The 'Tuesday test' is a simple heuristic for evaluating whether a package manager is truly declarative: given the same manifest, lockfile, and registry contents, can the install behave differently depending on the day of the week? If yes, arbitrary code runs somewhere in the install pipeline, making the manifest incomplete. The post surveys major package managers — Homebrew, Ruby/Bundler, Python, npm/JS, Rust/Cargo, Go modules, JVM tools, Swift, Zig, Bazel, Haskell, Nix, Guix, and system package managers — against this test. Almost all fail because build scripts, lifecycle hooks, or manifest files that are actually executable programs allow reading the clock, environment, or network. The few that pass (Deno, Go modules, Bazel, Nix, Guix) do so through deliberate design choices that restrict or sandbox arbitrary code execution during install.

From nesbitt.io
Table of contents: Homebrew, Ruby, Python, JavaScript, Deno 🌮, Rust, Go 🌮, JVM languages, Swift, Zig, Bazel 🌮, Haskell, Everything else with a manifest that’s a program, opam and Portage, System package managers, Nix and Guix 🌮
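
Added example, not from the original post: for the npm case, one way to see where an install can fail the Tuesday test is to list the locked dependencies that declare install-time lifecycle scripts. It assumes a package-lock.json with lockfileVersion 2 or 3, where npm records `hasInstallScript: true` on such entries; the sample lockfile and its package names are constructed.

```javascript
// Added example: list locked npm dependencies that can run code at install time.
// Assumption: lockfileVersion 2 or 3, where each entry under "packages"
// may carry "hasInstallScript": true.

function installScriptPackages(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2/3 object with a 'packages' map");
  }
  const marker = "node_modules/";
  const flagged = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;                      // "" is the root project itself
    if (entry.hasInstallScript !== true) continue;  // no install-time scripts recorded
    // Paths nest like node_modules/a/node_modules/@scope/b; keep the last package name.
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    flagged.push({ name, version: entry.version, path, optional: entry.optional === true });
  }
  return flagged.sort((a, b) => a.path.localeCompare(b.path));
}

// Human-readable summary of the flagged packages.
function report(lock) {
  return installScriptPackages(lock)
    .map(p => `${p.name}@${p.version}${p.optional ? " (optional)" : ""}`);
}

// Constructed sample lockfile (package names are made up).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pure-lib": { version: "2.1.0" },
    "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true },
    "node_modules/pure-lib/node_modules/@example/telemetry": {
      version: "0.3.1", hasInstallScript: true, optional: true
    }
  }
};

console.log(report(SAMPLE_LOCK));
```

Packages on this list are the ones whose scripts `npm install --ignore-scripts` would skip.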