Matthew Miller wrote:
> I fundamentally disagree with Kevin on a deep level about "entirely
> useless", but ... find myself kind of agreeing about the "unpackagable"
> part. I mean: clearly we've found a way, but I'm really not sure we're
> providing a lot of _value_ in this approach, and I'm also not sure it's as
> successful as it could be.

We cannot ship what we cannot package. (Just repackaging upstream blobs is a 
no-go, it is explicitly banned by Fedora Packaging Guidelines for good 
reasons.)

> I'll start with the second: our system for Rust doesn't really do that.
> Developers are going to use cargo and crates.io and we're not going to
> convince them that they should do otherwise. (I don't expect anyone
> disagrees with this.)

That is one of the issues (along with lack of proper shared library support) 
that makes Rust such a painful language: it makes it way too easy for 
developers to just add a dependency on some random unpackaged (by 
distributions) library with some random license and with random transitive 
dependencies.

In a reasonable programming language, you have to think twice before you add 
yet another dependency to your project. Tools like cargo make it way too 
easy, just add a line and rebuild. So then you end up with a mess like this:

> But running `cargo fetch` with a clean cache pulls down *390* crates.

390 dependencies is absolutely insane! No project should ever depend on so 
many libraries. This is completely unmaintainable.

> *This is what open source winning looks like.*
> 
> I remember a Byte magazine article from the 1990 (I just checked!) with
> the title "There Is a Silver Bullet: The birth of interchangeable,
> reusable software components will bring software into the information
> age". [1] This was about the newly-hot idea of Object Oriented
> Programming. It was very exciting. But, of course, that vision of the
> world did not happen. It turns out proprietary software *can't* do this.
> 
> But now we have it! I don't have to reinvent every basic wheel — but even
> more than that, I do not have to be an expert in the intricacies of safe
> concurrency to write an app that uses that under the hood. That's amazing!
> I can do such powerful things from high-level interfaces and trust the
> expertise of those who really understand the deep computer science some of
> this requires.

Code reuse is great when it makes sense, but this "NPM culture" where 
developers happily depend on tons of packages containing trivial one-line 
functions is completely insane.

If this is now the essence of "Open Source", then it will ultimately lose. 
Proprietary software companies will just be waiting for the next paradigm 
shift to lock us into their proprietary ecosystem again. For a large part, 
this has already happened with smartphones: you get to choose only between 
the Android walled garden (with an open core and lots of proprietary Google 
services and (Google and third-party) apps on top) and the iOS walled garden 
(which is completely proprietary and closed, even strictly enforcing an App 
Store monopoly). We are struggling to escape from that with devices like the 
PinePhone. But with development practices relying on an unmaintainable 
dependency hell, it will never happen.

> I am competent enough to write a silly toy game using Bevy. It might be
> good enough that others will enjoy it. *I am not competent to maintain
> many of these dependencies.* I don't even know what most of them DO.
> "anyhow"? "bytemuck"?

Welcome to dependency hell!

> Worse, many of the Bevy deps are specified with exact versions. Maybe I
> could make the package work with the packaged versions, but ... that
> requires deep expertise and even then might lead to unexpected behavior
> and has a high chance of putting me at odds with both the engine upstream
> and any other games which use it. The packaging guidelines say that I
> SHOULD create patches to update to latest versions of dependencies, and
> that I should further convince the upstream to take them. Candidly, that
> seems like a waste of everone's time.

Hardcoding exact versions of dependencies is one of the worst misfeatures of 
those language-specific build tools. It effectively prevents you from fixing 
security issues without patching every single application. And of course it 
can cause version conflicts between different applications or even between 
transitive dependencies within an application. (And, while the former ones 
can typically be resolved by shipping both versions of the library, the 
latter ones cannot, because you cannot usually link two versions of the same 
library into the same program.)

> So, going back to Kevin's point: it _does_ feel like this is unpackagable.
> But that's because the barrier to participation seems too high.

No, the answer to upstream shipping an unpackageable mess cannot possibly be 
to make it easier to smuggle unpackageable messes into Fedora!

> It's not because it's statically-linked binaries [2] can't or shouldn't
> exist in Fedora — that's not one of our core principles!

It is actually one of our Packaging Guidelines that static linking is 
discouraged:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#packaging-static-libraries
as is bundling libraries:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

(So they can indeed exist, but they definitely SHOULD NOT, the Guidelines 
undisputably say so.)

> In fact and quite to the contrary, we need to adapt to handle this amazing
> open source success story better.

I fail to see a success story here. I see a failure story. Dependency hell 
is not a success.

> And, I led with: I appreciate all the work you've all done to make this
> work. That's definitely true — I think it was super-valuable to pilot this
> approach. But I think that the Rust ecosystem would be a great place to
> pilot a different way. Something lightweight where we cache crates and use
> them _directly_ in the build process for _application_ RPMs.

Fabio has already explained very well why that is a horrible idea.

> Fedora _needs_ to adapt to stay relevant in the world where every language
> stack has developed a packaging ecosystem which effectively ignores us.
> Some of them are missing lessons they could have learned, ah well — but
> they also have a lot of nice new ideas we're missing. And, no matter what
> we think, we're clearly not going to stop them.

Rust needs to adapt to become relevant in GNU/Linux distributions.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to