~sircmpwn/public-inbox

4 3

Package managemet vs dependency management

Details
Message ID
<20211117134900.67612d8e450beb2ccfbe27ff@disroot.org>
DKIM signature
pass
Download raw message
Avid reader of drewdevault.com here. There've been a couple of articles
advancing the idea that language-specific package managers are harmful
and distribution package managers should be used instead:

https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html
https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html
https://drewdevault.com/2021/11/16/Python-stop-screwing-distros-over.html

And these posts have made good points and have convinced that
distribution-agnostic package managers like Flatpak are harmful.
But I think it's a mistake to conflate PyPI and npm with those,
because: **pip and npm aren't *package* managers, they're
*dependency* managers**. They have a different use case. An
end-user who doesn't program should never have to use pip or npm.
End-users are interested in applications, which should be provided
by distribution package managers, but developers are interested
in dependencies.

The number of libraries out there for applications to depend on is too
vast for any distribution to package them all, and even if they tried,
the amount of work required for them to keep all their packaged
libraries up to date would be insane. You'd constantly be forced to
keep using old versions of dependencies because your distribution hasn't
updated them, or you wouldn't be able to build anything on a less
popular distribution that doesn't have all that stuff packaged.

Unlike applications, libraries don't generally have files that need to
be installed into various folders like /usr/share or /usr/lib or
/usr/bin. They just need their source code, or a built object file, or
some high-level language's language-specific version of those, to be in
some folder like vendor/ or lib/ in your project root to be used during
the build.

Thus, Flatpak and Snap and Homebrew or whatever can die, and yes having
multiple competing build systems for the same language sucks (one of my
main frustrations with C btw), but please spare pip and npm and go build
and cargo.

You have another page where you hate on dynamic linking (and I agree
with that hate). In a world without dynamic linking this distinction
would be a lot more obvious because you wouldn't find dependencies
like libthis and libthat in the distribution package manager.
Details
Message ID
<CAL0kPAWseakULvhYY0MT2CKoFp7OLWoRBzPK+oNWQTJxvK1EMw@mail.gmail.com>
In-Reply-To
<20211117134900.67612d8e450beb2ccfbe27ff@disroot.org> (view parent)
DKIM signature
pass
Download raw message
On Fri, Nov 19, 2021 at 11:50 AM Yujiri <yujiri@disroot.org> wrote:
> An
> end-user who doesn't program should never have to use pip or npm.

That is absolutely true, in theory. In practice, however, they have no choice.
There is no possible way for me to make packages for all Linux distros.
In fact, every time I've tried to look into how to make them, I've failed.
Making a RPM or a DEB is an obtuse and arcane form of magic. And
how would I go about making one for the infinite amount of Linux distros
that exist? I haven't got a clue.

And that's not even mentioning Windows.

Thus, anyone interested in using my software has to use pip to install it,
even when they aren't expected to develop with it.

On Fri, Nov 19, 2021 at 11:50 AM Yujiri <yujiri@disroot.org> wrote:
>
> Avid reader of drewdevault.com here. There've been a couple of articles
> advancing the idea that language-specific package managers are harmful
> and distribution package managers should be used instead:
>
> https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html
> https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html
> https://drewdevault.com/2021/11/16/Python-stop-screwing-distros-over.html
>
> And these posts have made good points and have convinced that
> distribution-agnostic package managers like Flatpak are harmful.
> But I think it's a mistake to conflate PyPI and npm with those,
> because: **pip and npm aren't *package* managers, they're
> *dependency* managers**. They have a different use case. An
> end-user who doesn't program should never have to use pip or npm.
> End-users are interested in applications, which should be provided
> by distribution package managers, but developers are interested
> in dependencies.
>
> The number of libraries out there for applications to depend on is too
> vast for any distribution to package them all, and even if they tried,
> the amount of work required for them to keep all their packaged
> libraries up to date would be insane. You'd constantly be forced to
> keep using old versions of dependencies because your distribution hasn't
> updated them, or you wouldn't be able to build anything on a less
> popular distribution that doesn't have all that stuff packaged.
>
> Unlike applications, libraries don't generally have files that need to
> be installed into various folders like /usr/share or /usr/lib or
> /usr/bin. They just need their source code, or a built object file, or
> some high-level language's language-specific version of those, to be in
> some folder like vendor/ or lib/ in your project root to be used during
> the build.
>
> Thus, Flatpak and Snap and Homebrew or whatever can die, and yes having
> multiple competing build systems for the same language sucks (one of my
> main frustrations with C btw), but please spare pip and npm and go build
> and cargo.
>
> You have another page where you hate on dynamic linking (and I agree
> with that hate). In a world without dynamic linking this distinction
> would be a lot more obvious because you wouldn't find dependencies
> like libthis and libthat in the distribution package manager.
Details
Message ID
<uRsLy_FNloBROBANVL7N3rUBXbksH9tWgjEwGy6WM7lAMR7ka6rw8lZYqyeq-Qh_xff8yyJbDXawWLjNdIDAhVcztXB4azQUx7bpG1OHGmk=@emersion.fr>
In-Reply-To
<CAL0kPAWseakULvhYY0MT2CKoFp7OLWoRBzPK+oNWQTJxvK1EMw@mail.gmail.com> (view parent)
DKIM signature
pass
Download raw message
On Friday, November 19th, 2021 at 13:28, Lennart Regebro <regebro@gmail.com> wrote:

