Using Content-Derived Names for Package Management in Tcl


Managing different versions of library routines has long been a problem, both for Tcl and for other languages that permit code reuse and modification (i.e., all computer languages that the authors are aware of). This problem is particularly difficult for Tcl because it allows libraries (in the form of packages) to be dynamically loaded as needed. While this feature is very convenient - users need only keep a single copy of each library to use it in many programs - it can lead to code compatibility and distribution problems.

This paper presents a solution for this problem - using content-derived names (CDNs) to name Tcl packages. Using this solution, a program can simultaneously use two different versions of a single package. In addition, the Tcl interpreter can easily find instances of a missing package over the network and download them, making them available to a running application. Because content-derived names are computed using a cryptographically strong hash over the text of a package, this process is safe from spoofing and other attacks based on providing the wrong library. Thus, a user may download missing packages from any server willing to provide them without fear of virus or trojan horse attacks.
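
The idea in miniature, as an added example that is not the paper's implementation: a package is requested by the digest of its text, content from any source is accepted only if it hashes to that name, and each accepted version is evaluated in its own namespace so two versions coexist. Assumptions: SHA-256 from tcllib as the hash, and the hypothetical names `cdn::name`, `cdn::load` and the `mirrorA`/`mirrorB` labels.

```tcl
package require Tcl 8.6
package require sha256   ;# tcllib; SHA-256 is an assumed choice of hash

namespace eval cdn {}

# Content-derived name: hex digest over the exact bytes of the package text.
proc cdn::name {text} {
    return [sha2::sha256 -hex -- [encoding convertto utf-8 $text]]
}

# Try each source in turn for the package named $want. Content is evaluated
# only if its digest equals the requested name; it is loaded into a namespace
# named after the CDN, so different versions never collide.
proc cdn::load {want sources} {
    foreach {label text} $sources {
        if {[cdn::name $text] ne $want} {
            puts "reject $label: digest does not match requested name"
            continue
        }
        namespace eval ::cdn::pkg_$want $text
        return ::cdn::pkg_$want
    }
    error "no source supplied content matching $want"
}

# Constructed sample data: two versions of one package and a tampered copy.
set v1   {proc greet {} { return "hello from 1.0" }}
set v2   {proc greet {} { return "hello from 2.0" }}
set evil {proc greet {} { return "tampered" }}

# The application records the names of the exact versions it was built with.
set n1 [cdn::name $v1]
set n2 [cdn::name $v2]

# mirrorA answers first with substituted content and is skipped;
# mirrorB supplies the genuine text.
set ns1 [cdn::load $n1 [list mirrorA $evil mirrorB $v1]]
set ns2 [cdn::load $n2 [list mirrorB $v2]]

# Both versions are usable side by side in the same interpreter.
puts [${ns1}::greet]
puts [${ns2}::greet]
```

The digest check binds the downloaded text to the name the program asked for, so the server no longer has to be trusted. The name itself still has to reach the program from a source it trusts.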