The Future of Managing Swift Dependencies | A New Era for Developers

  • Jun 27 2024
  • 30 mins
  • Swift, Swift Package Index, Dependency Management

Things you’ll learn

  • Expert Insights: Hear directly from Dave Verwer, co-creator of the Swift Package Index, about its development and the potential future of a Swift Package Registry.
  • Feature Showcase: Learn about Cloudsmith's new Swift capabilities, including package hosting, vulnerability scanning, dependency management, policy management, and package distribution.
  • Stay Ahead: Consolidate all of your teams and activity into one central platform, increase productivity and simplify software artifact management with Cloudsmith's new support for Swift.


Dave Verwer
Co-creator, Swift Package Index
Liana Ertz
Product Manager, Cloudsmith
Dom Katavic
Senior Software Engineer, Cloudsmith


Special guest Dave Verwer, co-creator of the Swift Package Index, will join us to discuss his role in developing the Swift Package Index for the community and the potential future of a Swift package registry. We will showcase Cloudsmith's newly released support for Swift, highlighting features like package hosting, vulnerability scanning, dependency management, and policy management. Discover how Cloudsmith's new capabilities can revolutionize the way Swift developers manage dependencies. Don't miss this opportunity to stay ahead in the ever-evolving world of Swift!


  1. 00:00:00
    Liana Ertz: Hey everyone and welcome to today's webinar on the future of managing Swift dependencies. We're thrilled to have you with us. My name is Liana Ertz and I'm a product manager here at Cloudsmith and your host for the session today. So today we've got a great session lined up for you all.
  2. 00:02:56
    Liana Ertz: I'm delighted to be joined by Domagoj Katavic, who is one of our senior software engineers and one of the key members of the team that helped deliver our new Swift support. I'm also delighted to be joined by Dave Verwer, a co creator of the Swift Package Index. As well as being a co creator of the Swift Package Index, Dave is the creator of iOS Dev Weekly and an independent and freelance writer and iOS developer.
  3. 00:03:17
    Liana Ertz: So welcome to both of you, and thank you so much for joining us today. If anybody Nice to be here, thanks. Brilliant. Thanks, Dave. If any of you joining have any questions throughout the session, then please feel free to drop them into the chat. And if you're watching us on LinkedIn, Twitter, or YouTube, then please be sure to give us a like and a repost.
  4. 00:03:37
    Liana Ertz: So I think we can jump right in. Dave, maybe you can start us off by just giving us an overview of Swift and the significance it has today in software development.
  5. 00:03:44
    Dave Verwer: Sure thing. So Swift, I mean, it still in some ways feels like a new language, but it actually just celebrated its 10th anniversary.
  6. 00:03:51
    Dave Verwer: So, been around for 10 years. It's it's, I don't think it can be called a young language anymore. So it is a it is often associated with Apple platform development, iPhone apps, Mac apps but it is a general purpose programming language that also supports non Apple platforms. Linux support has been around for a long time now.
  7. 00:04:11
    Dave Verwer: And there's, there's support also for Windows which is a more recent development but also for WebAssembly as well. It can run on everything from obviously laptops and desktops and phones and tablets right through to embedded systems that can be doing it, going anywhere from the smallest.
  8. 00:04:31
    Dave Verwer: I think I, I read the other day that it can run on a, the smallest Raspberry Pi, the Pico, is it? Which is a tiny, tiny little machine. So it really is a general purpose language. It's also a very modern language. So it has lots of features around safety. So there's a big, well, there used to be a big problem with, with before Swift came along with, with referencing kind of null pointers and things like that.
  9. 00:04:53
    Dave Verwer: There's, there's none of that with Swift. It's a, it's a modern safe strongly typed language. That that, yes. And then recently Swift 6, which is just in beta at the moment. So this is a new version that's coming along. The big focus for Swift 6 is on concurrency. Not adding concurrency, that's been around for a little while, but safety in concurrency.
  10. 00:05:16
    Dave Verwer: So if you switch the Swift 6 language mode on in the Swift 6 compiler, you can get warnings when you write code which is prone to data races, and if you have none of those warnings, then your code is data race safe, kind of guaranteed by the compiler. So, yeah, that's a quick, quick overview of a little bit of history and also where it's going.
