<div dir="ltr">Just my $0.01: it seems to me that the direction we're headed with the pkg system would make a great platform for exploring all kinds of practical security issues surrounding code and distribution (building a very nice research program, I mean). We already have good sandboxing facilities and this lets us explore how to best set those up and how to build web-of-trust type stuff on top of that.<div>
<br></div><div>Robby</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 4, 2013 at 1:02 PM, Sam Tobin-Hochstadt <span dir="ltr"><<a href="mailto:samth@ccs.neu.edu" target="_blank">samth@ccs.neu.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Neil,<br>
<br>
You clearly put a bunch of thought into this email, so I think it<br>
needs a response. I've changed the subject to put this in a new<br>
thread.<br>
<br>
On Fri, Jun 14, 2013 at 10:48 PM, Neil Van Dyke <<a href="mailto:neil@neilvandyke.org">neil@neilvandyke.org</a>> wrote:<br>
<br>
> For all of my packages, as well as any package I can imagine, I think that<br>
> the original PLaneT got many things right or close to right:<br>
<br>
Some of these features the new package system has:<br>
<br>
> * Files from a package-version end up grouped together in the directory<br>
> structure, specific to that package-version, and certainly not mixed into<br>
> directories with files from package-versions of different package-names.<br>
<br>
While collections now "splice", this is still true. When I install a<br>
package, it creates a new directory and everything goes there. For<br>
example, 'raco pkg install -i gcstats' produces the directory<br>
`/home/samth/sw/plt/racket/lib/pkgs/gcstats`.<br>
<br>
> * Flat namespace (let's ignore the PLaneT package-owner part for now),<br>
> without attempt to name packages according to some topical ontology.<br>
<br>
This is still true.<br>
<br>
> * Metadata in "info.rkt".<br>
<br>
Also still true.<br>
<br>
> * Some kind of unique package-name controlled by a developer.<br>
<br>
This is true to the same degree it was with Planet. That is, if you<br>
want to register your package at `<a href="http://pkg.racket-lang.org" target="_blank">pkg.racket-lang.org</a>`, then you have<br>
to have a unique name. Otherwise, you can locally install whatever you<br>
want and give it a name that conflicts, or run your own server with<br>
similar consequences.<br>
<br>
Some things are different:<br>
<br>
> * Multiple versions for a given package-name (I'll call them<br>
> package-versions in this email) can be installed, and there is some version<br>
> selection mechanism.<br>
<br>
This is no longer true, and this is where the new system differs from<br>
other systems such as 'npm' as well. I think this was, in fact, a<br>
major _problem_ with Planet, and one that I'm personally glad the new<br>
system doesn't have. I think there are a few problems with what<br>
Planet did:<br>
<br>
1. Many packages can't really work with multiple versions in the same<br>
program, whether because of generative structs, or files used, or many<br>
other issues.<br>
<br>
2. The way Planet versions were selected was mostly hardwired, and<br>
everything was hard to upgrade.<br>
<br>
There were other problems, too, but these are the ones I remember<br>
being most significant.<br>
<br>
However, I _think_ (the documentation is pretty terse) that the<br>
`--scope-dir` option to `raco pkg install` can help you simulate a<br>
more npm-like workflow.<br>
<br>
> I was expecting to use this original PLaneT as a starting point, and evolve<br>
> it in ways like the following...<br>
><br>
> * In addition to the "(planet ...)" require-specs, package-versions also can<br>
> come from "http:", "https:", and "git:" URLs. ("github:" would also be OK.)<br>
> Each such URL would identify trees or a tarball. Then we see how people<br>
> choose the PLaneT server vs. HTTP vs. Git over time.<br>
<br>
Package dependencies can be specified with URLs, which can specify<br>
remote directories, or remote ZIP (or tar etc) files, or local files<br>
or directories, or GitHub repositories. I hope to add support for<br>
arbitrary git remotes soon (if the `git` binary is available).<br>
<br>
> * Maybe improve the version-selection and compatibility support.<br>
> Investigate whether it's worthwhile to separate out the<br>
> backward-compatibility information from the static package-version<br>
> distribution (and especially from the version number), or whether in<br>
> practice there are simpler ways that are satisfactory.<br>
<br>
I think decoupling the source code from the version specification is<br>
exactly the improvement wanted here.<br>
<br>
> * Maybe a facility in "info.rkt" to provide aliases for require specs.<br>
> Otherwise, people writing nontrivial multi-file code that uses other<br>
> packages from PLaneT/whatever end up having to make wrapper modules so that<br>
> we don't goof our require-specs and accidentally depend on multiple<br>
> package-versions for the same package-name. Note that, with URLs, these<br>
> aliases *might* be the only actual package-name construct in the HTTP/Git<br>
> system as distinct from URL similarities of package-versions. This info<br>
> might be implicit in a package-version's "info.rkt"'s reference to a<br>
> previous package-version, perhaps coming from an assertion of compatibility<br>
> info. This might be simpler than it might sound, but it has some<br>
> interesting implications, including for forking and web-of-trust.)<br>
<br>
Again, this is addressed by no longer having Planet's treatment of<br>
versions and require specs.<br>
<br>
> * Simple web-of-trust package-version public-key signing of package-versions<br>
> (e.g., URLs plus hashes of contents), to start with, perhaps initially with<br>
