From mboxrd@z Thu Jan 1 00:00:00 1970 From: John Darrington Subject: Re: Giving up on RubyGems Date: Tue, 20 Oct 2015 16:18:24 +0200 Message-ID: <20151020141824.GA21980@jocasta.intra> References: <87eggpya7p.fsf@izanagi.i-did-not-set--mail-host-address--so-tickle-me> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Dxnq1zWXvFF0Q93v" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:39697) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZoXka-0005Ig-7J for guix-devel@gnu.org; Tue, 20 Oct 2015 10:18:55 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZoXkU-0007Pa-3j for guix-devel@gnu.org; Tue, 20 Oct 2015 10:18:52 -0400 Received: from de.cellform.com ([88.217.224.109]:41771 helo=jocasta.intra) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZoXkT-0007NN-MM for guix-devel@gnu.org; Tue, 20 Oct 2015 10:18:46 -0400 Content-Disposition: inline In-Reply-To: <87eggpya7p.fsf@izanagi.i-did-not-set--mail-host-address--so-tickle-me> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: David Thompson Cc: guix-devel@gnu.org --Dxnq1zWXvFF0Q93v Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable You got a lot further than I did. I gave up when ruby refused to run if $HOME did not match the entry in /etc= /passwd The Ruby maintainers insisted that my environment was "broken" if HOME was = ever set to anything else. :( On Tue, Oct 20, 2015 at 08:51:22AM -0400, David Thompson wrote: Hello Guix hackers, =20 As some of you know, I've been working on Ruby support for Guix for about a year now. In that time, I helped write and rewrite a Ruby gem build system, wrote an importer for , and packag= ed many Ruby gems. =20 At various points, I've had my doubts about the gem archives hosted on the RubyGems website: Are they source code? Are they binaries? After= a good deal of debate, we came to the conclusion that they are source code. This seems to be the case when you inspect any given gem. The Ruby source code is there, and so is the C source code needed for nati= ve extensions when there is a native extension to be built. Furthermore, the RubyGems website says that, among other things, gems should contain "code (including tests and supporting utilities)." [0] =20 However, it has become clear that the RubyGems maintainers do not actually feel this way. From their perspective, gems are binaries, not source code. I discovered this once I noticed that several popular Ru= by gems such as Arel do not, and refuse to [1], ship the test suite in their releases. This is because they view gems as binaries that need = to be as slim as possible, containing only necessary runtime files, to cut down on bandwidth usage and storage space. Unfortunately, they have no notion of a source package that corresponds to a given binary. =20 In practice, I've found that all the gems I've packaged come with sour= ce code and no binaries, they might just be missing the test suite. So, I asked the RubyGems maintainers to consider the use-cases for including test suites, which spawned a large thread on their GitHub page yesterday. [2] The end result is this depressing quote: =20 Yes, gems are effectively binary packages delivered to end-users. Some gems contain ruby source code, some contain pre-compiled binaries, some contain both. The internals of a particular gem aren't relevant from the perspective of RubyGems itself. =20 As has been pointed out here, RubyGems does not provide packages containing gem source code. To be honest, RubyGems as a system does not care about gem source code???it accepts .gem files from gem authors, and distributes those files on request. Any gem author who wishes to provide a link to the source code used to produce a gem = is welcome to use the gemspec metadata fields to do so. =20 I've grown very tired of trying to convince people that independent us= er verification of binary releases is an important thing to prioritize, b= ut they think that users do not want the source code. I've tried to make my arguments as clear as I could, yet they've been misunderstood by so= me and rejected entirely by others, and now it is time to give up. I don= 't know what the best way forward for Ruby support in Guix is. Things li= ke the RubyGems importer seem useless now. Just downloading release tarballs from GitHub doesn't work without major hacks because almost every gem (thanks to a terrible script in Bundler that generates boilerplate for new gems) relies on running 'git ls-files', which of course requires a Git commit database, in order to build at all. This won't do because the '.git' directory is non-deterministic when running 'git clone', as many of us know. The entire stack, from the build system to the package management system are broken and are effectively beyond repair because no one else believes that there are problems. This effort has drained too much of my enthusiasm, and now I need a break. =20 Sorry if this comes across too ranty and complainy, I suppose it is both. I hope your hacking is happier than mine. =20 --=20 David Thompson GPG Key: 0FF1D807 =20 [0] http://guides.rubygems.org/what-is-a-gem/ [1] https://github.com/rails/arel/issues/384 [2] https://github.com/rubygems/rubygems/issues/1364 =20 =20 --=20 Avoid eavesdropping. Send strong encryted email. PGP Public key ID: 1024D/2DE827B3=20 fingerprint =3D 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. --Dxnq1zWXvFF0Q93v Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlYmTTAACgkQimdxnC3oJ7OhUQCghwiIpbGNYvSUGf7/25M0E6Oo JDcAnjklOFYuQ3hfz2WT4NfqdyIsWAeG =By1S -----END PGP SIGNATURE----- --Dxnq1zWXvFF0Q93v--