Re: [Spam:]Re: “What’s in a package”
Katherine Cox-Buday writes:

> As we've seen these past years with COVID-19 and the world's supply
> chains, efficiency has some kind of inverse relationship with
> robustness. If you go too far down the path of efficiency, you are not
> very flexible, and you're building sand castles.

That's exactly what I have seen happening in scientific software for a
while:

https://hal.archives-ouvertes.fr/hal-02117588

> It's for this reason I appreciate having "robust" software underneath
> my sand castle. At least I know only so much can crumble :)

100 % agreement!

> I want to be careful here in what I suggest. I think it is very
> important that Guix remain a bastion of robust software with very high
> standards. I don't want to see the PyPi PyTorch packages of the world

Me neither. My suggestion was for support in Guix the tool, not Guix the
software distribution. People can/should package their sand castles in
their private channels.

> So with your example: make it really easy to transform that PyPi
> package into a terrible Guix primitive of some kind, but don't let me
> commit it to Guix proper.

I trust our maintainer team to not let this happen.

> Maybe interactive software that introspects how a package
> is written and behaves at runtime (in a container?) and utilizes the
> homoiconicity of scheme to suggest modifications of the package, or
> next steps. E.g. expand the linter to suggest things like

That sounds interesting!

> Speaking of industry, I don't think we leverage software to build software
> enough.

Definitely not.

> And by the way, none of those ideas would be possible if Guix weren't
> such a robust and sane ecosystem.

Exactly. We can discuss (and more) adding sloppy stuff on top of Guix,
but it wouldn't work the other way round.

"Jonathan McHugh" writes:

> Your focus regarding a transition from exploratory to robust is
> important (though may have equal significance in the other
> direction?).

Not equal as I see it, but yes, it matters as well, for dragging a
stable package out into the open again for significant improvements.

> Would security experts have (understandable) criteria to prioritise
> choices for 'robust corridors' within an ecosystem of sourcefiles and
> encapsulated blobs?

I'd love to hear from security experts too!

Konrad.
Re: [Spam:]Re: “What’s in a package”
Hi Konrad,

Similarly I found the post excellent.

Your focus regarding a transition from exploratory to robust is
important (though may have equal significance in the other direction?).

Would security experts have (understandable) criteria to prioritise
choices for 'robust corridors' within an ecosystem of sourcefiles and
encapsulated blobs?

Jonathan McHugh
indieterminacy@libre.brussels

September 22, 2021 3:32 PM, "Konrad Hinsen" wrote:

