[racket] Worried about the new package manager not storing each version of a package

From: Lawrence Woodman (lwoodman at vlifesystems.com)
Date: Mon Aug 26 02:57:05 EDT 2013


I have been really impressed with Racket after using it for a month, but am
worried about the move away from a central repository for storing each
version of a package.  I can see the advantage and simplicity of the new
system, but worry that relying on package creators to manage their packages
correctly could be creating a house of cards and see several problems 
with this:

     i.   If a package owner releases a change that breaks the API (intentionally or
          unintentionally), then the packages and applications that depend on it will no
          longer function and will be unable to do anything about it. If each package
          version was stored then anything that depended on it could specify that it
          needs a previous version to work.

     ii.  If the owner of a package stops hosting it then the scenario above would again

     iii. When used with github, most people will point to their master branch, which
          if being used collaboratively could be quite unstable.  The users of the package
          probably won't have any knowledge of this and will only find out when their
          applications or packages keep breaking.  The easiest way of thinking about this
          is if we were all forced to work with the latest commits from the master branch
          of Racket and there were no versioned releases.

     iv.  It is hard to identify bugs and fix bugs while supporting users of a package if
          you can't identify which version they are using.

This is such a cause for concern to me because I'm developing an open source
application to be used commercially and need to be able to maintain a certain level
of stability.  I could just keep copies of stable packages, but this strikes me as
going against the simplicity intended for the new package manager. If Racket
is to have any level of success commercially then there will be a lot more people
and companies worried about this and hence it could really stifle commercial adoption.

Has any thought been given to any of these problems and are there any plans
to mitigate them?

One easy improvement, when using github, is to allow/ensure package owners point to a
specific release/tag .zip file and not worry about the checksum as nothing is going to
change until a new release/tag is specified.

Best wishes


vLife Systems Ltd
Registered Office: The Meridian, 4 Copthall House, Station Square, Coventry, CV1 2FL
Registered in England and Wales No. 06477649

Posted on the users mailing list.
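The post's closing suggestion (point a dependency at a release tag's .zip rather than a branch) and its list of breakage scenarios can be illustrated with a small pinning model. The following is an added example written for this page; it is not code from the post, the mailing list, or Racket's own package manager (raco pkg), and the names `Dependency`, `FakeHost`, `pin` and `resolve` are hypothetical. The git host is an in-memory stand-in constructed so the example runs offline; branch content advances as commits land, and a tag can also be deleted and re-created elsewhere, which is what recording a checksum at pin time guards against.

```python
"""Pinning a package source to a ref plus a content hash (constructed example).

The host below is an in-memory stand-in for a git hosting service that serves
a .zip archive per ref, so nothing here touches the network. Class and function
names are hypothetical and do not mirror any real package manager's API.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


class ChecksumMismatch(Exception):
    """Raised when the bytes served for a pinned ref no longer match the recorded hash."""


@dataclass(frozen=True)
class Dependency:
    source: str                   # constructed, e.g. "github:example/lib"
    ref: str                      # branch name or release tag
    sha256: Optional[str] = None  # recorded at pin time; None means "trust whatever the ref serves"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeHost:
    """In-memory stand-in for a git host: one archive (bytes) per ref name."""

    def __init__(self) -> None:
        self.archives: Dict[str, bytes] = {}

    def push(self, ref: str, archive: bytes) -> None:
        # Advancing a branch and re-pointing a tag look identical to a client
        # that only fetches "the archive for ref X".
        self.archives[ref] = archive

    def fetch(self, ref: str) -> bytes:
        try:
            return self.archives[ref]
        except KeyError:
            raise LookupError(f"no archive for ref {ref!r}") from None


Fetcher = Callable[[str], bytes]


def pin(dep: Dependency, fetch: Fetcher) -> Dependency:
    """Return a copy of ``dep`` carrying the hash of what the ref serves right now."""
    return replace(dep, sha256=sha256_hex(fetch(dep.ref)))


def resolve(dep: Dependency, fetch: Fetcher) -> bytes:
    """Fetch the archive for dep.ref; if a hash was recorded, refuse anything else."""
    archive = fetch(dep.ref)
    if dep.sha256 is not None:
        actual = sha256_hex(archive)
        if actual != dep.sha256:
            raise ChecksumMismatch(
                f"{dep.source}@{dep.ref}: expected sha256 {dep.sha256[:12]}..., "
                f"got {actual[:12]}..."
            )
    return archive


def demo() -> dict:
    """Walk through the branch-vs-tag scenarios and return what each resolution yielded."""
    host = FakeHost()
    host.push("master", b"lib v1.0.0 sources")
    host.push("v1.0.0", b"lib v1.0.0 sources")

    # One consumer points at master with no hash ("use whatever is there");
    # the other points at the release tag and records the hash when pinning.
    on_branch = Dependency("github:example/lib", "master")
    on_tag = pin(Dependency("github:example/lib", "v1.0.0"), host.fetch)

    # Upstream lands an API-breaking commit on master; the tag is untouched,
    # so the tag-based consumer keeps getting the bytes it was tested against.
    host.push("master", b"lib v2.0.0 sources (API changed)")
    results = {
        "branch_after_breaking_commit": resolve(on_branch, host.fetch),
        "tag_after_breaking_commit": resolve(on_tag, host.fetch),
    }

    # The tag is deleted and re-created on the new commit. Without the recorded
    # hash this would be accepted as silently as the branch change was.
    host.push("v1.0.0", b"lib v2.0.0 sources (API changed)")
    try:
        resolve(on_tag, host.fetch)
        results["tag_retagged"] = "accepted"
    except ChecksumMismatch:
        results["tag_retagged"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design point is that a tag name alone is a mutable reference from the client's perspective (the host serves whatever the name currently points at), whereas the pair (ref, hash) identifies exact content; recording the hash once at pin time costs nothing on later updates, because it only changes when the consumer deliberately moves to a new release.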