Supporting Spack package manager

[crtrott]

A package manager which has found significant adoption over the last few years (in particular in High Performance Computing) is Spack (https://github.com/spack/spack). It supports over 7000 packages and is geared towards resolving complex dependency chains with a focus on building everything from source.

It would be nice if Spack could be recognized by Scorecard as a packaging mechanism, though I am unsure how difficult this would be. Spack recipies are hosted on github though, and for github hosted packages it manages one would usually find an entry in its pacakge.py file similar to this:

git = "https://github.com/kokkos/kokkos.git"

version("master", branch="master")
version("develop", branch="develop")
version("3.7.01", sha256="0481b24893d1bcc808ec68af1d56ef09b82a1138a1226d6be27c3b3c3da65ceb")

I.e. it should be possible to simply search the package files of spack for matching entries to repository name/url, branch name and versions (tags).

Spack and Kokkos for what its worth are slated to be part of the High Performance Software Foundation umbrella in the Linux Foundation.

@tgamblin is the primary maintainer of Spack.

[spencerschrock]

It supports over 7000 packages and is geared towards resolving complex dependency chains with a focus on building everything from source.

It would be nice if Spack could be recognized by Scorecard as a packaging mechanism, though I am unsure how difficult this would be.

Is there any sort of publishing mechanism? Or are the packages managed via the repo contents (and PRs)?
https://github.com/spack/spack/tree/develop/var/spack/repos/builtin/packages

[tgamblin]

There's a builtin repo in the main Spack repository (which has the ~7500 packages). That's managed via PR ala Homebrew or nixpkgs.

Users also frequently have their own private/external package repositories layered on top of the builtin packages.

[github-actions]

This issue has been marked stale because it has been open for 60 days with no activity.