On 12/13/2016 2:35 PM, Nicolas Kovacs wrote:
> That's why I'm running Slackware on most of my systems.

that doesn't solve the issue of various FOSS projects using all kinda whacky build toolkits and requirements.

one tool I wanted to build a few weeks ago depended on common lisp.

another package I wanted to play with required this whole complex python infrastructure which I'd never seen or heard of before (I'm not a python dev although I can follow bits of code, and even make minor changes), and the build commands in that infrastructure were pulling in source packages from various servers all over the world, which kinda scared me from a security standpoint.

-- 
john r pierce, recycling bits in santa cruz

On Tue, December 13, 2016 5:09 pm, John R Pierce wrote:
> On 12/13/2016 2:35 PM, Nicolas Kovacs wrote:
>> That's why I'm running Slackware on most of my systems.
>
> that doesn't solve the issue of various FOSS projects using all kinda
> whacky build toolkits and requirements.
>
> one tool I wanted to build a few weeks ago depended on common lisp.
>
> another package I wanted to play with required this whole complex python
> infrastructure which I'd never seen or heard of before (Im not a python
> dev although I can follow bits of code, and even make minor changes),
> and the build commands in that infrastructure were pulling in source
> packages from various servers all over the world, which kinda scared me
> from a security standpoint.

That is inevitable: some of the tools/projects to work may require you to bring a huge external infrastructure if you want to use them. This has no way around.

Another thing is: when building of the project (libraries, binaries, etc) requires sophisticated infrastructure that is not necessary after you built it. This and only this is what I meant when mentioned FreeBSD pkg and poudriere for building custom configured packages - you only need that infrastructure when building (on build box in build jail...).

But in general, yes, the world seems to have gone the way "why simple, when you can do it complex way". I guess I should have added rant tags...

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On 12/13/2016 03:21 PM, Valeri Galtsev wrote:
> Another thing is: when building of the project (libraries, binaries, etc)
> requires sophisticated infrastructure that is not necessary after you
> built it.

Yes, that's why I mentioned nodejs. A rather cool JavaScript project didn't do quite what I wanted, but to modify it I had to install some nodejs environment that was used to "build" the JavaScript and had to be re-run for any tweak to the components and always built a rather large JavaScript file even minified.

I ended up just scrapping it and writing my own even though it's not as flexible, and I'm still trying to figure out how requiring a node setup is a good idea to require for generating a static file. But that's the trend.

Hello Valeri,

On Tue, 2016-12-13 at 17:21 -0600, Valeri Galtsev wrote:
> That is inevitable: some of the tools/projects to work may require you to
> bring a huge external infrastructure if you want to use them. This has no
> way around.

The point is not that one requires (many) tools to build a project, the problem is that tools like f.e. composer make it unclear to the user what exactly is being pulled from where and for what reason and whether the pulled sources are being verified with checksums.

Just providing a text with a set of requirements and urls makes it much easier for the user to verify the sources. It's about transparency.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
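
Added example, not part of the original thread or of any project named in it: one way to audit the kind of plain-text requirements list described in the last message, checking each source against a pinned SHA-256 before a build uses it. The manifest layout, file names, URLs and archive bytes are all constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample data: bytes standing in for already-downloaded archives.
FETCHED = {
    "libfoo-1.2.tar.gz": b"constructed libfoo archive bytes",
    "barutil-0.9.tar.gz": b"constructed barutil archive bytes (tampered)",
    "bazlib-3.1.tar.gz": b"constructed bazlib archive bytes",
}

# Constructed manifest (assumed layout): "<file> <url> <sha256>" per line.
MANIFEST = """\
# file               url                                         sha256
libfoo-1.2.tar.gz    https://example.org/src/libfoo-1.2.tar.gz   {good}
barutil-0.9.tar.gz   https://example.org/src/barutil-0.9.tar.gz  {other}
bazlib-3.1.tar.gz    http://example.net/src/bazlib-3.1.tar.gz
quux-2.0.tar.gz      https://example.org/src/quux-2.0.tar.gz     {other}
""".format(
    good=hashlib.sha256(FETCHED["libfoo-1.2.tar.gz"]).hexdigest(),
    other=hashlib.sha256(b"constructed barutil archive bytes").hexdigest(),
)


def audit_manifest(manifest_text, fetched):
    """Return {file: [findings]}; an empty list means the entry verified."""
    report = {}
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            report[line.strip()] = ["malformed entry"]
            continue
        name, url = fields[0], fields[1]
        pinned = fields[2].lower() if len(fields) > 2 else None
        findings = []
        if urlparse(url).scheme != "https":
            findings.append("url is not https")
        if pinned is None:
            findings.append("no checksum pinned")  # nothing to verify against
        elif name not in fetched:
            findings.append("file not fetched")
        elif hashlib.sha256(fetched[name]).hexdigest() != pinned:
            findings.append("sha256 mismatch")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_manifest(MANIFEST, FETCHED).items():
        print(name, "OK" if not findings else "; ".join(findings))
```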