll focus on Rubygems, but touch on NPM (JavaScript/Node), Hex (Elixir), Homebrew (macOS), Ubuntu (Debian) and Fedora (RPM).


Have you ever been in the middle of nowhere with almost no Internet... and wanted to install a package?

I like to go to Railscamps in Australia. We get a bunch of software folks out somewhere remote and ideally have no Internet. And I'm the one who lugs along a Mac Mini stuffed with mirrors of all the big package registries, like Rubygems, NPM, Hex, Homebrew, Ubuntu, and Fedora. Because the official ways to mirror these things are broken, don't exist, or aren't designed for Australian latency, I reverse engineered a bunch of the registries and built mirrors out of sticky tape, shoelaces, and poor 3G coverage.

Let’s take a look at the big public package registries, what makes them the same, how they are different, and how HTTP still reigns supreme.

I'm a Principal Engineer at Buildkite, plugging together pipelines, artifacts, and packages, constantly looking for better ways to ship more reliable software to production.