[racket-dev] dependencies and racket

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Thu Dec 29 21:50:51 EST 2011

Daniel Farina wrote at 12/29/2011 07:59 PM:
> The goal is that a program written, say, three
> years ago should be able to run the same way it did when it was
> written, so it's really useful to freeze all the dependencies into the
> file system somehow and preserve it.

Someone else can comment on any automated ways of ``compiling in'' 
PLaneT packages, and solutions like that.

A so-so solution I *don't* recommend... If you preserved the exact 
PLaneT linkage table, and were very careful, then I think you could 
preserve the exact versions of PLaneT modules used ("required" directly, 
and indirectly).  This assumes either: (1) integrity of the PLaneT 
server, and trust in your connection to it; or (2) preservation of the 
pertinent parts of "~/.racket".  Then you'd want to disable attempts to 
access the PLaneT server.  Perhaps, if you were to automate this, it 
could be done safely and reliably.

Something that has been done for a large Racket-based Web app on 
production servers is to manually determine all the PLaneT packages that 
are used, downloaded and extract these packages (in a directory scheme 
that preserves naming and version info), check it all into their 
configuration management system, change all the PLaneT module references 
to filesystem ones, check it into CM again, and audit.  PLaneT server 
access is always blocked, except for the manual download.  You can make 
simple tools to help automate the more mechanical parts of this (I don't 
know of any such tools publicly available at this time), but the audit 
is mostly human expertise-intensive.  This  cloning of PLaneT packages 
is not something that most people need to do, and it totally spoils the 
buzz of ``I'll just add a "(require (planet ...))" and bam!,'' but it's 
not too hard to do if you choose to.

PLaneT isn't my baby (I think Jay and Eli are leading it right now), but 
I'm looking into funding so that I can put solid chunks of time into 
helping with ways to improve PLaneT security.  Security is usually a 
constant consideration in my Internet consulting work.  Part of this 
tentative work will address your concerns about stability, and (in my 
current thinking) about having the option of removing PLaneT server 
dependencies for an app.  Much of this work has implications for some 
other network software distribution methods, so PLaneT is both a 
research testbed and an early practical beneficiary (much like Racket in 
general).  Stay tuned (I have a lot more experience in solving problems 
than in writing research grant proposals).


Posted on the dev mailing list.