Conversation

Notices

1. Embed this notice
   Hailey (hailey@hails.org)'s status on Sunday, 01-Sep-2024 02:17:18 JST Hailey

   I am a big fan of rust and think it's a natural fit for linux into the future. What isn't a natural fit is the npm tier dependency sprawl situation.

   I really do think we need to listen to what distro maintainers are telling us, because they are the ones who understand how the rubber hits the road when it comes to maintaining and supporting software long term.

   • Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Hailey (hailey@hails.org)'s status on Sunday, 01-Sep-2024 02:18:01 JST Hailey

     in reply to

     a good place to start is with all the 0.x crates which are effectively stable but haven't yet gone 1.0 and made the commitment to stability.

     as a result everyone pins a different 0.x version and it's an enormous headache for distro maintainers who would prefer to package a minimal set of versions - ideally a single version - to ease maintenance including security updates for as long as they are supporting a release.

     it's a sign of immaturity imo that it's such a widespread view in the community to see this as an outmoded, old school way of doing things that needlessly impedes dev velocity.

     Haelwenn /элвэн/ :triskell: likes this.
     Haelwenn /элвэн/ :triskell: repeated this.
   • Embed this notice
     Hailey (hailey@hails.org)'s status on Sunday, 01-Sep-2024 02:18:20 JST Hailey

     in reply to

     this is often framed as a static vs dynamic linking argument, but that's a red herring. it's actually about maintenance and support. distro maintainers need to be able to bump a dependency in an emergency - regardless of linking strategy. having fewer versions on deck that you have to support makes this a lot easier.

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 01-Sep-2024 02:35:34 JST Haelwenn /элвэн/ :triskell:

     in reply to
     @hailey In fact Rust in Linux is about the only one I could reasonably see using as the dependency management should be very different.
     
     While userspace Rust is a non-starter for me as it's dependency-management is too broken by design to do security bumps. The added memory+race-safety of Safe Rust doesn't means the other security issues don't happen, specially when libraries also contains Unsafe Rust, C, C++, Assembly, …
     And personally I'd rather have occasionally security issues trivially fixed in few hours than ones where it would take days at best but more likely never when lockfile-style packaging is involved.
   • Embed this notice
     vv221 (vv221@fediverse.dotslashplay.it)'s status on Sunday, 01-Sep-2024 02:57:23 JST vv221

     in reply to
     I've been told to not bother maintaining a debian/ because the first step in Debian is to rm -rf it
     What you’ve been told is right. While it could be surprising at first, it’s because the Debian policy is that the packaging should be done by the distribution maintainers, not the upstream developers.
     
     So you as an upstream developer should not have to spend time on that, all that is expected from upstream is stable releases and a sane dependencies policies. It’s the job of the distribution to then turn that into a neat package.
     
     Of course it can happen that the upstream developer is at the same time the distribution maintainer (it’s my case for the software I develop and its packaging into Debian). But it’s still two distinct roles that should ideally not be mixed together. Different skills and mindsets are required for both tasks.
     
     CC: @hailey@hails.org
     
     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     ✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Sunday, 01-Sep-2024 02:57:24 JST ✧✦Catherine✦✧

     in reply to

     @hailey the biggest counterargument to the distro mode of software delivery that I know is that it's not uncommon for distro maintainers to just break packages, or to be hostile to upstream efforts--I've been told to not bother maintaining a debian/ because the first step in Debian is to `rm -rf` it

     since if they break it, it's on me to fix it, why would I want them to package it?