<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div style="font-family:'Courier New';"> </div>
<blockquote type="cite"><div style="font-family:'Courier New';">Thanks all for the rest of your comments. Interesting notes about Clojure, Hans.<br></div>
<div> </div>
<div>I agree that this problem is not unique to Lisp, but what is relatively unique is that it's a quiet problem. (Mismatching of transitive dependencies can go unnoticed until something eventually breaks.)<br></div>
</blockquote><div style="font-family:'Courier New';"> </div>
<div style="font-family:'Courier New';">That's a problem with all languages that don't do static types. Node.js, Ruby, Python are all afflicted by this issue. Even with static types, that doesn't solve other types of problems, like a dependency that switched from an O(n^2) to an O(n*log(n)) implementation in a method, which exposed a race condition in the user code and caused the server to crash in production during the Black Friday peak.<br></div>
<div style="font-family:'Courier New';"> </div>
<div style="font-family:'Courier New';"> </div>
<blockquote type="cite"><div>The only question in response to many of your relatively-in-agreement-with-each-other comments is: do you think the relevant portions of Lisp, the relevant portions of the Lisp tool chain (ASDF, QL), and the way in which Lisp seems to be popularly used in open source are as a whole close to optimal in what we can do in 2016 to even detect, let alone address, these kinds of issues? Or is manual per-project vetting and curation of libraries the best possible?<br></div>
</blockquote><div style="font-family:'Courier New';"> </div>
<div style="font-family:'Courier New';">There are ways, one of which would be a very strict build system like Bazel. That has several problems of its own, though. As somebody noticed in a blog post about the latest ELS, Bazel has a large overhead and is cumbersome for small projects.<br></div>
<div style="font-family:'Courier New';"> </div>
<blockquote type="cite"><div> </div>
<div>Robert<br></div>
<div><div style="font-family:'Courier New';"> </div>
<div style="font-family:'Courier New';">On Thursday, May 19, 2016, Stelian Ionescu &lt;<a href="mailto:sionescu@cddr.org">sionescu@cddr.org</a>&gt; wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;" defang_data-gmailquote="yes"><div style="font-family:'Courier New';"><u></u><br></div>
<div><div> <br></div>
<blockquote type="cite"><div dir="ltr"><div><div><div><div>I don't know much about Bazel, and I know a little about NixOS. Regardless, this seems to be moving the problem into how we globally synchronize our systems. <br></div>
<div> <br></div>
<div>I am absolutely boggled by this attitude. This is an issue that one runs into when writing Common Lisp code, and not an issue that one runs into writing in another language and associated ecosystem. To me, that's a Lisp problem. We can do some creative academic definitions, I think, but it's a problem when choosing Lisp as a tool.<br></div>
</div>
</div>
</div>
</div>
</blockquote><div><div> <br></div>
<div style="font-family:'Courier New';">It's not a Lisp-only problem, it's a general boolean satisfiability problem that all languages have. The only way to deal with this is to ensure that your entire ecosystem works with the same set of dependencies, to check in those dependencies in your repository and not rely on "semantic versioning" or other such illusions, run the tests (do actual QA) and be very conservative with upgrades.<br></div>
<div style="font-family:'Courier New';">Having a source control system that can keep everything in one repository, with partial checkouts, is very useful in achieving that. I've started to really appreciate Perforce in the last year or so.<br></div>
<div style="font-family:'Courier New';"> <br></div>
<div style="font-family:'Courier New';">At my previous company, we had so many problems with Node.js (good for prototyping) because of the fact that npm (the package manager) downloaded private copies of the libraries, that in the end I think they rewrote the server to something more sensible, Java.<br></div>
<div style="font-family:'Courier New';"> <br></div>
<div>--<br></div>
<div>Stelian Ionescu a.k.a. fe[nl]ix<br></div>
<div>Quidquid latine dictum sit, altum videtur.<br></div>
</div>
<div style="font-family:'Courier New';"> <br></div>
</div>
</blockquote></div>
</blockquote><div style="font-family:'Courier New';"> </div>
<div id="sig4916231"><div class="signature"> </div>
<div class="signature">--<br></div>
<div class="signature">Stelian Ionescu a.k.a. fe[nl]ix<br></div>
<div class="signature">Quidquid latine dictum sit, altum videtur.<br></div>
</div>
<div style="font-family:'Courier New';"> </div>
</body>
</html>