1 |
On 11/20/2014 04:03 AM, Rich Freeman wrote: |
2 |
> On Wed, Nov 19, 2014 at 7:36 PM, hasufell <hasufell@g.o> wrote: |
3 |
>> |
4 |
>> But keep in mind that the core is supposed to shrink with this idea of a |
5 |
>> distributed model! So it would be less work to actually roll/tag |
6 |
>> releases than it would be right now (or even do that stuff in branches). |
7 |
> |
8 |
> This doesn't really make the issue go away. Are all dependencies |
9 |
> going to have to stay in the core? |
10 |
|
11 |
no, why? |
12 |
|
13 |
> That is a lot of packages, and |
14 |
> we'll need lots of controls so that updates to those dependencies |
15 |
> don't break all of these distributed repos whose existence we may not |
16 |
> even be aware of. |
17 |
> |
18 |
|
19 |
You are exaggerating, imo. We already have these breakages in the tree, |
20 |
because a lot of teams do not communicate, including security bug fixes |
21 |
on libraries that break 20+ packages of a different subsystem (including |
22 |
stable packages, multiple times). |
23 |
Also, no one tests all reverse deps when bumping a package in ~arch. |
24 |
|
25 |
Whether these packages live in one repository or several almost doesn't |
26 |
make any difference, as long as there is communication. |
27 |
|
28 |
It took me 5 minutes to communicate that libsdl2 is not going to be |
29 |
slotted in the tree to all major overlays that had libsdl:2 packaged. |
30 |
They fixed it within 30minutes. That's ~50 times faster than what I |
31 |
expect in the tree. |
32 |
|
33 |
It's not really an issue to have communication channels and a community |
34 |
infrastructure for those things. |
35 |
|
36 |
Sure, these things sound scary if you imagine overlays with 10+ overlay |
37 |
dependencies. |
38 |
But first of all, you don't really depend on an overlay just because you |
39 |
need a few packages from it. If it matters where that package actually |
40 |
comes from, then there is either something wrong with your own package |
41 |
(e.g. because it requires a hacked version of a lib) or something is |
42 |
wrong with the list of high-quality overlays, because some of them ship |
43 |
broken/hacked libraries. |
44 |
|
45 |
It's up to the PM to give suggestions on possible dependencies/overlays |
46 |
that contain the missing package. (that's what paludis already does) |
47 |
|
48 |
> Or, maybe we allow the dependencies to be in the overlays. Now we |
49 |
> have the issue that there might be 5 different editions of that |
50 |
> floating around, and different packages depend on different ones, but |
51 |
> they're not intended to co-exist. Oh, and you still have the problem |
52 |
> that if the dependency changes it could break anything that uses it. |
53 |
> |
54 |
|
55 |
It's debatable whether that is an actual technical problem to be solved |
56 |
or just a reason to mark that overlay low quality. |
57 |
|
58 |
> |
59 |
>> |
60 |
>> Exherbo is already running a more modular approach, I'd be interested |
61 |
>> what they have to say about this or which problems they were facing. |
62 |
>> I'll probably also dig a bit deeper into NixOS and see what tools they |
63 |
>> use for creating NixOS based distros. |
64 |
>> |
65 |
> |
66 |
> I'm not sure how Exherbo is doing things, I'm certainly interested in |
67 |
> their comments. |
68 |
> From what I've read about Nix, it basically installs |
69 |
> every package-version into its own directory tree, so if zlib is in 75 |
70 |
> different repositories, and has 2 SONAMEs in use, then you'll have up |
71 |
> to 150 copies of it installed on your system each in its own directory |
72 |
> tree, assuming you have 150 packages each using a different fork of |
73 |
> it. I'll optimistically assume that only half of them contain |
74 |
> security issues. :) |
75 |
> |
76 |
> That is my issue with some of these more devops-oriented approaches |
77 |
> that try to bypass the centralized distro. They make things really |
78 |
> easy for developers, but they seem almost impossible to control from a |
79 |
> patching/security/integration standpoint. People have brought up |
80 |
> things like Android and iOS and their framework model as a solution, |
81 |
> but all the examples of this I've seen are all focused on the |
82 |
> presentation layer alone. It is great for a mobile app that doesn't |
83 |
> do anything but open sockets back to a server and display widgets. If |
84 |
> you're actually building the part of an application that does the real |
85 |
> logic/work, then suddenly you find yourself caring about a lot more |
86 |
> than list controls. Good luck finding a framework that includes |
87 |
> everything in /usr/portage/*-libs |
88 |
> |
89 |
|
90 |
You lost me here. It's pretty clear that there will be some more amount |
91 |
of "what should my overlay actually be about?" involved. |
92 |
|
93 |
I'm sure the maintainer of an overlay will know that 5+ overlays use |
94 |
packages from it and it will very likely become a joint effort, because |
95 |
everyone is interested that the dependencies are ok. |
96 |
|
97 |
I see a lot of things to figure out (especially PM-side, tools-side, |
98 |
maybe even PMS, maybe even repository layout, but also documentation and |
99 |
if it makes sense culture-wise), but I don't see a fundamental |
100 |
unsolvable problem here. |