Are npm/crates.io just a different approach to distributing software, compared to Linux distros?
Or is there something more fundamental about their approach, how it affects user/developer relations, and how if affects user autonomy?
Conversation
Notices
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 16-Dec-2024 21:09:38 JST 
Ludovic Courtès
- alcinnz repeated this.
-
Embed this notice
Jonathan Nogueira (jnogueira@fosstodon.org)'s status on Monday, 16-Dec-2024 22:02:34 JST 
Jonathan Nogueira
@civodul npm helped build the semver standardization into people's brains.
Between semver versioning being "wanted" packages and lockfiles, it made it super easy to kind of make certain guarantees about your dependency tree, even when that dependency was maintained by a third party.
That dependency pinning is so hard in guix is actually something that is a neverending headache for me and package management, personally.
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 16-Dec-2024 22:02:34 JST
Ludovic Courtès
@JNogueira You’re speaking as a developer, right?
Can you clarify what you mean when you say dependency pinning is hard in Guix? (I can see things that are definitely hard but I’m not sure we’re talking about the same things.)
-
Embed this notice
Hisham (hisham_hm@mastodon.social)'s status on Monday, 16-Dec-2024 23:00:13 JST 
Hisham
@civodul 2) language package managers cut the "middleman" and allow module/library devs to make them available to other devs right away, without someone like a Debian developer having to deem them relevant/ready enough for packaging.
The fact that there is no curation is a feature for language package managers, just like the fact that there is curation is a feature for system package managers.
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Monday, 16-Dec-2024 23:00:13 JST 
Rich Felker
@hisham_hm @civodul This "middle man" being cut out is the most important role for user safety and making publishers think twice about tramping on the user's wishes like they do on Windows, Android, iOS, etc. Trying to eliminate it is highly misguided and user-hostile.
-
Embed this notice
Hisham (hisham_hm@mastodon.social)'s status on Monday, 16-Dec-2024 23:00:14 JST
Hisham
@civodul I don't know through which lens you're looking into this, but to me there are two fundamental differences:
1) npm/crates.io/LuaRocks (language package managers) are PMs _for programmers_. They ship primarily modules/libraries; apt/rpm/etc (system PMs) are PMs for _end-users_. I don't expect a non-programmer to ever use cargo but I expect a Ubuntu user to use apt (even if via a GUI).
-
Embed this notice
Jonathan Nogueira (jnogueira@fosstodon.org)'s status on Monday, 16-Dec-2024 23:03:34 JST
Jonathan Nogueira
As a developer in rust, javascript, and a maintainer of a personal guix channel, yes.
Main thing is that if you have dependencies for packages that aren't things you actively maintain in your own channel (in my case the gnu packages mainline) there's not really an effective way to pin a dependent channel's packages without it causing some cascade of errors. (1/3)
-
Embed this notice
Jonathan Nogueira (jnogueira@fosstodon.org)'s status on Monday, 16-Dec-2024 23:03:34 JST
Jonathan Nogueira
channel dependencies don't seem to be built to handle pinning the dependent channel to a specific commit, and nor could I get inferiors to work as package inputs without either of them causing a bunch of ABI errors. (2/3)
-
Embed this notice
Jonathan Nogueira (jnogueira@fosstodon.org)'s status on Monday, 16-Dec-2024 23:03:34 JST
Jonathan Nogueira
I admit I'm still very much new to guile and guix but my attempts at stabilizing my channel so I don't have to fix it every time I `guix pull` has been a bit of a nightmare.
Compare to npm or cargo's lockfiles which guarantee the dependency will always stay the same no matter if any other dependencies or cargo changes (3/3)
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 16-Dec-2024 23:03:34 JST
Ludovic Courtès
@JNogueira Interesting. Usually, channel pinning is a user choice:
https://guix.gnu.org/manual/devel/en/html_node/Replicating-Guix.htmlChannel authors can also pin dependencies in their own channels (in ‘.guix-channel’) but that’s not a common use case AFAIK.
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 16-Dec-2024 23:06:05 JST
Ludovic Courtès
@hisham_hm I agree that these are PMs for programmers (and they’re doing a great job at it).
In that case, what’s the story for users?
You write that a non-programmer is not expected to run cargo; but then, how does one install a Rust app? Via Ubuntu & other distros, but then how are distro developers supposed to package that?
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 16-Dec-2024 23:07:03 JST
Ludovic Courtès
@hisham_hm (In case it’s not clear I’m looking at it from the perspective of a traditional distro developer *and* user.)
-
Embed this notice
Pjotr Prins (pjotrprins@mastodon.social)'s status on Tuesday, 17-Dec-2024 00:57:35 JST 
Pjotr Prins
@civodul Developer convenience is what I hear most. Quickly breaks down when you want to combine things outside the language ecosystem.
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Biason::Julio::new(); (juliobiason@functional.cafe)'s status on Tuesday, 17-Dec-2024 01:47:03 JST 
Biason::Julio::new();
@hisham_hm @civodul
(puts Diogenes beard):
"Docker." -
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Tuesday, 17-Dec-2024 02:52:07 JST
Ludovic Courtès
@octorine I should say that tools like Nix and Guix specifically try to accommodate both the developer needs (pinned versions) and the user needs (latest versions).
Cargo explicitly caters only to developer needs.
-
Embed this notice
Octorine (octorine@fosstodon.org)'s status on Tuesday, 17-Dec-2024 02:52:08 JST 
Octorine
@civodul One difference is tempo. Os packages update a few times a year. A crate in crates.io updates whenever a new version comes out.
User behavior is different. As a user I almost always want the latest os package. As a dev, I usually want the version I developed and tested with, and may upgrade later if I have time.
-
Embed this notice
Hisham (hisham_hm@mastodon.social)'s status on Tuesday, 17-Dec-2024 07:49:23 JST
Hisham
@juliobiason @civodul The success of Docker is the developer world's tacit acknowledgement that package management has failed.
(For anyone else reading my tongue-in-cheek comment without context: be aware that I have authored two package managers, both in the language side and distro side of the game. If you're offended by my remark above, just s/has failed/is hard/, but my point still stands.)
-
Embed this notice
Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Tuesday, 17-Dec-2024 07:49:23 JST
Ludovic Courtès
@hisham_hm @juliobiason The success of Docker is also a sign that language-specific package managers are only for developers; that they leave users aside.
You mentioned that LPM improve developer autonomy, which is true (as if developer autonomy was at risk).
What I feel, and the reason I’m glad we have this discussion, is that it does so at the expense of user autonomy. “Grab that Docker image if you want to run my code” is a symptom of that.
Haelwenn /элвэн/ :triskell: likes this.
All GNU social JP content and data are available under the