Anyone interested in "package versioning"?

Robert Smith quad at symbo1ics.com
Thu May 19 12:28:39 UTC 2016


Inline clarifications.

On Thursday, May 19, 2016, Stelian Ionescu <sionescu at cddr.org> wrote:

>
>
> I don't mean any other language, but I do mean any other relatively modern
> one. Rust, JavaScript, Clojure are maybe some examples off the top of my
> head.
>
>
> Hans gave a good example about Clojure. Javascript, with Node.js/npm, is
> in an even worse position.
>
>
>
> Either modules are somehow first class (by way of having
> modules-as-function-dictionaries), or the respective
> packaging/loading/whatever systems will at least let you know that about
> unsatisfied/mismatched versions.
>
> I think in light of this discussion you can boil down one's opinion on
> this matter to one of three alternatives:
>
> 1. Lisp+ecosystem and associated libraries are problematic in that it's
> not possible to load multiple versions of a library due to the way CL
> packages work. (Packages or systems aren't first-class modules. Namespace
> names are global and aren't late-bound.)
>
>
> Hans described the QA problem with loading two versions of the "same"
> library in the same process: if data structures from one version are fed
> into the other version, all sorts of problems can happen, and worse, they
> can happen without noticing. Think of what can happen if the semantics of a
> string or integer slot changes.
>
>
>
 See below.

> 2. There's something like a SocialProblem (TM) where Lispers lack (a)
> versioning discipline, (b) dependency versioning discipline which
> exacerbates issues like inadvertent multiple loading, or incompatible
> loading of libraries.
>
>
> Semantic versioning won't help you without automatic tools to determine if
> the API of a library changed in an incompatible way, e.g. if a function
> removed a keyword arg, or changed the type of an existing arg.
>
>

I would say that semvers should in principle help you detect
incompatibilities, but as you hinted with "illusion", maybe these in
practice can't be trusted or relied upon generally.


>
>
> 3. There's actually no issue in principle: inconsistencies need to "just"
> get fixed by the library vendor/user, or better tooling needs to be used to
> track your project's direct and transitive dependencies.
>
> It's my personal opinion, as is evident in previous messages, that I think
> 1 & 2 are issues.
>
>
> You didn't give an example of how exactly those two things are a problem,
> and how adding those features would solve the problem(s).
>

#1: Assuming that there isn't incompatible passing of data, if A depends on
B1 and C depends on B2, and in isolation A-B1 works/passes tests, and C-B2
works/passes tests, then A-B1 and C-B2 loaded together (assuming a
non-existent Lisp) should work fine. The problem being addressed is lack of
synchrony in the universe of Lisp modules.

(My first-order thought is that even incompatible data wouldn't be an issue
if those data types are properly encapsulated in classes or structures, by
virtue of the fact that those types become distinct by way of different
names. I envision that only untyped things could cause problems, like
[ap]-lists, strings, etc.)

#2: If there was diligence is properly versioning libraries, and diligence
in specifying dependency version requirements, then detection of issues
could happen. This is solving recognition of a possible issue.



>
>
> Some additional food for thought:
>
> * Lisp is old. Some libraries go back to the 80s.
>
> * Not everything is very strictly maintained. Some useful libraries
> haven't been updated for some 5-10 years.
>
>
> What useful libraries that actually need updates haven't been updated ?
>

I'll get back to this when I'm at my computer next.


>
>
> * Like many other languages, Java is continuously updated, and as are the
> libraries of its large standard set. While Java/etc libraries certainly can
> and do depend on third party libraries, the majority of depended-on
> libraries are standard ones. This is obviously not the case for Lisp.
>
>
> Just look into Maven packages. Large parts of the Java standard library
> are obsolete and people use third party libraries(just like with CL). In
> some cases those libraries make it back into the standard(
> http://www.joda.org/joda-time/), but that's rare.
>
>
>
> * Because library distribution wasn't a relatively solved problem until
> recently in Lisp history, some library authors unfortunately include copies
> of Lisp libraries as a part of their library tree.
>
>
> That's very rare, in my experience. Do you have examples ?
>
>
>
> * Hot patching libraries makes this all a ton more complicated in
> principle.
>
>
> Where did you see this?
>
>
>

For these last two questions, I don't have the examples off hand and
unfortunately it was at a company I no longer work at.

