1. 9
  2. 7

    https://buckaroo.pm/posts/a-response-to-accio-dependency-manager A Response to “Accio Dependency Manager”

    1. 3

      You could, as a prototype, upload a bunch of C++ source code in npm packages right now and nobody would stop you. (You might stop yourself.)

      1. 2

        This would work, but you would need a convention as to how to build the code.

        1. 1

          Where I was going with that is that, if you wanted to make a prototype right now, it’s a possibility.

          There is a project which does roughly as you say. react-native libraries distribute obj-C + java code with some conventions for how to build them, inside npm packages.

          1. 1

            Yes, I have used those with React Native before. It is very brittle!

      2. 1

        looks like a dream

        1. 1

          If it’s orthogonal to build systems, how is it really a ‘C++’ dependency manager? And why not just use a ‘language-agnostic’ dependency manager, such as Nix, which will happily fetch either source or binary dependencies, including a C++ compiler, and also exists.

          1. 1

            Unfortunately, C++ libraries do not compose arbitrarily. The ABI of a C++ library depends on many factors:

            • compiler
            • language standard (C++11 and onwards use a different string implementation for instance)
            • exception support
            • Runtime type information support
            • architecture specific options
            • non-standard optimizations (e.g. -ffastmath, -fomit-frame-pointer)
            • symbol visibility options (e.g. -fdefault-visibility=hidden)
            • threading related flags (some libraries provide a thread safe implementation only if -pthread)

            Furthermore many libraries are “configurable” (OpenCV has around 200 different options). Every option may affect the public API and the ABI of a library.

            Given the amount of options, binaries become a gamble (is the binary using the exact combination of options I need?)

            If you attempt to build from source you need to find the set of compiler-flags that is compatible with all your (transitive) dependencies. This is an SAT problem in itself.

            Once this is done you still might hit problems like symbol collisions that you need to resolve by isolating libraries (e.g. the r3 library ships with a different malloc implementation and is in conflict with another library's malloc).

            Isolation can be accomplished by manual name-mangling, or by using a version-script and compilation into a shared library.

            The fact that (transitive) dependencies affect the way you build your application makes package management not orthogonal.

            1. 1

              Given the amount of options, binaries become a gamble (is the binary using the exact combination of options I need?)

              This is not a problem in Nix, because each ‘output’ is given a unique hash based on its inputs, so if you build a package with a different compiler, or on a different platform or with different configuration options, you will get a different hash and Nix won’t consider the resultant binaries a valid substitution for anything which depends on a different set of inputs.

          2. 0

            A sane versioning scheme […] That was easy.

            No, semver is probably not the final solution.

            From what I understood one problem is when you want to order versions. For example, you specify a dependency as “>=2.7”. Now is that condition fulfilled for “2.7-beta”? Is “2.7-beta” earlier or later than “2.7-rc3”?

            Also, there is CalVer which uses dates. Example: Ubuntu 18.04 (meaning April 2018). Also ComVer, a simplified SemVer.

            1. 3

              Semver uses 3 .-separated decimal numbers. -rc3 isn’t semver.

              1. 2

                Exactly. If you want to use a beta or rc release, you should vendor it or select a git commit, as in Cargo.

                1. 2

                  -rc3 isn’t semver, because it should be -rc.3, see SemVer#9. SemVer has rules governing pre-releases.

                2. 2

                  There’s also ConVer (content versioning) which uses git commit hashes, although the fact that I can no longer find a link to the site/article probably speaks to how popular that idea is.

                  1. 2

                    In practice, the answer to those questions is no, and earlier respectively.

                    And there is work on making those things official: https://words.steveklabnik.com/what-s-next-for-semver

                    1. 2

                      SemVer#11 lists the ordering. >= 2.7 is not satisfied by either of your examples. As for their ordering, 2.7-rc.3 > 2.7-beta.1, as specified by SemVer.
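
The pre-release ordering discussed in this thread, as an added example that is not part of any comment or of the linked article: a Python comparator following the precedence rules of SemVer 2.0.0 item 11. The function names are hypothetical, and the thread's "2.7" is written as "2.7.0" because SemVer requires three numeric parts.

```python
import re
from functools import cmp_to_key

# MAJOR.MINOR.PATCH, optional -pre.release, optional +build (ignored for ordering).
_SEMVER = re.compile(
    r"(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?"
    r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?",
    re.ASCII,
)

def parse(version):
    """Return ((major, minor, patch), [pre-release identifiers]); reject non-SemVer input."""
    m = _SEMVER.fullmatch(version)
    if not m:
        raise ValueError(f"not a SemVer 2.0.0 version: {version!r}")
    pre = m.group(4).split(".") if m.group(4) else []
    if any(p.isdigit() and len(p) > 1 and p[0] == "0" for p in pre):
        raise ValueError(f"numeric identifier with leading zero: {version!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3)), pre

def _cmp_ident(a, b):
    if a.isdigit() and b.isdigit():
        a, b = int(a), int(b)            # numeric identifiers compare as integers
    elif a.isdigit() != b.isdigit():
        return -1 if a.isdigit() else 1  # numeric sorts below alphanumeric
    return (a > b) - (a < b)             # otherwise plain ASCII order

def compare(v1, v2):
    """Return -1, 0 or 1 by SemVer precedence."""
    (core1, pre1), (core2, pre2) = parse(v1), parse(v2)
    if core1 != core2:
        return -1 if core1 < core2 else 1
    if not pre1 or not pre2:
        # A plain release outranks every pre-release of the same core version.
        return bool(pre2) - bool(pre1)
    for a, b in zip(pre1, pre2):
        if (c := _cmp_ident(a, b)):
            return c
    # All shared identifiers equal: the longer pre-release list ranks higher.
    return (len(pre1) > len(pre2)) - (len(pre1) < len(pre2))

def satisfies_gte(version, minimum):
    """True if `version` meets a '>= minimum' constraint under strict precedence."""
    return compare(version, minimum) >= 0

def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare))
```

The dot matters: `rc.10` ranks above `rc.3` because the number is compared numerically, while `rc10` ranks below `rc3` as an ASCII string.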