  11. 00:05:39
    Liana Ertz: Brilliant. And yeah, it's definitely clear to see that Swift is only growing in popularity. It's crazy to think 10 years it's already been around. So what, what led you to begin creating the Swift Package Index?
  12. 00:05:52
    Dave Verwer: So before the Swift package manager arrived, so Swift as a language was introduced before there was a package manager for it, a native package manager for it.
  13. 00:06:01
    Dave Verwer: There was a community-run package manager called CocoaPods. And what that did was it had the mechanism for both including the packages, the dependencies in your application, but it also had a website where you could search for and read information about the packages and that kind of thing.
  14. 00:06:19
    Dave Verwer: So they were kind of combined together. When Apple package manager as a native package manager for Swift. It, it purely did the the, the, the mechanics of bringing the dependencies into your application and building them. And so I thought, well, I wonder if there's, There's going to be a need for a front end to this where we're indexing packages, looking, helping developers find the best packages to, to, to meet their dependency needs.
  15. 00:06:49
    Dave Verwer: And so that was the idea behind it originally. And that we, well, I, I made a, a small prototype of that in 2019, but the Swift package index as it is started in early 2020. And has sort of established. And has been growing over the last four years. Yeah.
  16. 00:07:10
    Liana Ertz: Okay, nice. And what are some of the main benefits that the Swift community can get out of the Swift Package Index?
  17. 00:07:17
    Dave Verwer: Sure. So I think There are a couple of really key things that we do. The first is package discovery. So, if you have a need for a dependency in your application, on any platform we have search, and we have lots and lots of Swift specific metadata. So, things like we're looking in in fact actually to take the example I used in the introduction there of Swift.
  18. 00:07:42
    Dave Verwer: We've just recently implemented a feature that looks at your package and checks it for these data race errors. And so we're showing on the package metadata page this package is free from data race errors or not yet free from data race errors. So lots of very Swift specific metadata. All designed to help you make a quick decision on whether you want to investigate a package further.
  19. 00:08:07
    Dave Verwer: So, for example, the kind of thing we concentrate on is how old is this package? Is it recently maintained? Has it had lots of releases? Is it, is it a, young package. Is it a mature package? Who wrote it? We, we serve as author information. So lots and lots of metadata like that. We also track all the versions of that package as well.
  20. 00:08:29
    Dave Verwer: So you can instantly see whether there is a stable release. Is there a current beta release for that package? Is it just operating off the main branch or something like that? Instantly accessible. And then one of the big things that we do, which is kind of hidden behind the scenes, a lot of it is behind the scenes, and it's surfaced in a tiny little matrix on the package page, but there's a lot behind that, is we're running constant compatibility builds on a kind of CI system that we have behind the scenes.
  21. 00:09:00
    Dave Verwer: So every time a package author pushes a new version of a package, either a new tagged version, or if they just push to their default branch, we will grab that version of the package, we will compile it for a huge permutation of, of platforms and Swift versions. So we use the most recent four Swift versions, and I think we're currently on six different platforms, iOS, macOS, visionOS, watchOS, tvOS, Linux.
  22. 00:09:29
    Dave Verwer: And we do compilations for all Swift versions and all platforms, and we build up a set of compatibility information. So, you can know for sure, because we've compiled it and had a successful compilation, that it does work with Swift 5.10, it does work with Swift 6, it does work on iOS. And so that's a huge thing, and that actually allows us to build the next big feature package in Next, which is we also host documentation.
  23. 00:10:00
    Dave Verwer: Apple have a documentation system called DocC, which is an open source project that Apple created. And what that will do is it will take code comments in your package and build you an HTML version of the documentation, a documentation site for your, for your package.
  24. 00:10:17
    Dave Verwer: What we'll do is we'll take care of hosting that and building it and generating it for you. If you opt in as a package author, just literally just switch it on with a, by telling us what, telling us to generate your documentation basically, we will build that, build your package and then generate your documentation and host it.
  25. 00:10:39
    Dave Verwer: We also host all the old versions of your documentation automatically. So the whole thing is just completely taken care of for you. And that, that's really where we're seeing a lot of growth at the moment is in, in documenting people. Moving their documentation into the Swift Package Index.
