[swift-build-dev] [Discussion Starter] Package post-clone script (Robert F. Dickerson)

Robert F Dickerson rfdickerson at us.ibm.com
Tue Mar 22 17:42:32 CDT 2016


I think that a post-clone script or similar functionality could be very
useful. There are other systems language communities also recognize the
need for such support to enhance the build process in some fashion. For
example, Rust/Cargo has its build.rs file (
http://doc.crates.io/build-script.html) that serves the purpose of running
these custom tasks before the Cargo package manager builds the project.
Platforms where Swift projects with C-interop without easy access to a
system library Package manager includes Buildpacks (like to Heroku and
Bluemix) through Cloud Foundry.

I think that the current C-proposal that builds C code if it exists in a
properly structured project with a file structure hits a great niche that
can serve many use-cases that the C code is basically owned by the user
writing the Swift code. It is very similar functionally to the node-gyp
package. I have tested it in the latest SNAPSHOT 3-21 and it works very
well!

However, there are many libraries out there as you pointed out like libSSL
and libCurl that have more complex build steps. Given the current
C-proposal, these repositories such as libCurl would be needed to have a
full overhaul to their structure in order for SPM to build them. Even with
this overhaul, there would be no way to pass in arguments to the configure
script in libCurl in order to add in additional support for HTTP2 or SSL.

I have found a "hack" that can work in order to bring in a prebuilt library
for x86-64 Linux and Mac OS before the Swift build is run. It works by
checking the platform in the Package.swift file and copying the prebuilt
dynamic library to the .build/debug directory before kicking off a build.
This is not an elegant solution. It would not handle platforms that we did
not anticipate (like ARM, zOS, PowerPC, etc.) but since SPM will read the
Package.swift files through the dependency chain before actually calling
swiftc, this solution works. Here is the modulemap for libCurl and the
"post-clone" step:

https://github.com/IBM-Swift/CCurl-bin/

I think we still need to be careful, however not to try to recreate what
Ninja, CMake, Automake does. Also, not recreate what apt-get, yum, brew,
etc. is trying to achieve. Maybe if the Swift Package Manager had more
"hooks" such as post-clone, post-compile, etc. throughout the lifecycle of
the application build?
                                                                 
   Robert F. Dickerson, PhD                                      
   Software Engineer, Swift at IBM                                  
   Engineering                                                   
                                                                 






From:	swift-build-dev-request at swift.org
To:	swift-build-dev at swift.org
Date:	03/22/2016 11:58 AM
Subject:	swift-build-dev Digest, Vol 4, Issue 13
Sent by:	swift-build-dev-bounces at swift.org



Send swift-build-dev mailing list submissions to
		 swift-build-dev at swift.org

To subscribe or unsubscribe via the World Wide Web, visit
		 https://lists.swift.org/mailman/listinfo/swift-build-dev
or, via email, send a message with subject or body 'help' to
		 swift-build-dev-request at swift.org

You can reach the person managing the list at
		 swift-build-dev-owner at swift.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of swift-build-dev digest..."


Today's Topics:

   1. Re: How to depend on a specified Pre-release		 version of
      package with the Swift Package Manager (Max Howell)
   2. Re: [Discussion Starter] Package post-clone script (Max Howell)
   3. Re: [Discussion Starter] Package post-clone script (Honza Dvorsky)
   4. Re: [swift-evolution] Proposal Discussion Thread:		 SwiftPM:
      Locking and Overriding Dependencies (Kostiantyn Koval)
   5. Re: [swift-evolution] Proposal Discussion Thread: SwiftPM:
      Locking and Overriding Dependencies (Max Howell)
   6. Re: [swift-evolution] Proposal Discussion Thread: SwiftPM:
      Locking and Overriding Dependencies (Max Howell)
   7. Re: Proposal Discussion Thread: SwiftPM: Locking and
      Overriding Dependencies (Max Howell)
   8. Re: [Discussion Starter] Package post-clone script (Chris Bailey)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Mar 2016 11:10:02 -0700
From: Max Howell <max.howell at apple.com>
To: Kostiantyn Koval <konstantin.koval1 at gmail.com>
Cc: swift-build-dev at swift.org, Martha JP <jpmartha.jp at gmail.com>
Subject: Re: [swift-build-dev] How to depend on a specified
		 Pre-release		 version of package with the Swift
Package Manager
Message-ID: <179AFB3A-AF8D-4D1D-8774-F694DF1C5C85 at apple.com>
Content-Type: text/plain; charset="utf-8"

Strictly, we don’t really want people specifying such exact version
requirements in Package.swift, since it would be easy to forget and then be
trapped on a single version forever despite updates being available.

The lockfile proposal is more for this kind of restriction, but this is not
yet implemented (or approved).

However Kostiantyn’s suggestion should work, though you’ll need to specify
it as an inclusive range of the provided Version() twice.

