After GitHub put an archive of Mastodon code into arctic ice it got me thinking how dependent our rollout mechanism is on contemporary infrastructure like RubyGems and NPM. That bit us in the ass at least one time when a release of Mastodon became uninstallable because a package author removed a specific version of a package. At least our Docker images are entirely self-contained/pre-built.

@Gargron This is why I really hate the modern culture of package managers. They make things incredibly fragile.

At the very minimum, package managers should enable you to check in all your dependencies into your repo.

@WAHa_06x36 You used to have to do that with PHP projects. It was shit though. It’s a lot of version control noise and a lot of extra weight for the whole repository. So it didn’t change for no reason. But what we’re doing here, distributing long-lived web software, is not very common. We have ways to go in finding a better approach.

@Gargron but wait, NPM packages and old versions of them cannot be deleted?

@Gargron @sasha_sorokin doesn’t NPM let you ignore the warning and download anyways?

@Gargron wait does NPM and RubyGems not store a backup copy for projects which rely on it. I know an author can stop releasing updates but didn’t realize they had the power to take back their contributions. I wish package managers pulled code from Git repos rather than a centralized store. Crystal Language and their shards package manager does this and it’s pretty cool.

@Gargron this is why I've started hosting my own gitea, drone ci, and Verdaccio instances. Would recommend.

@Gargron Build on top of Debian/sid. Old distro releases aren't going to get yanked from under you, and the state of the rolling release is always internally consistent. Including cross-language dependencies: a problem RubyGems and NPM generally ignore.

My rant:

@xj9 @Gargron Please don't, otherwise you basically have to also maintain them like in a distro.

@Gargron a project with a thousand dependencies has a thousand liabilities

@sir @Gargron
The journey of a thousand technical debts begins with a single dependency.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!