  26. 00:10:55
    Liana Ertz: Okay, nice. And when we're talking about Swift, the terms like index and registry are often talked about. Can you maybe discuss just a little bit of what the difference is between these two terms in relation to the Swift community?
  27. 00:11:07
    Dave Verwer: So, it is a, a potentially confusing subject because it's it's in some pa in some languages package management is environments, they are the same thing.
  28. 00:11:17
    Dave Verwer: But the Swift, they, in, in Swift, in the Swift environment, they are kind of separated apart a little bit. And there is a one or more package registries that are a, that you're able to use with, with the Swift package manager. And a package registry is the kind of artifact storage of the built, the built versions of a package, like this is package A version 1.1.
  29. 00:11:44
    Dave Verwer: It was published as package A version 1.1. And it's not coming from a Git repository. Swift Package Manager can also pull packages from a Git repository and not use a registry. And that's generally how people have been operating so far. But now we have the ability to have registries that have kind of repositories of lots of kind of packages ready to go.
  30. 00:12:09
    Dave Verwer: All not using Git anymore. The artifacts are actually stored in the registry. A package index sits on top of all those registries. So, I can run a registry, you can run a registry, somebody else can run a registry, everybody can run registries. And SwiftPM can also pull from Git repositories. And the index, what we see as our job, is to aggregate all those things together and provide a way for people to find the packages that are in those registries.
  31. 00:12:39
    Dave Verwer: So, the Swift Package Index is not currently serving any files for the packages themselves, currently they're all coming from GitHub. So when you add the package, we give you the GitHub URL. You put that into Xcode or your package manifest, and it will pull directly from GitHub. In the future, you could also put a
  32. 00:13:00
    Dave Verwer: package registry identifier in there and pull that data from a registry. But the index is kind of on top of all of that together.
  33. 00:13:09
    Liana Ertz: Okay, nice. And I guess just while we're touching on the topic of Swift registry, can you give us maybe your thoughts on the potential of a future you see there? And do you see a project like that as kind of a natural advancement for the community and kind of what's to come in the future?
  34. 00:13:26
    Dave Verwer: I mean, registries include several really key features that are very important for a secure and performant package ecosystem. So when, and this was, this is part of the registry spec, so part of the package registry specification, that if you make a package registry you must implement this as well, is that packages must be immutable so that, so currently with a Git repository you could push a version 1.0
  35. 00:13:57
    Dave Verwer: of your package and then because Git repositories, because Git repositories can have their tags moved through history, you could change what that version 1 was pointing at, which is obviously a kind of, a problem. I think well, it's less than ideal. Let's put it that way. Registries are kind of immutable, but once, once a package is, is set into the registry, then you know that you're getting the version as it was published by the package author at the time that they decided to publish it.
  36. 00:14:32
    Dave Verwer: So security, supply chain security, that whole, it's a, it's an enormous topic and, and registries really, really help with that problem. The second one is performance. So rather than pulling down an entire Git repository with all the history and all the rest of it, you're just pulling down just the artifacts that you need into your machine so that you can build those packages.
  37. 00:14:55
    Dave Verwer: So I think those are the main, the main advantages.
  38. 00:14:59
    Liana Ertz: Okay, brilliant. And then what about the, the kind of the pain points that you've found with the Swift package index and, and maintaining it over time?
  39. 00:15:08
    Dave Verwer: I mean, every project that you, that you build comes with pain points, right? If it was, if it were easy, you wouldn't be doing it. I think, I think it's the kind of thing that obviously as an open source project, because the Swift package index is itself the, a large part of, of, of running a successful open source project is finding the time and the resources to keep it going. And we're very lucky to be supported by several corporate sponsors, including Apple, and they kind of keep us able to constantly kind of improve it and work on this.
  40. 00:15:39
    Dave Verwer: We also have a lot of infrastructure support from Microsoft Azure and MacStadium. And so, so there are, it's, it's more than just the two of us. So I have my, my partner in crime Sven Schmidt, who also works on the project with me. He was not here today, but it's absolutely instrumental to the project and, and we have, but we have behind us contributors and supporters that kind of keep the project moving forward.
  41. 00:16:05
    Dave Verwer: And I think, I think one thing that has come, become apparent to us that maybe wasn't apparent when we first started was how much of a an ops problem running a site like this would be, especially as soon as we, so running a website is okay. You serve some web pages, you have a database. It's all kind of like, we've all done that before.
