Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Package groups #1854

Open
c42f opened this issue Jun 9, 2020 · 10 comments
Open

Package groups #1854

c42f opened this issue Jun 9, 2020 · 10 comments

Comments

@c42f
Copy link
Member

c42f commented Jun 9, 2020

A recent discussion on discourse sparked the idea that some concept of "curated environments" / "package groups" might be useful. That thread introduced Numerics.jl which is a grab bag of somewhat unrelated packages which were useful to the author. As a trivial package which re-exports other packages, Numerics.jl doesn't doesn't contain any code and I think versioning it would be a bit of a nightmare! But the underlying idea makes sense if viewed as a curated environment or group of packages.

In particular, I could see it being useful for Julia beginners where they'd be able to take a standard curated environment and have all the packages relevant to their domain installed and ready to use. Perhaps as part of a base environment on top of which sub-environments could be built in the style of #1233

For handling versions, it might be possible to take a strict mixin-style approach: mixing in the curated environment would add the latest versions of packages in it using the usual version resolution declared in those packages. That is, the mixin could come without any version information in its own right, but just as a convenient grouping.

Several linux package managers have this concept as package groups

Related: pkg> env repl-mode discussion in #621

@PetrKryslUCSD
Copy link

I think the environment concept is orthogonal to which packages the user actually uses once she activated the environment. See also https://discourse.julialang.org/t/ann-numerics-jl-the-extended-standard-library/40694/41

@StefanKarpinski
Copy link
Member

#1856

@KristofferC
Copy link
Member

Who decides what goes into a group? For the Linux case I guess the maintainers of the distro set up these groups but for a case like General which is contributed to by users, I feel like it can easily lead to a lot of "my favorite package bundles" with a bunch of close copies of groups.

@StefanKarpinski
Copy link
Member

That’s why in my proposal metadata sources are external (everyone can have their known if they want to), and users create policies that compute an allow/ask/deny for each package version based on some function of metadata sources.

@PetrKryslUCSD
Copy link

PetrKryslUCSD commented Jun 9, 2020 via email

@StefanKarpinski
Copy link
Member

The user is not being asked to inspect curation metadata, that would be done automatically.

@PetrKryslUCSD
Copy link

PetrKryslUCSD commented Jun 9, 2020 via email

@StefanKarpinski
Copy link
Member

I don't want to seem churlish here, but have you read #1856? Anyone who wants to produce curation metadata could do so an people would choose which curation metadata and trust policies they're interested in using. It would make sense to ship a simple but reasonably safe default policy with the default Julia install.

@PetrKryslUCSD
Copy link

PetrKryslUCSD commented Jun 9, 2020

Well, I do apologize if I missed it, but yes, I read #1856, and this was left open. Who will vet the providers of curation data? Unless one can trust the provider of this information, the whole scheme is suspect. Right now I trust Julia registry implicitly, but if I am given a choice and I have to make this decision on the fly (so to speak), doesn't the need to trust in arbitrary provider of curation data leave me open to attack? (And, yes, I realize that someone might register a malignant package right now, but the point is, if I have to trust too many sources based on limited information, I am in trouble.)

@c42f
Copy link
Member Author

c42f commented Jun 10, 2020

Who decides what goes into a group?

Anyone — a user could want their own locally named groups for convenience, or we could have a way to serve these (in which case #1856 comes into play).

I don't mean to open a can of worms here regarding how one trusts a given curated environment and the exact mechanism by which that trust is conveyed. That seems a somewhat separate issue from whether having a group abstraction is a good thing in the first place.

With that in mind, I'll rename this issue to "package groups" as one can have a local version of a group abstraction without any trust issues at all (unless you don't trust yourself :-) )

@c42f c42f changed the title Curated environments / package groups Package groups Jun 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants