[racket] Worried about the new package manager not storing each version of a package

From: Jay McCarthy (jay.mccarthy at gmail.com)
Date: Mon Aug 26 08:36:09 EDT 2013

On Mon, Aug 26, 2013 at 12:57 AM, Lawrence Woodman
<lwoodman at vlifesystems.com> wrote:
> Hello,
> I have been really impressed with Racket after using it for a month, but am
> worried about the move away from a central repository for storing each
> version of a package.  I can see the advantage and simplicity of the new
> system, but worry that relying on package creators to manage their packages
> correctly could be creating a house of cards and see several problems with
> this:
>     i.  If a package owner releases a change that breaks the API
>         (intentionally or unintentionally), then the packages and
>         applications that depend on it will no longer function and will be
>         unable to do anything about it. If each package version was stored
>         then anything that depended on it could specify that it needs a
>         previous version to work.

The users can do something. They can save their old version before
they upgrade and not continue if there is a problem. The package
system definitely supports "trials" like this, because it's easy to
locate the files you downloaded for the package. I don't recommend
blind updates in any package system.

>     ii. If the owner of a package stops hosting it then the scenario above
>         would again happen.

If a developer does not want to maintain or host a package, then I do
not feel we have the right to obligate them to do so or to allow us
to. If they license their code in a compatible way, however, a
passionate user could take it over.

>     iii.  When used with github, most people will point to their master
>          branch, which if being used collaboratively could be quite
>          unstable.  The users of the package probably won't have any
>          knowledge of this and will only find out when their applications
>          or packages keep breaking.  The easiest way of thinking about
>          this is if we were all forced to work with the latest commits
>          from the master branch of Racket and there were no versioned
>          releases.

I'm not sure what "most people" will do and I don't think I can
control it. People can point to master or they can use a different
"stable" branch. It's their choice and your choice as a user whether
you want to patronize packages that seem unstable.

>     iv.  It is hard to identify bugs and fix bugs while supporting users of
>          a package if you can't identify which version they are using.

You can ask users for the output of "raco pkg show" which contains the
checksum, which is the exact set of source they used.

> This is such a cause for concern to me because I'm developing an open source
> application to be used commercially and need to be able to maintain a
> certain level of stability.  I could just keep copies of stable packages,
> but this strikes me as going against the simplicity intended for the new
> package manager.

I'm not sure what you mean by "keep copies", but if you mean "install
working code and then test new releases of my dependencies before
upgrading everything", I think it is exactly the simplicity intended
by the package system.

> If Racket is to have any level of success commercially then there will be
> a lot more people and companies worried about this and hence it could
> really stifle commercial adoption.
> Has any thought been given to any of these problems and are there any plans
> to mitigate them?
> One easy improvement, when using github, is to allow/ensure package owners
> point to a specific release/tag .zip file and not worry about the checksum
> as nothing is going to change until a new release/tag is specified.

github sources do support pointing to a release or tag, because they
are the same as branches.


> Best wishes
> Lorry
> --
> vLife Systems Ltd
> Registered Office: The Meridian, 4 Copthall House, Station Square, Coventry,
> CV1 2FL
> Registered in England and Wales No. 06477649
> http://vlifesystems.com
> ____________________
>  Racket Users list:
>  http://lists.racket-lang.org/users

Jay McCarthy <jay at cs.byu.edu>
Assistant Professor / Brigham Young University

"The glory of God is Intelligence" - D&C 93

Posted on the users mailing list.
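
Added example (not part of the original message, and not Racket's own code): one way to act on two points from the reply above, keeping the versions you tested and identifying the exact source by its checksum. It compares a package listing against checksums recorded at test time; the listing text, its name/checksum/source column layout, the package names and `PINNED` are constructed assumptions.

```python
import re

# Constructed sample. The name/checksum/source column layout is an assumption
# about the listing, not output captured from a real installation.
SAMPLE_SHOW_OUTPUT = """\
User-specific for installation "example":
 Package     Checksum                                  Source
 alpha-lib   1111111111111111111111111111111111111111  (url "https://example.invalid/alpha-lib.zip")
 beta-lib    2222222222222222222222222222222222222222  (url "https://example.invalid/beta-lib.zip")
 gamma-lib   33333333                                  (url "https://example.invalid/gamma-lib.zip")
 delta-lib   4444444444444444444444444444444444444444  (url "https://example.invalid/delta-lib.zip")
"""

# Checksums recorded when each dependency was last tested (constructed values).
PINNED = {
    "alpha-lib": "1" * 40,
    "beta-lib": "b" * 40,   # installed copy has moved since it was tested
    "gamma-lib": "3" * 40,  # listing shows only a truncated prefix
    "omega-lib": "9" * 40,  # pinned but no longer installed
}

# A data row: indented name, hex checksum, then the source description.
ROW = re.compile(r"^\s+(\S+)\s+([0-9a-f]{7,64})\s+(\S.*)$")

def parse_show(text):
    """Return {package: (checksum, source)} for every row carrying a hex checksum."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # scope banners and the column header do not match
            rows[m.group(1)] = (m.group(2), m.group(3).strip())
    return rows

def audit(text, pinned):
    """Classify installed packages against the pinned checksums."""
    installed = parse_show(text)
    report = {"ok": [], "changed": [], "unpinned": [], "missing": []}
    for name, (checksum, _source) in sorted(installed.items()):
        if name not in pinned:
            report["unpinned"].append(name)   # installed but never reviewed
        elif pinned[name].startswith(checksum):  # also accepts a truncated listing
            report["ok"].append(name)
        else:
            report["changed"].append(name)    # source differs from what was tested
    report["missing"] = sorted(set(pinned) - set(installed))
    return report

if __name__ == "__main__":
    for status, names in audit(SAMPLE_SHOW_OUTPUT, PINNED).items():
        print(f"{status:9} {', '.join(names) or '-'}")
```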