> That is absolutely true, in theory. In practice, however, they have no choice.
> There is no possible way for me to make packages for all Linux distros.
> In fact, every time I've tried to look into how to make them, I've failed.
> Making a RPM or a DEB is an obtuse and arcane form of magic. And
> how would I go about making one for the infinite amount of Linux distros
> that exist? I haven't got a clue.

There's a very simple answer to this: do not try to package your own software.
This is a task for the distribution developers, not for you. As your software
gets adopted by more users, distributions will naturally pick it up, without
any action on your end.

Read the links Yujiri mentioned in the parent post for more info, it doesn't
seem like you're familiar with them.
Details
Message ID
<20211119175945.c7777e65c3d59b001c278b96@disroot.org>
In-Reply-To
<20211117134900.67612d8e450beb2ccfbe27ff@disroot.org> (view parent)
DKIM signature
pass
Download raw message
On Fri, Nov 21, 2021 at 10:55 AM Lennart Regebro <regebro@gmail.com> wrote:

> On Fri, Nov 19, 2021 at 11:50 AM Yujiri <yujiri@disroot.org> wrote:
>> An
>> end-user who doesn't program should never have to use pip or npm.

> That is absolutely true, in theory. In practice, however, they have no choice.
> There is no possible way for me to make packages for all Linux distros.
> In fact, every time I've tried to look into how to make them, I've failed.
> Making a RPM or a DEB is an obtuse and arcane form of magic. And
> how would I go about making one for the infinite amount of Linux distros
> that exist? I haven't got a clue.

> And that's not even mentioning Windows.

> Thus, anyone interested in using my software has to use pip to install it,
> even when they aren't expected to develop with it.

Drew has another article where he argues that packaging for distributions is not the responsibility of the application developer, in fact it was the one linked as "Further reading" on the recent Python rant: https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html

> One thing you shouldn't do is go around asking distros to add your program to their repos. Once you ship your tarballs, your job is done. It's the users who will go to their distro and ask for a new package. And users - do this! If you find yourself wanting to use some cool software which isn't in your distro, go ask for it, or better yet, package it up yourself. For many packages, this is as simple as copying and pasting a similar package (let's hope they followed my advice about using an industry-standard build system), making some tweaks, and building it.

What do you think of this point?
Details
Message ID
<CAL0kPAVozteM81QNCpyk_0ziPVkzFrQooMbPh12Gp_qJR7y4ng@mail.gmail.com>
In-Reply-To
<20211119175945.c7777e65c3d59b001c278b96@disroot.org> (view parent)
DKIM signature
pass
Download raw message
On Mon, Nov 22, 2021 at 2:02 PM Yujiri <yujiri@disroot.org> wrote:
> Drew has another article where he argues that packaging for distributions is not the responsibility of the application developer, in fact it was the one linked as "Further reading" on the recent Python rant: https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html
>
> What do you think of this point?

It's a good point. But that also means there must be non-distro ways
of distributing packages. Which is what he complained about in the
post about Python packaging. Software needs to be distributed.
Reply to thread Export thread (mbox)