Including: ALEXANDRIA has been included directly before. I don't remember
which library it was. I only detected it because of function redefinition
warnings on first uncached build.  There were other examples but I don't
recall.

Hot Patching: I think (??) some linear algebra library was being hot
patched for some specific use of that library.

* Visible libraries are global to the entire Lisp universe. (Unlike Python
> where you can, just within a file, import and late-bind a namespace.)
>
> * Tangential: the whole name/nickname collision issue. Package-local
> nicknames are a language extension which could solve this, even if not
> (yet?) universally used.
>
>
> Local nicknames would make certain things more convenient, but what does
> that have to do with the original question, versioning ?
>
>
It was tangential to packages and names of things.


>
>
> Making it easier to work in this large, old, and diverse ecosystem of
> implementations and libraries seems important to me, and versioning is one
> useful and tangible way to make things easier.
>
> Robert
>
> On Wednesday, May 18, 2016, Scott L. Burson <Scott at sympoiesis.com
> <javascript:_e(%7B%7D,'cvml','Scott at sympoiesis.com');>> wrote:
>
> I don't understand when you say this is "not an issue that one runs into
> writing in another language and associated ecosystem".  AFAIK, in Java, you
> can have only one version of a given package loaded into the JVM at any one
> time.  Am I missing something here?
> -- Scott
>
> On Wed, May 18, 2016 at 11:41 PM, Robert Smith <quad at symbo1ics.com> wrote:
>
> I really honestly felt that this rebuttal was very unhelpful. I basically
> got from it:
>
>    - Lisp isn't designed for this kind of use.
>    - Since Lisp wasn't designed for this, the problem is not Lisp, it's
>    your use of Lisp.
>    - To solve the problem (which is not Lisp's), fix (third party)
>    inconsistencies yourself. Because it's not a Lisp problem, two systems
>    depending on two Lisp-simultaneous-incompatible versions of a system is a
>    problem. (Even though each system+dependency combination is perfectly valid
>    in isolation.)
>    - Or, in the end, change your entire operating system to a completely
>    different one with completely different philosophies.
>
> This kind of response is just very practically a non-starter for most
> people. Maybe that means Lisp isn't the right tool for much of the world,
> like startups, then. Which advances my point, I think, in the original
> Quora post. (But I admit this thread is about package or system versioning,
> not the original Quora point.)
>
> I wrote some stuff inline below.
>
> On Wed, May 18, 2016 at 10:14 PM, Faré <fahree at gmail.com> wrote:
>
> On Wed, May 18, 2016 at 5:49 PM, Robert Smith <quad at symbo1ics.com> wrote:
> >
> > On Wed, May 18, 2016 at 4:57 AM, Alessio Stalla <alessiostalla at gmail.com
> >
> > wrote:
> >>
> >> The stance on packages found in the mentioned Quora post is based on the
> >> old misconception about packages being modules, or "software packages"
> in
> >> the Linux distribution sense. They're not. They are really just
> namespaces,
> >> containers of symbols. So it does not make any sense, to me, that they
> have
> >> versions. Software has versions, not names.
> >
>
>
> > Systems are what should get versioned but systems are not what are
> referred
> > to by source files. Systems largely coordinate the compilation and
> loading
> > of files. Source files generally have no notion of a system, actually,
> which
> > may be what is ultimately problematic. Packages are referred to by source
> > files, however. When I said packages, I meant it, and it was not a
> > conflation with the notion of a system.
> >
> Why should source files know about systems?
> Why should packages know about systems?
>
>
>
> Maybe they should, maybe they shouldn't. But the crappy
> packages-as-namespaces system isn't cutting it for large programs, and
> modules usually naturally have an associated namespace, but there's no
> formal correspondence between packages and systems. But more often than not
> there is an implicit association, judging by how most modern Common Lisp
> libraries are written. So maybe there's value in taking advantage of that
> correspondence.
>
>
>
> > At the companies I have worked in, we rake in 100s of systems, which
> consist
> > of n*100s of systems where n is the average number of packages per
> system.
> > These version collisions happen enough, and we are lucky when they're not
> > silent.
> >
> Was it in CL? Was it all in the same process? CL is not designed for
> these kinds of things.
