A deep technical breakdown of the six distinct stages of package installation: metadata fetching, dependency resolution, downloading, unpacking, building, and post-install hooks. Each stage has well-defined privilege boundaries around network access and code execution. The post examines how real-world package managers (npm, pip, Cargo, Go modules, Bundler) violate these boundaries — for example, pip historically running arbitrary setup.py files during resolution, or npm packages downloading prebuilt binaries in postinstall scripts. It also covers how Nix/Guix come closest to the clean model via sandboxed builds and fixed-output derivations, and discusses the consequences for supply-chain tooling, SBOM generators, and reproducible builds.
Table of contents
1. Fetching metadata
2. Resolving
3. Downloading
4. Unpacking
5. Building
6. Post-install
The model versus the implementations
Consequences for tooling
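The summary above singles out one boundary violation in particular: post-install hooks that reach out to the network to pull prebuilt binaries, when the clean model allows network access only in the download stage and code execution only in the build stage. The script below is an added example, not code from the post or from any package manager; it audits npm package.json manifests for lifecycle scripts that run on install and flags those whose command line invokes a known fetcher (the fetcher list is a heuristic assumption, not exhaustive). The manifests it checks are constructed samples embedded inline.

```python
"""Audit npm manifests for install-time hooks that cross the network boundary.

Added example (not from the original post). Assumptions: the hook names are the
lifecycle scripts npm runs automatically during installation; the fetcher set is
a heuristic list of tools that download at install time, not a complete one.
"""
import json
import os
import shlex

# Lifecycle scripts npm executes on install; 'prepare' also runs for git deps.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command names that fetch over the network (heuristic, assumed for this example).
NETWORK_FETCHERS = frozenset({"curl", "wget", "prebuild-install", "node-pre-gyp"})


def find_fetchers(command: str) -> list[str]:
    """Return fetcher names appearing as tokens in a shell command line.

    Tokens are reduced to their basename so './node_modules/.bin/prebuild-install'
    still matches. Order is preserved and duplicates are dropped.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:
        # Unbalanced quotes; fall back to a whitespace split rather than failing.
        tokens = command.split()
    hits: list[str] = []
    for tok in tokens:
        name = os.path.basename(tok)
        if name in NETWORK_FETCHERS and name not in hits:
            hits.append(name)
    return hits


def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install-time hook present in the manifest.

    Every install hook is reported (it is code execution during installation);
    hooks that also invoke a fetcher are escalated to 'network-in-postinstall'.
    """
    findings: list[dict] = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        fetchers = find_fetchers(cmd)
        findings.append({
            "package": manifest.get("name", "<unnamed>"),
            "hook": hook,
            "command": cmd,
            "fetchers": fetchers,
            "severity": "network-in-postinstall" if fetchers else "code-exec-on-install",
        })
    return findings


# Constructed sample manifests (not real packages).
SAMPLE_MANIFESTS = {
    # No install hooks at all: nothing runs on install.
    "clean-lib": {"name": "clean-lib", "scripts": {"test": "node test.js"}},
    # Compiles a native addon locally: code execution, but no download.
    "native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    # Tries to download a prebuilt binary first, compiles only as a fallback.
    "prebuilt-addon": {
        "name": "prebuilt-addon",
        "scripts": {"postinstall": "prebuild-install || node-gyp rebuild"},
    },
    # Fetches an archive through a path-qualified curl in a preinstall hook.
    "vendored-blob": {
        "name": "vendored-blob",
        "scripts": {"preinstall": "/usr/bin/curl -fsSL https://example.invalid/blob.tgz -o blob.tgz"},
    },
}


def audit_all(manifests: dict) -> list[dict]:
    """Audit every manifest and concatenate the findings."""
    results: list[dict] = []
    for manifest in manifests.values():
        results.extend(audit_manifest(manifest))
    return results


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_MANIFESTS), indent=2))
```

Running the script prints a JSON report with three findings: the native addon is recorded as code execution on install, while the two packages that download during a hook are escalated. The same split mirrors the stage model in the post: a build step that compiles locally stays inside its boundary, whereas a hook that fetches has merged the download and build stages into one privileged step.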