> only centralized repository for signatures. Soon build distributed<br>
> web-of-trust, plus multiple repositories so organizations have option to<br>
> keep their signatures separate. Build mechanisms atop that, including<br>
> advancing the state of the art.<br>
<br>
I think package signing is something we'll eventually need, but I also<br>
don't think it's on the critical path. It's also possible to add to<br>
the package system in the future.<br>
<br>
<br>
> * Automate and simplify releasing in general. With PLaneT, it's been<br>
> not-unusual for even core Racket developers to avoid releasing some add-on<br>
> code to PLaneT, perhaps because the clerical stuff was a headache. For the<br>
> old PLaneT, I was simplifying this with McFly, but with new a package<br>
> mechanism, I would start with that and then ask what clerical parts still<br>
> need help. (For example, if doing development in an SCM repository that's<br>
> accessed directly via require-specs, then releasing a package-version might<br>
> consist mainly of adding a tag/label. <a href="http://planet-lang.org" target="_blank">planet-lang.org</a>'s directory might<br>
> even update automatically, given info about a previously-released<br>
> package-version of the same package-name.)<br>
<br>
The new system is much much much easier to release packages for. For<br>
starters, this is a working package:<br>
<br>
<a href="https://github.com/samth/add-blaster" target="_blank">https://github.com/samth/add-blaster</a><br>
<br>
You can install it with `raco pkg install<br>
github://<a href="http://github.com/samth/add-blaster/master`" target="_blank">github.com/samth/add-blaster/master`</a> (I hope we can make that<br>
command line shorter).<br>
<br>
Second, you can add this to `<a href="http://pkg.racket-lang.org" target="_blank">pkg.racket-lang.org</a>` with a few clicks.<br>
This can be automated once <a href="http://pkg.racket-lang.org" target="_blank">pkg.racket-lang.org</a> has an API. Further, it<br>
automatically updates when the GitHub repository changes.<br>
<br>
> * Use submodule support to support single-file packages, at least for the<br>
> HTTP/Git package-versions. "(module+ info ...)". It seems from Emacs<br>
> history that some people really like the single-file module, it lowers<br>
> barriers, and now submodules give us an easy way to finally do it.<br>
<br>
This is potentially an interesting idea, although the info.rkt file<br>
format is quite restricted to enable reading it without running<br>
arbitrary code, and this might be hard to integrate with submodules.<br>
<br>
> * Do whatever is necessary to avoid blocking the program for<br>
> few/several-minutes while documentation is reformatted, when requiring an<br>
> uncached package-version. Maybe even moving it to an async process that's<br>
> run when idle (Unix "nice"?) would work.<br>
<br>
First, the split between documentation and code for many packages will<br>
help here. Second, I think this is a lower-level issue than the<br>
package system -- in-tree builds have this issue too.<br>
<br>
Also, what program is being blocked here? The installation process? DrRacket?<br>
<br>
> * To put it vaguely: keep things simple in most cases, but don't dumb-down<br>
> in practically restrictive ways, and keep an eye out for places to<br>
> experiment with potential big wins for immediate practice or research. Some<br>
> things I just mentioned above would surely need refinement/exclusion based<br>
> on this principle. For another example, I heard some comments at one point<br>
> about a package name being an interface, and multiple sources being able to<br>
> provide implementations matching that interface. I don't know the current<br>
> plans for that, but I wouldn't make any special mechanism for that. For<br>
> another example, don't try to dumb-down package-names, as if the first<br>
> person to make a package concerning the generic concept "foo" has the<br>
> be-all-end-all package for all things "foo".<br>
<br>
Package names aren't interfaces, but modules names (like `data/list`)<br>
can be thought of that way, and multiple packages can provide the same<br>
one. However, this kind of overlap is discouraged.<br>
<br>
I'm not sure what would be a less 'dumbed-down' but still flat<br>
namespace. Do you have example suggestions? The flat namespace has<br>
worked well with other languages with huge numbers of packages.<br>
<br>
> * Some Web directory of software on "<a href="http://planet-lang.org" target="_blank">planet-lang.org</a>" (with JSON dump and<br>
> maybe query), which includes both PLaneT packages together with the HTTP/Git<br>
> packages that people have chosen to list in the directory. It's a "this is<br>
> all the Racket packages we know about, and probably easier to find via<br>
> search here than via Google." (Eventually, this would be hooked up to the<br>
> site-wide search feature for "<a href="http://planet-lang.org" target="_blank">planet-lang.org</a>", together with other<br>
> categories of other searchable Racket-related info that we identify. Then<br>
> DrRacket search could be hooked up to that.)<br>
<br>
Currently, `<a href="http://pkg.racket-lang.org" target="_blank">pkg.racket-lang.org</a>` doesn't include the contents of<br>
`<a href="http://planet-compat.racket-lang.org" target="_blank">planet-compat.racket-lang.org</a>`, but I suppose it could. It's already<br>
searchable.<br>
<br>
I hope that's helpful for clarifying some of the current design, and<br>
it's great to have feedback from a heavy user of Planet.<br>
<br>
Sam<br>
_________________________<br>
Racket Developers list:<br>
<a href="http://lists.racket-lang.org/dev" target="_blank">http://lists.racket-lang.org/dev</a><br>
</blockquote></div><br></div>