On 26/09/2013 21:05, Jacob Carlborg wrote:
Are... you... serious?... O_O

There are incredibly important benefits for development-time usage.
To automatically fetch the required dependencies, making sure they are
correct for your application. Easily upgrade the version of dependencies?
Support multiple build configurations (including for example unittest
runners)?


Supporting all the previous functionality in a way that is
replicable across different machines?

It's not, that's another big issue with dub. It doesn't lock the
dependency graph. If you have the packages:

My own package:

{
     "name": "foo",
     "dependencies": {
         "bar": "=0.0.1"
     }
}

Third party package:

{
     "name": "bar",
     "dependencies": {
         "xyz": ">=0.0.1"
     }
}

Another third party package:

{
     "name": "xyz"
}

Say I install package "foo" on a machine. It will install package
"bar-0.0.1" and "xyz-0.0.1" just as it should. Then an hour later I
install the same package, "foo", on a different machine. Then suddenly
it installs "xyz-0.0.2". Surprise surprise, it's not the same application
anymore and you have no idea if the application is working or not.

Of course, it's unlikely this will happen within an hour. But try six
months later and you might end up with a completely different application.

From what I understand, for dependency graph locking to work at all, then each package (as stored in the central package repository) would have to specify its full dependency graph in the package specification. So the foo package would have to specify not only the bar dependency, but also xyz=0.0.1 as a dependency. Isn't that how it would work? If so, I think that might be too constricting, and might introduce other kinds of problems and limitations. (What if you know xyz=0.0.2 is safe to use, and want to install foo with that?)

Rather, I think dub should adopt Semantic Versioning as part of its recommended practices for package versioning:
http://semver.org/spec/v2.0.0.html
In this practice, stuff like "xyz": ">=0.0.1" is not recommended; an upper bound on the version is required, to allow breaking changes in xyz.


--
Bruno Medeiros - Software Engineer
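
The scenario discussed in this thread, as an added example (not part of the original messages and not dub's resolver): a toy highest-match resolver run over constructed registry snapshots, showing the open range drifting, an upper bound narrowing the drift, and a resolution recorded at install time reproducing the first install. The foo version number, the snapshots, the `<0.1.0` bound and all function names are assumptions.

```python
# Toy resolver. Package names and specs come from the thread; the version of
# foo, the registry snapshots and the "<0.1.0" bound are constructed.
FOO = {"1.0.0": {"bar": "=0.0.1"}}
OPEN = {"0.0.1": {"xyz": ">=0.0.1"}}             # bar as posted
BOUNDED = {"0.0.1": {"xyz": ">=0.0.1 <0.1.0"}}   # bar with an assumed upper bound
XYZ_DAY_ONE = {"0.0.1": {}}
XYZ_LATER = {"0.0.1": {}, "0.0.2": {}, "0.1.0": {}}

def registry(bar, xyz):
    return {"foo": FOO, "bar": bar, "xyz": xyz}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def matches(version, spec):
    """True if version satisfies every space-separated clause (>=, <, =)."""
    for clause in spec.split():
        op = next((o for o in (">=", "<", "=") if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause}")
        v, bound = parse(version), parse(clause[len(op):])
        if not {">=": v >= bound, "<": v < bound, "=": v == bound}[op]:
            return False
    return True

def resolve(reg, name, spec, lock=None, out=None):
    """Depth-first resolve picking the highest match; a lock (name -> version)
    restricts each package to its recorded version, still checked against spec."""
    out = {} if out is None else out
    pool = [lock[name]] if lock else sorted(reg[name], key=parse, reverse=True)
    chosen = next((v for v in pool if v in reg[name] and matches(v, spec)), None)
    if chosen is None:
        raise LookupError(f"no version of {name} satisfies {spec}")
    out[name] = chosen
    for dep, dep_spec in reg[name][chosen].items():
        resolve(reg, dep, dep_spec, lock, out)
    return out

if __name__ == "__main__":
    first = resolve(registry(OPEN, XYZ_DAY_ONE), "foo", "=1.0.0")
    print("day one:        ", first)
    print("later, open:    ", resolve(registry(OPEN, XYZ_LATER), "foo", "=1.0.0"))
    print("later, bounded: ", resolve(registry(BOUNDED, XYZ_LATER), "foo", "=1.0.0"))
    print("later, locked:  ", resolve(registry(OPEN, XYZ_LATER), "foo", "=1.0.0", lock=first))
```

The bounded range still moves from xyz 0.0.1 to 0.0.2 on the later snapshot; only the recorded resolution returns the same three versions on both.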
