kuno: around? [14:07] yes [14:10] kuno: you're the one who, in conversation about packaging and etc, expressed "but I like git checkouts for deployment, because complete and corresponding source!" right? :) yes! kuno: great! because I have a C&CS puzzle and I want to talk to you about my suggested solution. [14:11] and I love puzzles! kuno: like many web development projects, mediagoblin follows the really bad practice of "just check the javascript libraries into the source tree" kuno: this is bad for a variety of reasons. Reason 1 is that it bloats the source tree, obv [14:12] * kuno nods Reason 2 is it's usually a byte-compiled version of the project... actually proprietary if you aren't doing the C&CS side of things when you think about it! it's "standard practice" for webdev, but bad practice. kuno: the problem is made worse though, because most javascript libraries today aren't just "unpack and run" anymore [14:13] lots of them count on node.js to compile [14:14] an onerous requirement for someone doing drive-by contributions! Or really any contributor. kuno: so here's my thought on a solution, let's see what you think. I disagree on the onerous requirement part, but otherwise agree with your premise. kuno: so I am thinking maybe having a file like: http://pamrel.lu/48764/ [14:18] Title: Pamrel - 48764 (at pamrel.lu) and some python code that knows how to fetch and extract and move the binary version in to place [14:19] paroneayea: I think i'd be crazy to ignore the npm and bower repositories s/i/it/ but *at minimum* includes instructions on how to clone the repositories, but maybe even actually can build them with the c_and_cs part kuno: yes, those exist, but the problem is [14:20] users already have trouble with running into python's package manager with our stuff having them beat their head against 1000 unique package managers that's onerous :) * paroneayea exaggerating of course, we don't have 1000 deps, but you get it [14:21] *** pitanga (~rodrigo@fsf/member/pitanga) has quit: Read error: Connection reset by peer *** pitanga (~rodrigo@fsf/member/pitanga) has joined channel #mediagoblin [14:22] kuno: at minimum, I think this is an improvement over things as they are but it could be much better. paroneayea: yeah. I can see the argument that an end-user shouldn't need to have a javascript package manager installed to deploy mediagoblin, but then they also shouldn't need a python package manager really. You should ship those folks the full thing, all packaged and ready to go. kuno: yeah. I think the thing is, I want to hit all the major parts of the spectrum: - just install the package and all packages via system packager [14:23] - hack on mediagoblin version: mediagoblin's checkout, but then pull down prebuilt packages for the js deps and etc easy - full C&CS auditor mode! have at minimum the ability and full documentation on how to build the whole thing, top to bottom. [14:24] paroneayea: Implementing a half-hearted javascript package manager doesn't seem like a great solution. If you want to stay within the python ecosystem, can you not just package your deps for fanstatic? "for fantastic"? kuno: you mean make python eggs? :P paroneayea: there's all these javascript libraries on pypi, https://pypi.python.org/pypi/js.jquery/1.9.1 Title: js.jquery 1.9.1 : Python Package Index (at pypi.python.org) kuno: "yes you can" but it's really quite messy. [14:25] and they aren't well maintained. I did that at one point with a job's deps it turned into a nightmare. *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has joined channel #mediagoblin at the moment I just want something that untars things into a directory mostly since effectively that's what we have paroneayea: yeah, if you want well-maintained, you need to get these javascript packages from npm and bower :) right so this is intermediate land :) paroneayea: implementing a half-hearted javascript package manager which just pulls stuff from npm could be an option. The package description files are straightforward, and I expect the npm API to be similarly so. [14:26] *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has quit: Read error: Connection reset by peer kuno: maybe... but is probably a lot more work than just wget and untar. [14:27] while checking a hash *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has joined channel #mediagoblin kuno: but! [14:29] *** pitanga (~rodrigo@fsf/member/pitanga) has quit: Ping timeout: 246 seconds the thing I suggested above should be able to handle that. paroneayea: anyway, I need to get back to the dayjob. I'm going to think about this problem a bit more. [14:30] kuno: ok :) *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has quit: Read error: Connection reset by peer [14:31] kuno: at the very least, I feel from the conversation we just had that the ~solution I'm putting forward is "adequate enough", if not great, but much better than existing check into git "solutions" ;) *** pitanga (~rodrigo@fsf/member/pitanga) has joined channel #mediagoblin *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has joined channel #mediagoblin [14:33] *** pitanga (~rodrigo@fsf/member/pitanga) has quit: Ping timeout: 245 seconds [14:35] paroneayea: I guess my main issue with it is that you're duplicating metadata. I love metadata, but for javascript the existing package managers already have all the metadata you need (link to git source, authors and license fields, etc...) [14:36] *** pitanga1 (~rodrigo@200-153-132-135.dsl.telesp.net.br) has quit: Read error: Connection reset by peer kuno: well, in that sense [14:46] the real thing is we should be using a unified package manager and in that sense also I think davexunit is right in that we should maybe all be using guix instead of virtualenv and etc ;) paroneayea: guix/nix do seem really promising. I don't think end-users should have to deal with package managers though,.. [14:50] and for developers it seems perfectly OK to expect a python developer to have a python interpreter installed to run a package manager written in python and for a javascript developer to have javascript compiler or whatever installed to run a package manager written in javascript [14:51] kuno: yep, but as you see the problem is when python developers need to run javascript compilers ;) [14:52] and etc if you're a developer working on a project which has both python and javascript bits, is it really that much to ask that developer to have those package managers? (it's just a "sudo apt-get install npm") [14:53] kuno: it's a lot to ask them to *debug* all those things, and to have to run each package manager in turn. kuno: remember also how often python's package manager breaks [14:57] start adding more and more breakable language package managers and you're gonna have a bad time (also each one tends to take a really long time to run) so I do think it's onerous still paroneayea: right, but that's because python packages are notoriously bad about specifying the correct versions for their requirements ;) [15:00] kuno: not only! [15:01] kuno: we've had a good number of other types of errors: (this is less of a problem with npm because "npm install some-package --save" does the right thing by default, and you have multiple versions of the same dependency in the tree without conflicts or trouble) +can [15:02] *** azerus (~badass@unaffiliated/badass) has quit: Quit: Leaving... [15:04] paroneayea: in a mixed javascript + python project, it just seems arbitrary to call requiring one of the package managers an onerous requirement, while requiring the other package manager is perfectly fine. [15:08] kuno: it's a python project with javascript dependencies just as so is it a python project with C dependencies :) :) [15:09] there is a problem with my previous argument that end-users shouldn't be using package managers at all, which is that it increases the distance between developers and end-users. Which makes it more difficult for a curious end-user to tinker with stuff and become a developer. [15:10] in that sense I am in favour of improving our developer tools and package managers to such an extent that they could be used by an end-user. (but that seems impossible with the current state-of-the-art) [15:11] agreed there kuno