Developers are relying on distributed repository tools like Maven, and on repository managers like Nexus and Artifactory. Microsoft has a similar approach built into Visual Studio. This approach makes it very easy to use many different pieces of software without knowing what the dependency tree is. When using these services one is making the following assumptions:
- The code in the repository is the code that non-malicious developers actually intended to be there.
- The code one is using abides by other constraints, for example licensing.
There are a number of assumptions and questions one can challenge and/or improve about Maven-type systems. Maven is used here as a general term for the specification of dependencies in some formal declarative language, together with a system for hosting these artifacts in a large distributed network. Adding attributes to the Maven process would let one ask additional questions. Some hypothetical questions:
- How was it tested?
- What are the licensing policies?
- What is the quality of the source code management?
- Who are the developers and committers?
- What are the reported bugs against the source code base?
- Which additional features are not implemented?
Ideally a general approach would allow one to ask arbitrary questions. Perhaps some of the approaches from Semantic Technologies would be useful.
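As an added illustration (not code from the original note), the script below reads a Maven POM, which already carries self-declared elements for several of the questions above (licenses, developers, scm, issueManagement, ciManagement), and reports which questions the artifact leaves unanswered. The POM is a constructed sample; the mapping from question to element is an assumption about which declared field partially answers it, and since publishers fill these fields in themselves, a declared answer is a starting point for review rather than a verified fact.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>demo-lib</artifactId>
  <version>1.2.3</version>
  <licenses>
    <license><name>Apache-2.0</name></license>
  </licenses>
  <developers>
    <developer><id>alice</id><name>Alice Example</name></developer>
  </developers>
  <scm>
    <url>https://example.invalid/scm/demo-lib</url>
  </scm>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed mapping: each question from the note -> the POM element that partially answers it.
QUESTIONS = {
    "testing": "m:ciManagement",
    "licensing": "m:licenses/m:license",
    "source management": "m:scm",
    "developers": "m:developers/m:developer",
    "bug tracking": "m:issueManagement",
}

def assess_pom(pom_xml: str) -> dict:
    """Return, per question, the declared answers found in the POM (empty list = unanswered)."""
    root = ET.fromstring(pom_xml)
    report = {}
    for question, path in QUESTIONS.items():
        nodes = root.findall(path, NS)
        # Summarise each matched element by the first non-blank text in its subtree.
        report[question] = [
            next((c.text.strip() for c in node.iter() if c.text and c.text.strip()), "")
            for node in nodes
        ]
    return report

def unanswered(report: dict) -> list:
    """Questions the POM gives no declared answer to, sorted for stable output."""
    return sorted(q for q, answers in report.items() if not answers)

if __name__ == "__main__":
    rep = assess_pom(SAMPLE_POM)
    for q, answers in rep.items():
        print(f"{q:18s} {'declared' if answers else 'MISSING'} {answers}")
    print("unanswered:", unanswered(rep))
```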