  42. 00:16:24
    Dave Verwer: But once we started to build this build management system on the back end, and then the documentation building system on the back end, it is, it is a constant job to kind of keep that stuff operational. So, but, but we do so yeah, we do.
  43. 00:16:40
    Liana Ertz: Yeah. And like you said, if everything was easy, then no one would do it.
  44. 00:16:43
    Liana Ertz: So and then I guess if you had kind of a list or a wishlist for the future of the Swift Package Index, what, what's top of that? What, what would you have on that list?
  45. 00:16:55
    Dave Verwer: I think from here it's, it's about growth in terms of obviously the package ecosystem itself is growing. Swift Package Manager has been around for a little while now but it has really started to pick up speed in terms of adoption in the last few years.
  46. 00:17:10
    Dave Verwer: And so we're seeing huge growth in the package ecosystem. But we're also seeing, seeing growth in things like documented packages. So the, the number of packages that, that adopt our documentation hosting system as they add themselves to the registry. Sorry, you know how confusing indexes and registries are?
  47. 00:17:30
    Dave Verwer: I've just used the wrong word.
  48. 00:17:35
    Dave Verwer: So as people add themselves to the index we kind of advertise that you can also have us compile your documentation for you and, and that's really working. People are opting in and what we're hoping to create is a really dependable package ecosystem for Swift. That's what's really important to us.
  49. 00:17:54
    Dave Verwer: Having the support of the package authors, so supporting the package authors in allowing their packages to be discovered, supporting them in terms of allowing us to take care of what can be quite, it's a tricky process of getting documentation hosted on other sites, whether it's your own website or GitHub Pages or something like that.
  50. 00:18:14
    Dave Verwer: So we see, we see lots of growth in, in all those areas. And then we're also doing projects like, we actually just launched a project about two weeks ago, which is again to kind of help the ecosystem get on top of new Swift features. So, as I mentioned, in Swift 6 there are these data race safety warnings.
  51. 00:18:34
    Dave Verwer: And we have a separate page on our package index website, which is tracking the progress of all packages in the entire ecosystem as they, as they fix some of the data race errors. We can see it literally because we're constantly building these packages in the background. We can see the package index, the package ecosystem becoming more data race safe.
  52. 00:18:57
    Dave Verwer: So little kind of individual projects like that as well.
  53. 00:19:00
    Liana Ertz: Okay, nice. Yeah, I was just going to say just just as we're on it, is there anything you kind of want to share in terms of what you guys are working on this year or things that the community can can hope to see in advancements to the Swift package index or everything you're doing around documentation?
  54. 00:19:17
    Dave Verwer: Yeah, I think if you're going to go and have a look at the package index at the moment, the most recent thing that we have for you is, is the Ready for Swift 6 page, which is linked prominently in a banner on the homepage of the package index site, and will be for the remainder of the summer, because this is, this is the summer's project.
  55. 00:19:34
    Dave Verwer: In fact, right now, as we speak, we're processing 90,000 builds using the, the fresh beta of Xcode, which just came out yesterday. So we kicked off a whole new set of compatibility testings and they're currently crunching away providing results as, as, as we go.
  56. 00:19:53
    Liana Ertz: Okay, brilliant. Well, thank you so much for those insights, Dave.
  57. 00:19:57
    Liana Ertz: I think this is probably a good segue kind of into the next topic that we just wanted to chat about, which is the details on Cloudsmith's new support for Swift. So as I mentioned at the beginning of the session, Dom here was pivotal in helping deliver our new Swift support. So Dom, if I can pass it over to you and maybe have you talk to us a little bit about how Cloudsmith's new support for Swift can help make a developer's life a little bit easier.
  58. 00:20:21
    Domagoj Katavic: Yeah. So there are a few benefits. They've already mentioned some of them. So for example, performance improvement, so dependency resolution is going to be much more efficient. You are essentially issuing a few HTTP calls instead of running git clone for each package. Then you're going to have immutable artifacts.
  59. 00:20:38
    Domagoj Katavic: And another thing they mentioned, which is like a really big thing is securing your software. I'm going to just demo what we are doing regarding that. So for each package we're going to run the malware scan. We're going to run the security detection and let me demo that.
