Package managers are legion. Every programming language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multilingual projects from expressing precise dependencies across language ecosystems; it leaves external system and hardware dependencies implicit and unversioned; it obscures security vulnerabilities that lie in the full dependency graph. We present the \textit{Package Calculus}, a formalism for dependency resolution that unifies the core semantics of diverse package managers. Through a series of formal reductions, we show how this core is expressive enough to model the diversity that real-world package managers employ in their dependency expression languages. By using the Package Calculus as the intermediate representation of dependencies, we enable translation between distinct package managers and resolution across ecosystems.
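To make the idea of a single resolution core concrete, here is an added toy example (not the paper's formalism, and not code from the authors): it assumes a deliberately simplified core in which every dependency is a pair of a package name and a predicate over version triples, lowers an npm-style caret range and a Python-style comparison list into that one predicate form, resolves a small constructed package universe by backtracking, and then checks the resolved transitive graph against a constructed advisory list. Package names, versions and the advisory are all made up for the illustration; the point is that one package node ("json") receives constraints from two different ecosystems' syntaxes and that vulnerability checking runs over the full resolved graph rather than one ecosystem's lockfile.

```python
"""Toy cross-ecosystem dependency resolver (added illustration, not the paper's calculus).

Assumed core (a simplification): a universe maps package name -> available
versions, and each version -> its dependency list. A dependency is
(name, predicate) where predicate: Version -> bool. Ecosystem-specific range
syntaxes are lowered into that one predicate form, so the resolver itself is
ecosystem-agnostic.
"""
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Pred = Callable[[Version], bool]
Dep = Tuple[str, Pred]
Universe = Dict[str, Dict[Version, List[Dep]]]


def parse_version(s: str) -> Version:
    """'1.2' -> (1, 2, 0); only plain numeric triples are modelled here."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def lower_caret(spec: str) -> Pred:
    """npm-style '^1.2.3' => >=1.2.3 and <2.0.0 (for major 0: <0.(minor+1).0)."""
    base = parse_version(spec[1:])
    upper = (base[0] + 1, 0, 0) if base[0] > 0 else (0, base[1] + 1, 0)
    return lambda v: base <= v < upper


_OPS = {
    ">=": lambda v, b: v >= b, "<=": lambda v, b: v <= b,
    "==": lambda v, b: v == b, "!=": lambda v, b: v != b,
    ">": lambda v, b: v > b, "<": lambda v, b: v < b,
}


def lower_pep440(spec: str) -> Pred:
    """Python-style comma-separated comparisons, e.g. '>=1.2,<2' (subset only)."""
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        op = next(o for o in (">=", "<=", "==", "!=", ">", "<") if clause.startswith(o))
        clauses.append((_OPS[op], parse_version(clause[len(op):])))
    return lambda v: all(f(v, b) for f, b in clauses)


# Constructed universe: "web" and "json" use npm-style ranges, "crypto" uses
# Python-style ranges, and "json" is demanded by both ecosystems at once.
UNIVERSE: Universe = {
    "app": {(1, 0, 0): [("web", lower_caret("^2.1.0")), ("crypto", lower_pep440(">=1.0,<2"))]},
    "web": {(2, 1, 0): [("json", lower_caret("^1.0.0"))],
            (2, 2, 0): [("json", lower_caret("^1.1.0"))]},
    "json": {(1, 0, 5): [], (1, 1, 0): [], (1, 2, 0): []},
    "crypto": {(1, 0, 0): [], (1, 4, 0): [("json", lower_pep440(">=1.2"))], (2, 0, 0): []},
}

# Constructed advisory: pretend every json release below 1.2 is vulnerable.
ADVISORIES: List[Dep] = [("json", lower_pep440("<1.2"))]


def resolve(universe: Universe, roots: List[Dep]) -> Optional[Dict[str, Version]]:
    """Backtracking resolver: highest admissible version first, one version per name."""
    def solve(chosen: Dict[str, Version], pending: List[Dep]) -> Optional[Dict[str, Version]]:
        if not pending:
            return chosen
        name, pred = pending[0]
        rest = pending[1:]
        if name in chosen:  # already picked: the new constraint must agree or we backtrack
            return solve(chosen, rest) if pred(chosen[name]) else None
        for v in sorted(universe.get(name, {}), reverse=True):
            if not pred(v):
                continue
            trial = dict(chosen)
            trial[name] = v
            result = solve(trial, rest + universe[name][v])
            if result is not None:
                return result
        return None  # no version satisfies every constraint seen so far
    return solve({}, list(roots))


def vulnerable(resolution: Optional[Dict[str, Version]], advisories: List[Dep]) -> List[str]:
    """Names of resolved packages matching an advisory, anywhere in the graph."""
    if resolution is None:
        return []
    return [f"{n}@{'.'.join(map(str, resolution[n]))}"
            for n, pred in advisories if n in resolution and pred(resolution[n])]


if __name__ == "__main__":
    print(resolve(UNIVERSE, [("app", lower_pep440("==1.0.0"))]))
    print(vulnerable(resolve(UNIVERSE, [("json", lower_pep440("<1.2"))]), ADVISORIES))
```

Running the module resolves `app` to web 2.2.0, crypto 1.4.0 and json 1.2.0 (the only json release that satisfies both the caret range from `web` and the `>=1.2` requirement from `crypto`); pinning json to 1.0.5 while demanding crypto 1.4.x has no solution, and a root that forces json below 1.2 is reported against the advisory.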