nimforum mirror - "real" nim package registry roadmap?

OmegaTree (orginal) [2018-03-23T23:58:11+01:00] view original

Hi all, I'm new to Nim. Is there any reason why nim doesn't have a true package registry? how do you guys ensure that a posted package in the nim packages list wont get deleted by the github owner? I don't feel comfortable being dependent on projects that may disappear on me. Is a real registry on the roadmap? btw Thanks creating a wonderful language.

monster (orginal) [2018-03-24T11:02:19+01:00] view original

Your post rates high on the “troll” level. Nimble is maintained by a core Nim developer. And I’d probably be insulted at your comment if it was me.

dom96 (orginal) [2018-03-24T13:25:49+01:00] view original

Hrm, I don't consider this post to be insulting. It's a valid concern. Why do you think it's insulting?

We will eventually have an official package repository, but the idea behind Nimble's design is to be decentralised at its core, the official repo will just be another mirror for packages. Nimble uses Git/Hg so you can install from any Git or Mercurial URL. On GitHub, if you want to be sure that a package doesn't disappear, just fork it.

cumulonimbus (orginal) [2018-03-25T09:47:27+02:00] view original

I assume OP is referring to the "leftpad" case, in which pulling one one-line package out of NPM caused hundreds of other NPM packages (and thousands of projects that built right off NPM) to stop working. This is a problem with NPM, not with package management in general - CPAN, CRAN, CTAN, Anaconda, PyPI and others have been active for years and even decades with no such mishaps.

Packages in any registry, however "real", can disappear because of security or legal reasons.

Nimble is way ahead of the game, in that hosting your own copy is a "git clone" away, and this should (in my opinion) be the recommended way to use it.

monster (orginal) [2018-03-25T13:04:43+02:00] view original

@dom96 Well, if I spent some of my personal time maintaining a project that directly benefited, and was relied on by, most, if not all, of the community, and someone walked in and told me that what I do is not true/real, and that they don't trust me anyway, I would be annoyed. I guess I'm over-sensitive, but that post surely could have been expressed in a more tactful way (another thing I'm not good at, either).

federico3 (orginal) [2018-03-26T11:30:21+02:00] view original

Packages in any registry, however "real", can disappear because of security or legal reasons.

The current registry requires merge approval to remove a package. This can be used to prevent "leftpad"-like disastrous takeovers.

StasB (orginal) [2018-03-26T11:56:50+02:00] view original

@monster: It looks like he's talking about there not being a central mirror for nimble to pull packages from. He's worried about the possibility of the author of a package deleting their own repo at any time without warning, silently breaking everything that relies on it. I don't know if this worry is actually justified, but I don't think he was implying that nimble is not a "real" package manager.

refobj (orginal) [2018-03-26T16:44:06+02:00] view original

I sometimes see hostile responses in nim-forum. I think it will not help expand the community.

doofenstein (orginal) [2018-03-26T17:50:00+02:00] view original

I sometimes see hostile responses in nim-forum. I think it will not help expand the community.

In movies, theres often a part where the heroes struggle and go apart. I think this is a similar situtation. But like in the movies overcoming the struggles make the heroes stronger and win in the end. Of course this isn't a movie and the heroes might never overcome their obstacles and thus never win. But it's probably better if something is discussed, even if it's not in the best imagineable way, then not.

mashingan (orginal) [2018-03-26T18:43:46+02:00] view original

When one doing development with dependency packages, those will be cloned locally. Even if there's a chance of authors of those package suddenly deleting their packages, you can still do your development. It's not affected.

When there's change, handle it. It's like that too in another languages.

timothee (orginal) [2018-03-31T10:39:03+02:00] view original

maybe we could do the same as done in dub (for D): eg https://github.com/dlang/dub-registry/blob/master/source/dubregistry/mirror.d

still decentrallized but allows for multiple mirrors; dub install foo will try different mirrors until the command succeeds. It helped stabilize installs as servers do go offline once in a while. eg:

registry at https://code.dlang.org/ (fallback ["registry at http://code.dlang.org/", "registry at https://code-mirror.dlang.io/", "registry at https://code-mirror2.dlang.io/", "registry at https://dub-registry.herokuapp.com/"])

Libman (orginal) [2018-03-31T21:06:55+02:00] view original

Random thought: IPFS

Mirror of forum.nim-lang.org

3682 :: "real" nim package registry roadmap?