  60. 00:20:59
    Domagoj Katavic: Okay, cool. So this is the Swift registry we have. I have uploaded three popular Swift packages. And what you can notice is that there is a badge next to the name. Green badge. It usually means okay. The red one means we found some vulnerabilities on a package. And on Apple's package, Swift NIO HTTP2, we found some vulnerabilities.
  61. 00:21:20
    Domagoj Katavic: And don't worry, this is an older version of our package. The latest one has these vulnerabilities fixed. So in this scan step, like, we're gonna surface what we found in this case. So we found that this package is vulnerable. We found five vulnerabilities and the maximum severity. And usually what you want to do in this scenario is you want to evaluate each one of these vulnerabilities.
  62. 00:21:41
    Domagoj Katavic: So that's why we surface information like CVE information details, like what's the fixed version, if it's available, extra references for you to investigate. And to keep your registry safe, you don't want to do these actions manually and then remove a package. You want to automate all of this. And that's why we built the vulnerability policies.
  63. 00:22:03
    Domagoj Katavic: So the purpose of that is to automatically block downloads of every package on the registry that meets some vulnerability criteria. So in this example, I'm going to create a vulnerability policy. You can scope what you're going to target with the package query, and then you can set a vulnerability threshold.
  64. 00:22:23
    Domagoj Katavic: So if I set it to high, it's going to block Apple's package from downloading. And similar to this, we built the license policies. So you want to probably block some packages that have some really expensive licenses. And in that case, you can easily create a license policy and you can select which licenses you want to block.
  65. 00:22:47
    Domagoj Katavic: And another benefit from moving from Git to registry is it gives you a possibility to control your distribution network. So let's say if you have clients that are consuming your private packages, you probably want to control what they are downloading and how often they are downloading. So for that purpose, we built entitlement tokens.
  66. 00:23:07
    Domagoj Katavic: You can create a token per client, for example, and on each token you can apply visibility restrictions. So that means what can a client download, and then usage restrictions. So that means how frequently can they download something, and you can enforce requiring EULA policies for that. Yeah, and the last benefit I want to mention is the upstream proxying.
  67. 00:23:32
    Domagoj Katavic: So at the moment there is no canonical Swift registry. Something like, let's say, PyPI or npm, but we built this feature. So what it allows you to do is to create an upstream for any Swift registry, be it private or public. And I have this example Cloudsmith registry. It's got only one package, so it's not going to be of a lot of use for now, but you can, it's super easy to set up.
  68. 00:23:57
    Domagoj Katavic: You can select a mode for it and then authentication.
  69. 00:24:00
    Domagoj Katavic: And just the last bit, I'm going to just show how easy it is to set up a Swift registry. We have contextual docs and you are required only to run two commands. First one is swift package-registry set, which sets the registry, and then the second command is login to log in.
  70. 00:24:17
    Domagoj Katavic: And the only thing, the only change you need to do on your manifest file is change the Git URL of a package with an ID. So in this example, I have a Swift app with two Swift packages and I'm gonna run swift build to build an app from using dependencies from the Cloudsmith registry. Yeah, and you can see it running here.
  71. 00:24:41
    Domagoj Katavic: Yeah, I hope this is enough to entice developers to give it a try.
  72. 00:24:49
    Liana Ertz: That's amazing. Thank you so much, Dom, for that overview and demo. And Dave, also, just a massive thank you today for sharing your insights and perspective. It's really great to kind of get your thoughts and hear everything that you have to say about where the Swift Package Index is going and, and kind of just what a great contributor you've been to that community.
  73. 00:25:08
    Liana Ertz: So thank you so much for your time to chat. So, I'm not sure if either of you guys have any kind of closing thoughts or comments. But I do want to say a massive thank you to both of you for giving us your time today.
  74. 00:25:22
    Dave Verwer: More than welcome. Thank you.
  75. 00:25:24
    Liana Ertz: Brilliant. So if any of you would like to learn any more about Cloudsmith we've got an awesome platform overview demo.
  76. 00:25:30
    Liana Ertz: You can watch it on demand anytime. You just need to scan the QR code below. But also feel free to reach out to us directly. We're always, always happy to chat. So again, thanks Dom and Dave and thank you all for joining today. Hope everyone has a great day. Thanks guys.