From: Mark H Weaver
To: "Jose A. Ortega Ruiz"
Cc: guile-devel@gnu.org
Newsgroups: gmane.lisp.guile.devel
Subject: Re: summer of code ideas
Date: Mon, 07 Mar 2011 20:10:01 -0500
Message-ID: <87oc5mxvrq.fsf@netris.org>
In-Reply-To: <87vczur5cf.fsf@gnu.org> (Jose A. Ortega Ruiz's message of "Mon, 07 Mar 2011 22:25:04 +0100")

"Jose A. Ortega Ruiz" writes:

>>    (use-modules (url://a-url.com library module #:optional a-rev-number))
>
> FWIW, i think this is a bad idea. It intermingles two concerns that are
> orthogonal, namely installing a package and using it.

I very strongly agree with jao. Systems like this, e.g. Python Eggs, have been a major headache for distributions to deal with. Debian actually takes the time to disable this automatic downloading and installing functionality from their Python packages, and I'm glad for it.

I am very security conscious, and the thought of software being automatically installed "on-demand" from untrusted sources when I run a program, or maybe even when I first use some particular functionality of that program, is very disconcerting.

Maybe not everyone wants this, but as a Debian and gNewSense user, I want my distribution to be an intermediary for most of the software I use. I trust them more than I trust most upstreams to ensure that the software has been somewhat vetted for license issues, security problems, anti-features, etc. I want my distribution to be able to modify the packages as necessary to make them work well together and with the rest of the system.
I also want experimental distributions to be able to make significant changes to packages to fit within their new ideas of how the system should be set up.

Furthermore, there are many thorny issues involved with package management that are very hard to get right, and most of the new crop of language-specific package systems like this are half-baked at best.

For example, how do you ensure security? Debian has a reasonably well thought out system for using digital signatures for this. How will we handle it?

Also, how will we handle versioning? It is very hard to do this properly. Sometimes you want the cutting-edge version of something, and sometimes you want stability. It is not enough to simply designate a stable version of each individual package. A stable system requires that all the individual pieces have been tested together as a whole, as is done in Debian and other distros. How will we handle it?

I don't mean to be a wet blanket, because I can certainly see the appeal of a system like this, but let's please be careful not to repeat the many mistakes that other similar systems have made. It is a very thorny problem.

Regards,
Mark