Problem
The packages.json file is getting bigger. It could become slow to parse. It is awkward to edit. It requires contributors to have a GitHub account. It requires PR approval to prevent package hijacking.
Proposal
Precompute index files centrally: a -> k/v map, to look up packages by keyword/tag; Also a -> map. Ship the two indexes as binary/compressed files for fast transfer and fast lookup time.
Run a simple service similar to pypi.org to handle package creation/update and generate the indexes. Initially it could feed from GH and/or use GH as a backend to store the indexes.
future/moonshot goals
Store compressed tarballs of released packages (in case of dead repos).
Check URL / git repo existence before accepting a new package.
Let package owners sign metadata. Also use the signature to allow owners to update/delete packages without having to store logins and passwords.
Verify signed tarballs from GH (and other sources) against the owner pubkey.
A pool of "admin" pubkeys is allowed to update/delete other packages.
A pool of "contributor" pubkeys can vet trusted packages by adding a "vote +1" signature.
Nimble can warn before installing unvetted packages.
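A worked sketch of the ownership and vetting checks proposed above, added here as an example and not code from Nimble or the packages repository: Ed25519 from Go's standard library, with the Entry record, the Pool type and the "vote +1" message prefix all assumed for illustration. Updates are checked against the owner key already stored in the index, never against the owner key an update claims for itself, and a contributor's vote only counts when it verifies over the exact metadata being installed.

```go
package main

import "crypto/ed25519"

// Entry is a constructed, hypothetical index record: canonical metadata bytes, the owner key
// named in it, the key that signed it, the signature, and "vote +1" signatures by contributor key.
type Entry struct {
	Meta          []byte
	Owner, Signer ed25519.PublicKey
	Sig           []byte
	Votes         map[string][]byte // keyed by string(pubkey): one vote per contributor
}

// Pool is a set of trusted public keys (admins or contributors), keyed by string(pubkey).
type Pool map[string]bool

func voteMsg(meta []byte) []byte { return append([]byte("vote +1\n"), meta...) }

// Sign builds an entry signed by priv, declaring owner as the key entitled to change it later.
func Sign(priv ed25519.PrivateKey, owner ed25519.PublicKey, meta []byte) Entry {
	pub := priv.Public().(ed25519.PublicKey)
	return Entry{meta, owner, pub, ed25519.Sign(priv, meta), map[string][]byte{}}
}

// AddVote records a contributor's "+1" over the entry's metadata.
func AddVote(priv ed25519.PrivateKey, e *Entry) {
	e.Votes[string(priv.Public().(ed25519.PublicKey))] = ed25519.Sign(priv, voteMsg(e.Meta))
}

// Authorized reports whether e may replace prev: the signature must verify, and the signer
// must be the existing owner (the named owner for a new package, prev == nil) or an admin.
func Authorized(prev *Entry, e Entry, admins Pool) bool {
	owner := e.Owner
	if prev != nil {
		owner = prev.Owner // the stored owner key, not whatever the update claims
	}
	ok := ed25519.Verify(e.Signer, e.Meta, e.Sig)
	return ok && (string(e.Signer) == string(owner) || admins[string(e.Signer)])
}

// ValidVotes counts trusted contributors whose "+1" verifies; zero means Nimble should warn.
func ValidVotes(e Entry, contributors Pool) int {
	n := 0
	for pub, sig := range e.Votes {
		if contributors[pub] && ed25519.Verify(ed25519.PublicKey(pub), voteMsg(e.Meta), sig) {
			n++
		}
	}
	return n
}
```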
Related to nim-lang/packages#777