>
>
>
> CL in the same process.
>
> CL very clearly wasn't designed for a time where 100s of packages would be
> available and simultaneously usable.
>
> But I'm not ready to concede and say "well, Lisp is only good for five or
> six massive packages or systems written by a few guys, like the good ol'
> days".
>
>
>
> > Often enough, it's an extremely subtle issue that system A depends
> > on {system B at time T1} and system C depends on {system B at time T2},
> > where T1 and T2 correspond to different versions of system B, even if not
> > explicitly labeled as such.
> >
> A and C are incompatible. You need to fix A, B and/or C.
> The build system can record this incompatibility and issue an early error
> when you try to build them together. It can't fix A, B and/or C for you.
>
>
>
> A and C are incompatible only because of this whole thing we are talking
> about. Obviously they're incompatible. That's the whole problem. Saying
> "Fix A, B, C" is, to me, declaring that this whole thing isn't a problem,
> and the problem is library writers. Why can't A and C depend on whatever
> they want at some time? They of course can, but it's non-sense to think
> people will rename their namespaces every iteration of their software.
> That's just not how Lisp code has been written.
>
>
>
> > Let's suppose we simplify the problem however and assume that B has been
> > properly versioned in time, and systems A and C refer properly to the
> > correct version of system B as a dependency. Even then, they will not be
> > able to be simultaneously loaded in a functionally correct fashion. (They
> > *can* both be loaded, but you'll do some clobbering of state along the
> way.)
> >
> No. The build system can error out and
> tell you the easy way that you have to fix your bugs
> before you discover it the hard way
>
>
>
> The build system erroring would be a step above the status quo. But maybe
> there's not actually a logical error. We are only considering it an error
> because of the way packages work in Lisp, no?
>
>
>
> > Whether we think about modules as systems or as packages or as whatever,
> the
> > problem would need to be addressed at the package level, if we are not
> > assuming that we can't synchronize the universe of people writing Common
> > Lisp.
> >
> The packages have nothing to do with it, unless you fork B into B1 and B2
> (or B1 and B, or B and B2).
>
> > Overall, I'd summarize as this. Whether we have the technology in the
> Common
> > Lisp ecosystem to accommodate this problem or not, it's my opinion and
> the
> > opinion of many of my colleagues that there is a problem for development
> > teams making extensive use of open and closed source code. There
> definitely
> > is not a discipline that you see with other languages and their
> ecosystems
> > (JS/npm, Clojure, etc.) about proper versioning of systems and
> furthermore
> > proper loading of the proper versions. I don't think that's debatable.
> The
> > closest we have to this solution is relying on the global nature of a
> > particular Quicklisp distribution, but not all Lisp software is free and
> > open source, and even software within Quicklisp has tons of implied
> version
> > dependencies.
> >
> This is not a very Lisp-specific problem.
> This is a problem with building software in general.
> The correct approach is to fix incompatibilities,
> not to try to deny their existence only to find out the hard way you can't.
>
> Google Bazel provides a good way to deterministically build software
> that follows the correct discipline. So does NixOS. There may be other
> such tools. Use them.
>
>
>
> I don't know much about Bazel, and I know a little about NixOS.
> Regardless, this seems to be moving the problem into how we globally
> synchronize our systems.
>
> I am absolutely boggled by this attitude. This is an issue that one runs
> into when writing Common Lisp code, and not an issue that one runs into
> writing in another language and associated ecosystem. To me, that's a Lisp
> problem. We can do some creative academic definitions, I think, but it's a
> problem when choosing Lisp as a tool.
>
> I don't know. The original question I was answering was why Lisp isn't
> what we are all using today, and I think this weird thread serves as
> additional evidence.
>
> Am I way off base here?
>
> Cheers,
>
> Robert
>
>
>
> --
> Stelian Ionescu a.k.a. fe[nl]ix
> Quidquid latine dictum sit, altum videtur.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.common-lisp.net/pipermail/pro/attachments/20160519/c33aa235/attachment-0001.html>


More information about the pro mailing list