1. 6

I was using luarocks, in my lua project, but the problem was luarocks isn’t like npm, where you install dependencies via dependencies. Also luarocks install command doesn’t support semver operators like >, >= etc.

So based on luarocks, I am working on an npm-like packager, which basically installs packages using luarocks. This is very nascent, pre-alpha at best.

More functionalities:

  • especially semver character support needs to be added.
  • adding support for using any kind of existing installer like luadist and not only limit it to luarocks.

I would like to hear some feedback from you guys. Thanks :)


  2. 18
    • More software = more entropy.
    • Package managers are hard.
    • NPM has some anti-features, so just because it has a feature doesn’t mean it’s a good idea.

    Lua needs more packages and Luarocks needs help. Hisham does most of the work, it sure would be nice if others helped him. Starting from scratch is fun, but just adds entropy.

    1. 12

      Seriously echoing this: luarocks has its issues but “it isn’t npm-like enough” is not one of them. Please consider working together instead of fragmenting effort.

      1. 1

        Hisham has been openly antagonistic (or forcefully oblivious) to security concerns. The late addition of https to the rocks server was something. Having some competition in the package system is a good thing.

        1. 1

          Please don’t spread fear/uncertainty/doubt. Hisham is doing a lot of work, and I’m sure a well-wrought PR would be welcome. Drive-by claims of insecurity are less likely to be immediately embraced.

          1. 2

            Luarocks was run for years over bare http, and no signatures on the packages. I talked with Hisham about this at one of the yearly Lua meetings. He basically said, “we have https now, what is the big deal?” I told him I could have rooted everyone at the LuaConf with a wall of sheep attack on luarocks. He shrugged. I hope he has come around, because I love Lua and LuaRocks is pretty damn awesome (enough) in every other way. Well except not having per project environments and native code and …

            1. 2

              What is a “wall of sheep attack”? Googling it refers to a group(?) at Defcon…

              1. 1

                Luarocks was run for years over bare http, and no signatures on the packages.

                And no checksums? I agree that’s concerning.

      2. 13

        Right off the bat, you list Lua 5.1 as the apparent minimum version, but parser.lua is using a Lua 5.3 operator. On top of that, you are overloading the operator to append to a table when there’s already a function to do that, and it doesn’t require a bogus assignment to function.

        My second reaction is “why JSON?” Luarocks uses Lua, but now I have to keep metadata in two formats?

        1. 4

          Thanks for pointing things out. After reading all the comments, I have some more insight.

        2. 8

          luarocks isn’t like npm, where you install dependencies via dependencies

          What does this mean? When you install a rockspec, it installs its dependencies. If you only want the deps (e.g. for local development), you can luarocks install --only-deps. Since version 3, LuaRocks supports local directory development à la npm with luarocks init. What is missing?

          (I know and use both package managers.)

          1. 5

            While I applaud your effort to fix some (perceived?) problems I am not sure this is the right way.

            There are several “problems” in lua land.

            • While luarocks is the de-facto package manager, it’s a long shot from “90% of projects use it”
            • it’s not perfect
            • lua with its multiple versions (lua, luajit) is a bit of a different beast than most language ecosystems

            If your only problem is semver, did you try submitting a patch to luarocks? I’ve only participated in a few meetings of Lua users at FOSDEM (it’s a small ecosystem) but Hisham appeared quite approachable and open to accepting help or at least providing advice regarding luarocks.

            Also, package managers are only good if software is packaged in them - so you need the ecosystem to work with you or you end up having to “package” all the software yourself. Or provide metadata files for them.

            And while this may have sounded overly negative and discouraging, multiple package managers is a real problem and there should be good reasons to try to replace the standard one. I don’t see real problems with luarocks, but YMMV

            1. 2

              I clearly understand your concern. Thanks for the feedback. I will look into this.

            2. 4

              Thanks for the fish! What about reaching the luarocks guys to discuss that with them directly? Having multiple ways of doing the packaging tends to split the efforts and / or double them.

              1. 3

                the problem was luarocks isn’t like npm

                I wouldn’t call this a problem, more of a benefit. :-)

                On a more serious note, could you expand on what you would expect luarocks to do vs. what it currently does? As someone not familiar with luarocks, it’s hard to understand where you are coming from.