| 1 |
On 11/20/2014 04:03 AM, Rich Freeman wrote: |
| 2 |
> On Wed, Nov 19, 2014 at 7:36 PM, hasufell <hasufell@g.o> wrote: |
| 3 |
>> |
| 4 |
>> But keep in mind that the core is supposed to shrink with this idea of a |
| 5 |
>> distributed model! So it would be less work to actually roll/tag |
| 6 |
>> releases than it would be right now (or even do that stuff in branches). |
| 7 |
> |
| 8 |
> This doesn't really make the issue go away. Are all dependencies |
| 9 |
> going to have to stay in the core? |
| 10 |
|
| 11 |
no, why? |
| 12 |
|
| 13 |
> That is a lot of packages, and |
| 14 |
> we'll need lots of controls so that updates to those dependencies |
| 15 |
> don't break all of these distributed repos whose existence we may not |
| 16 |
> even be aware of. |
| 17 |
> |
| 18 |
|
| 19 |
You are exaggerating, imo. We already have these breakages in the tree, |
| 20 |
because a lot of teams do not communicate, including security bug fixes |
| 21 |
on libraries that break 20+ packages of a different subsystem (including |
| 22 |
stable packages, multiple times). |
| 23 |
Also, no one tests all reverse deps when bumping a package in ~arch. |
| 24 |
|
| 25 |
Whether these packages live in one repository or several almost doesn't |
| 26 |
make any difference, as long as there is communication. |
| 27 |
|
| 28 |
It took me 5 minutes to communicate that libsdl2 is not going to be |
| 29 |
slotted in the tree to all major overlays that had libsdl:2 packaged. |
| 30 |
They fixed it within 30minutes. That's ~50 times faster than what I |
| 31 |
expect in the tree. |
| 32 |
|
| 33 |
It's not really an issue to have communication channels and a community |
| 34 |
infrastructure for those things. |
| 35 |
|
| 36 |
Sure, these things sound scary if you imagine overlays with 10+ overlay |
| 37 |
dependencies. |
| 38 |
But first of all, you don't really depend on an overlay just because you |
| 39 |
need a few packages from it. If it matters where that package actually |
| 40 |
comes from, then there is either something wrong with your own package |
| 41 |
(e.g. because it requires a hacked version of a lib) or something is |
| 42 |
wrong with the list of high-quality overlays, because some of them ship |
| 43 |
broken/hacked libraries. |
| 44 |
|
| 45 |
It's up to the PM to give suggestions on possible dependencies/overlays |
| 46 |
that contain the missing package. (that's what paludis already does) |
| 47 |
|
| 48 |
> Or, maybe we allow the dependencies to be in the overlays. Now we |
| 49 |
> have the issue that there might be 5 different editions of that |
| 50 |
> floating around, and different packages depend on different ones, but |
| 51 |
> they're not intended to co-exist. Oh, and you still have the problem |
| 52 |
> that if the dependency changes it could break anything that uses it. |
| 53 |
> |
| 54 |
|
| 55 |
It's debatable whether that is an actual technical problem to be solved |
| 56 |
or just a reason to mark that overlay low quality. |
| 57 |
|
| 58 |
> |
| 59 |
>> |
| 60 |
>> Exherbo is already running a more modular approach, I'd be interested |
| 61 |
>> what they have to say about this or which problems they were facing. |
| 62 |
>> I'll probably also dig a bit deeper into NixOS and see what tools they |
| 63 |
>> use for creating NixOS based distros. |
| 64 |
>> |
| 65 |
> |
| 66 |
> I'm not sure how Exherbo is doing things, I'm certainly interested in |
| 67 |
> their comments. |
| 68 |
> From what I've read about Nix, it basically installs |
| 69 |
> every package-version into its own directory tree, so if zlib is in 75 |
| 70 |
> different repositories, and has 2 SONAMEs in use, then you'll have up |
| 71 |
> to 150 copies of it installed on your system each in its own directory |
| 72 |
> tree, assuming you have 150 packages each using a different fork of |
| 73 |
> it. I'll optimistically assume that only half of them contain |
| 74 |
> security issues. :) |
| 75 |
> |
| 76 |
> That is my issue with some of these more devops-oriented approaches |
| 77 |
> that try to bypass the centralized distro. They make things really |
| 78 |
> easy for developers, but they seem almost impossible to control from a |
| 79 |
> patching/security/integration standpoint. People have brought up |
| 80 |
> things like Android and iOS and their framework model as a solution, |
| 81 |
> but all the examples of this I've seen are all focused on the |
| 82 |
> presentation layer alone. It is great for a mobile app that doesn't |
| 83 |
> do anything but open sockets back to a server and display widgets. If |
| 84 |
> you're actually building the part of an application that does the real |
| 85 |
> logic/work, then suddenly you find yourself caring about a lot more |
| 86 |
> than list controls. Good luck finding a framework that includes |
| 87 |
> everything in /usr/portage/*-libs |
| 88 |
> |
| 89 |
|
| 90 |
You lost me here. It's pretty clear that there will be some more amount |
| 91 |
of "what should my overlay actually be about?" involved. |
| 92 |
|
| 93 |
I'm sure the maintainer of an overlay will know that 5+ overlays use |
| 94 |
packages from it and it will very likely become a joint effort, because |
| 95 |
everyone is interested that the dependencies are ok. |
| 96 |
|
| 97 |
I see a lot of things to figure out (especially PM-side, tools-side, |
| 98 |
maybe even PMS, maybe even repository layout, but also documentation and |
| 99 |
if it makes sense culture-wise), but I don't see a fundamental |
| 100 |
unsolvable problem here. |
Archives