> Hi Katherine and Ludo,
>
>> I appreciate this post very much. Setting aside questions of freedom,
>
> +1
>
>> This is perhaps a rehash of the "worse is better"[2] conversation, but
>> I often struggle with deciding whether to do things the "fast" way, or
>> the "correct" way. I think when your path is clear, the correct way
>> will get you farther, faster. But when you're doing experiments, or
>> exploratory programming, being bogged down with the "correct" way of
>> doing things (i.e. Guix packages) might take a lot of time for no
>
> Exactly. Most software engineering tools situate themselves somewhere on
> the "fast" vs. "robust" scale, and defend their position as the one and
> only Good Thing. Guix is at the "robust" end of the scale in the
> software management category. And that's what I want for most of the
> software I use, i.e. everything I don't hack on myself. Which is why I
> like Guix :-)
>
> What is so far insufficiently supported by computing technology is the
> necessary transition from "fast" to "robust". There are a few
> exceptions, such as programming languages with gradual typing. In most
> situations, moving software from exploratory to robust involves a lot of
> rewriting, often manually, with no tooling support.
>
>> Bringing this back to Guix, and maybe the GNU philosophy, it has been
>> very helpful for me to be able to leverage the flexibility of Guix to
>> occasionally do things the "fast" way, perhaps by packaging a
>> binary. Paradoxically, it has allowed me to stay within the Guix and
>> free software ecosystem. In my opinion, flexibility is key to growing
>> the ecosystem and community, and I would encourage Guix as a project
>> to take every opportunity to give the user options.
>
> +100 :-)
>
> There is a lot we can improve here. Tutorials would be a good start.
> Example: How do you package a binary in Guix? In particular, how do you
> deal with binaries that have binary dependencies that they expect in
> /lib etc.? A next step would be tool support: Grab whatever PyPI offers,
> even if it's only binary wheels, and turn that into a Guix package.
>
> Another aspect would be supporting software development moving from fast
> to robust. Suppose I have software I compile by hand, or via a simple
> Makefile, somewhere in my home directory. How do I go from there to (1)
> a quick-and-dirty Guix package, then (2) a very basic publishable Guix
> package and finally (3) a Guix package with tests and documentation?
> The path should be supported by various tools, from automatic rewriting
> to debugging. As an example, something I have wished for more than once
> is the possibility to run the individual build steps of a Guix package
> under my own account in my home directory, for debugging purposes.
>
> Konrad
> --
> -
> Konrad Hinsen
> Centre de Biophysique Moléculaire, CNRS Orléans
> Synchrotron Soleil - Division Expériences
> Saint Aubin - BP 48
> 91192 Gif sur Yvette Cedex, France
> Tel. +33-1 69 35 97 15
> E-Mail: konrad DOT hinsen AT cnrs DOT fr
> http://dirac.cnrs-orleans.fr/~hinsen
> ORCID: https://orcid.org/-0003-0330-9428
> Twitter: @khinsen
> -
Re: [Spam:]Re: “What’s in a package”
Konrad Hinsen writes:

> What is so far insufficiently supported by computing technology is the
> necessary transition from "fast" to "robust".

This is really a large problem in the industry. Especially since in most
circles moving fast is considered the preferred way to do things. SaaS
and abstractions are endemic, and while helpful to get things going, it
can lead to precarious systems with interdependencies and risks that are
not fully understood or appreciated.

The "fast" path does allow people to test out new ideas very quickly,
but there is a hidden cost.

As we've seen these past years with COVID-19 and the world's supply
chains, efficiency has some kind of inverse relationship with
robustness. If you go too far down the path of efficiency, you are not
very flexible, and you're building sand castles.

It's for this reason I appreciate having "robust" software underneath my
sand castle. At least I know only so much can crumble :)

> There are a few exceptions, such as programming languages with gradual typing.
> In most situations, moving software from exploratory to robust involves a lot
> of rewriting, often manually, with no tooling support.

I really like this framing. How can we support every step of the
continuum with a gentle pull towards robustness? That sounds like
something to strive for.

>> Bringing this back to Guix, and maybe the GNU philosophy, it has been
>> very helpful for me to be able to leverage the flexibility of Guix to
>> occasionally do things the "fast" way, perhaps by packaging a
>> binary. Paradoxically, it has allowed me to stay within the Guix and
>> free software ecosystem. In my opinion, flexibility is key to growing
>> the ecosystem and community, and I would encourage Guix as a project
>> to take every opportunity to give the user options.
>
> +100 :-)
>
> There is a lot we can improve here. Tutorials would be a good start.
> Example: How do you package a binary in Guix? In particular, how do you
> deal with binaries that have binary dependencies that they expect in
> /lib etc.? A next step would be tool support: Grab whatever PyPI offers,
> even if it's only binary wheels, and turn that into a Guix package.

I want to be careful here in what I suggest. I think it is very
important that Guix remain a bastion of robust software with very high
standards. I don't want to see the PyPi PyTorch packages of the world in
Guix. I /do/ want to see tooling in Guix that allows users to package
and utilize these things as first-class primitives in the Guix world.

In other words, let me create beautiful and terrible things, but don't
let me unleash them on the world.

So with your example: make it really easy to transform that PyPi package
into a terrible Guix primitive of some kind, but don't let me commit it
to Guix proper.

