guile-devel

Re: summer of code ideas


From: Mark H Weaver
Subject: Re: summer of code ideas
Date: Mon, 07 Mar 2011 20:10:01 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (gnu/linux)

"Jose A. Ortega Ruiz" <address@hidden> writes:
>>    (use-modules (url://a-url.com library module #:optional a-rev-number))
>
> FWIW, I think this is a bad idea.  It intermingles two concerns that are
> orthogonal, namely installing a package and using it.

I very strongly agree with jao.  Systems like this, e.g. Python Eggs,
have been a major headache for distributions to deal with.  Debian
actually takes the time to disable this automatic downloading and
installing functionality from their Python packages, and I'm glad for
it.  I am very security conscious, and the thought of software being
automatically installed "on-demand" from untrusted sources when I run a
program, or maybe even when I first use some particular functionality of
that program, is very disconcerting.

Maybe not everyone wants this, but as a Debian and gNewSense user, I
want my distribution to be an intermediary for most of the software I
use.  I trust them more than I trust most upstreams to ensure that the
software has been somewhat vetted for license issues, security problems,
anti-features, etc.  I want my distribution to be able to modify the
packages as necessary to make them work well together and with the rest
of the system.  I also want experimental distributions to be able to
make significant changes to packages to fit within their new ideas of
how the system should be set up.

Furthermore, there are many thorny issues involved with package
management that are very hard to get right, and most of the new crop of
language-specific package systems like this are half-baked at best.

For example, how do you ensure security?  Debian has a reasonably well
thought out system for using digital signatures for this.  How will we
handle it?

Also, how will we handle versioning?  It is very hard to do this
properly.  Sometimes you want the cutting-edge version of something, and
sometimes you want stability.  It is not enough to simply designate a
stable version of each individual package.  A stable system requires
that all the individual pieces have been tested together as a whole, as
is done in Debian and other distros.  How will we handle it?

I don't mean to be a wet blanket, because I can certainly see the appeal
of a system like this, but let's please be careful not to repeat the
many mistakes that other similar systems have made.  It is a very thorny
problem.

    Regards,
      Mark


