dub: should we make it the de jure package manager for D?

Bruno Medeiros brunodomedeiros+dng at gmail.com
Tue Oct 8 03:51:27 PDT 2013


On 26/09/2013 21:05, Jacob Carlborg wrote:
>> Are... you... serious?... O_O
>>
>> There are incredibly important benefits for development-time usage.
>> To automatically fetch the required dependencies, making sure they are
>> correct for your application. Easily upgrade the version of dependencies?
>> Support multiple build configurations (including for example unittest
>> runners)?
>
>
>> Supporting all the previous functionality in a way that is
>> replicable across different machines?
>
> It's not, that's another big issue with dub. It doesn't lock the
> dependency graph. If you have the packages:
>
> My own package:
>
> {
>      "name": "foo",
>      "dependencies": {
>          "bar": "=0.0.1"
>      }
> }
>
> Third party package:
>
> {
>      "name": "bar",
>      "dependencies": {
>          "xyz": ">=0.0.1"
>      }
> }
>
> Another third party package:
>
> {
>      "name": "xyz"
> }
>
> Say I install package "foo" on a machine. It will install package
> "bar-0.0.1" and "xyz-0.0.1" just as it should. Then an hour later I
> install the same package, "foo", on a different machine. Then suddenly
> it installs "xyz-0.0.2". Surprise surprise, it's not the same application
> anymore and you have no idea if the application is working or not.
>
> Of course, it's unlikely this will happen within an hour. But try six
> months later and you might end up with a completely different application.

From what I understand, for dependency graph locking to work at all, 
then each package (as stored in the central package repository) would 
have to specify its full dependency graph in the package specification. 
So the foo package would have to specify not only the bar dependency, 
but also xyz=0.0.1 as a dependency. Isn't that how it would work?
If so, I think that might be too constricting, and might introduce 
other kinds of problems and limitations. (what if you know xyz=0.0.2 is 
safe to use, and want to install foo with that?)

Rather, I think dub should adopt Semantic Versioning as part of its 
recommended practices for package versioning:
http://semver.org/spec/v2.0.0.html
In this practice, stuff like "xyz": ">=0.0.1" is not recommended, an 
upper bound on the version is required, to allow breaking changes in xyz.


-- 
Bruno Medeiros - Software Engineer
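
An added example, not part of the original message and not dub's code: a minimal Python resolver run over the foo/bar/xyz packages from the quoted post. It shows the unlocked install drifting to xyz-0.0.2, and a lock recorded by whoever installs foo reproducing the first graph while bar's specification keeps its range. Assumptions: the names `resolve`, `satisfies` and `parse`, the two registry snapshots (constructed), and the lock being a plain name-to-version map.

```python
# Constructed registry snapshots: package -> version -> dependency specs.
REGISTRY_T0 = {
    "foo": {"0.0.1": {"bar": "=0.0.1"}},
    "bar": {"0.0.1": {"xyz": ">=0.0.1"}},
    "xyz": {"0.0.1": {}},
}
# Same registry after xyz-0.0.2 has been published.
REGISTRY_T1 = {**REGISTRY_T0, "xyz": {"0.0.1": {}, "0.0.2": {}}}


def parse(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(version, spec):
    """True if version meets every space-separated clause, e.g. '>=0.0.1 <0.1.0'."""
    for clause in spec.split():
        op = next((o for o in (">=", "<", "=") if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause}")
        v, bound = parse(version), parse(clause[len(op):])
        if not {">=": v >= bound, "<": v < bound, "=": v == bound}[op]:
            return False
    return True


def resolve(root, registry, lock=None):
    """Pick the newest matching version of each package unless the lock pins it.

    Simplification (assumption): no backtracking; a conflict raises instead.
    """
    lock, chosen, todo = lock or {}, {}, [(root, ">=0.0.0")]
    while todo:
        name, spec = todo.pop()
        if name in chosen:
            if not satisfies(chosen[name], spec):
                raise LookupError(f"{name} {chosen[name]} conflicts with '{spec}'")
            continue
        matching = [v for v in registry[name] if satisfies(v, spec)]
        version = lock.get(name) or max(matching, key=parse, default=None)
        if version not in matching:
            raise LookupError(f"no usable version of {name} for '{spec}'")
        chosen[name] = version
        todo.extend(registry[name][version].items())
    return chosen


if __name__ == "__main__":
    lock = resolve("foo", REGISTRY_T0)  # first machine; this map is the lock
    print("unlocked, later:", resolve("foo", REGISTRY_T1))
    print("locked, later:  ", resolve("foo", REGISTRY_T1, lock))
```

A pinned version that no longer satisfies a package's declared range is rejected rather than silently installed, so the lock cannot mask a constraint violation.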