> Another aspect would be supporting software development moving from fast
> to robust. Suppose I have software I compile by hand, or via a simple
> Makefile, somewhere in my home directory. How do I go from there to (1)
> a quick-and-dirty Guix package, then (2) a very basic publishable Guix
> package and finally (3) a Guix package with tests and documentation?
> The path should be supported by various tools, from automatic rewriting
> to debugging. As an example, something I have wished for more than once
> is the possibility to run the individual build steps of a Guix package
> under my own account in my home directory, for debugging purposes.

This kind of stuff really excites me. If we could build tooling that
somehow moves things along the continuum, that would really be
something. Maybe interactive software that introspects how a package is
written and behaves at runtime (in a container?) and utilizes the
homoiconicity of scheme to suggest modifications of the package, or next
steps. E.g. expand the linter to suggest things like documentation, or
to identify at what point on the continuum the package might currently
be, and how to move forward. Does the package vendor binaries? Does Guix
have any packages that look like those binaries? What do the package's
binaries want to link to? What paths does it try and access when run?

Speaking of industry, I don't think we leverage software to build
software enough.

And by the way, none of those ideas would be possible if Guix weren't
such a robust and sane ecosystem.

--
Katherine
Re: [Spam:]Re: “What’s in a package”
Hi Katherine and Ludo,

> I appreciate this post very much. Setting aside questions of freedom,

+1

> This is perhaps a rehash of the "worse is better"[2] conversation, but
> I often struggle with deciding whether to do things the "fast" way, or
> the "correct" way. I think when your path is clear, the correct way
> will get you farther, faster. But when you're doing experiments, or
> exploratory programming, being bogged down with the "correct" way of
> doing things (i.e. Guix packages) might take a lot of time for no

Exactly. Most software engineering tools situate themselves somewhere on
the "fast" vs. "robust" scale, and defend their position as the one and
only Good Thing. Guix is at the "robust" end of the scale in the
software management category. And that's what I want for most of the
software I use, i.e. everything I don't hack on myself. Which is why I
like Guix :-)

What is so far insufficiently supported by computing technology is the
necessary transition from "fast" to "robust". There are a few
exceptions, such as programming languages with gradual typing. In most
situations, moving software from exploratory to robust involves a lot of
rewriting, often manually, with no tooling support.

> Bringing this back to Guix, and maybe the GNU philosophy, it has been
> very helpful for me to be able to leverage the flexibility of Guix to
> occasionally do things the "fast" way, perhaps by packaging a
> binary. Paradoxically, it has allowed me to stay within the Guix and
> free software ecosystem. In my opinion, flexibility is key to growing
> the ecosystem and community, and I would encourage Guix as a project
> to take every opportunity to give the user options.

+100 :-)

There is a lot we can improve here. Tutorials would be a good start.
Example: How do you package a binary in Guix? In particular, how do you
deal with binaries that have binary dependencies that they expect in
/lib etc.? A next step would be tool support: Grab whatever PyPI offers,
even if it's only binary wheels, and turn that into a Guix package.

Another aspect would be supporting software development moving from fast
to robust. Suppose I have software I compile by hand, or via a simple
Makefile, somewhere in my home directory. How do I go from there to (1)
a quick-and-dirty Guix package, then (2) a very basic publishable Guix
package and finally (3) a Guix package with tests and documentation?
The path should be supported by various tools, from automatic rewriting
to debugging. As an example, something I have wished for more than once
is the possibility to run the individual build steps of a Guix package
under my own account in my home directory, for debugging purposes.

Konrad
--
-
Konrad Hinsen
Centre de Biophysique Moléculaire, CNRS Orléans
Synchrotron Soleil - Division Expériences
Saint Aubin - BP 48
91192 Gif sur Yvette Cedex, France
Tel. +33-1 69 35 97 15
E-Mail: konrad DOT hinsen AT cnrs DOT fr
http://dirac.cnrs-orleans.fr/~hinsen/
ORCID: https://orcid.org/-0003-0330-9428
Twitter: @khinsen
-