> On Mar 21, 2016, at 2:36 AM, Kostiantyn Koval via swift-build-dev
<swift-build-dev at swift.org> wrote:
>
> Hi JPMartha,
>
> I think it should be possible to specify a dependency package with a
specific pre-release identifier in Manifest and swiftpm should fetch that
exact version.
> Example:
> Package(url: ""https://github.com/ikesyo/Himotoki.git <
http://github.com/ikesyo/Himotoki.git>",
>   versions: Version(1, 0, 0, prereleaseIdentifiers: “beta.1”)
>
> The swiftPM should fetch a package with v-1.0.0-beta-1 tag
>
>> On 21 Mar 2016, at 06:43, Martha JP via swift-build-dev
<swift-build-dev at swift.org <mailto:swift-build-dev at swift.org>> wrote:
>>
>> Hi, I'm JPMartha.
>>
>> I had filed an issue of the Swift Package Manager first.
>> But, I should have heard your feedback on my opinion beforehand.
>>
>> Please see the following:
>> https://bugs.swift.org/browse/SR-965 <
https://bugs.swift.org/browse/SR-965>
>>
>> I think it's unexpected behavior.
>> I'm curious to hear your feedback!
>>
>> Best regards,
>> JPMartha
>> _______________________________________________
>> swift-build-dev mailing list
>> swift-build-dev at swift.org <mailto:swift-build-dev at swift.org>
>> https://lists.swift.org/mailman/listinfo/swift-build-dev
>
> _______________________________________________
> swift-build-dev mailing list
> swift-build-dev at swift.org
> https://lists.swift.org/mailman/listinfo/swift-build-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/3571291e/attachment-0001.html
>

------------------------------

Message: 2
Date: Mon, 21 Mar 2016 11:19:40 -0700
From: Max Howell <max.howell at apple.com>
To: Honza Dvorsky <jan.dvorsky at me.com>
Cc: "swift-build-dev at swift.org" <swift-build-dev at swift.org>
Subject: Re: [swift-build-dev] [Discussion Starter] Package post-clone
		 script
Message-ID: <C52F9EDA-6859-44A5-95FC-F8A9CCB734F9 at apple.com>
Content-Type: text/plain; charset="utf-8"


> On Mar 19, 2016, at 10:55 AM, Honza Dvorsky via swift-build-dev
<swift-build-dev at swift.org> wrote:
>
> Hi All,
>
> today I was trying to investigate how to build a proper cross-platform
server-side Swift project and only use SwiftPM to do it. In particular, I
was interested in getting OpenSSL/libcurl working as a dependency (built
from source). The main reason is that currently the big Swift server
frameworks all require manual steps during deployment (running apt-get/brew
to install libcurl/openssl/others) and I am trying to get rid of these
manual steps, eventually only requiring a `swift build` and run.
>
> With the great initial work <
https://github.com/apple/swift-package-manager/pull/183> to support
building C-family packages in SwiftPM done by Ankit, I was able to have a
simple C package as a dependency, as advertised. However, the reality of
big cross-platform open source projects like OpenSSL and libcurl is that in
order to actually build it from source, a configure (or similar) script has
to be run to get the source code ready for compilation. And this is where I
got stuck.
>
> Thus I wanted to kick off a discussion of what approach of solving this
problem with SwiftPM should be. The simple solution, which I'm tentatively
proposing, is to have an optional "post-clone" script in the package's
repository. Then, the Package.swift would optionally contain a field for
the path to this script - and if present, it'd get run after SwiftPM clones
this package. Note that this would be a "post-clone" script, not a
"prebuild" script - I imagine it'd only run once when cloning and then only
after each clean.
>
> In order to get users to stop having to run manual script to install all
dependencies, I believe that we need to allow packages to declare what work
needs to be done on its source before compilation can begin.

I have a proposal I’d like to push today that adds knowledge to SwiftPM
about how to install system dependencies for System Module Packages.

We are not keen to add arbitrary script execution to SwiftPM, because: 1)
Arbitrary scripts cannot be controlled and this leads to dependency hell
and 2) arbitrary scripts mean your package graph may do anything, which
nobody wants.

Now I’m fine with the “root package” ie. the package the user has control
over doing more, but this would be a different discussion.

So the question becomes, is this sufficient? To have `brew install openssl`
run, or do you really need to install from source?

Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/e84bfa9f/attachment-0001.html
>

------------------------------

Message: 3
Date: Mon, 21 Mar 2016 18:38:14 +0000
From: Honza Dvorsky <jan.dvorsky at me.com>
To: Max Howell <max.howell at apple.com>
Cc: "swift-build-dev at swift.org" <swift-build-dev at swift.org>
Subject: Re: [swift-build-dev] [Discussion Starter] Package post-clone
		 script
Message-ID:

<CAJi4s=TSPC0tncHGOmZL6QbhirO0uG57BvtEWLdMnJ82T4zGCQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I personally don't like the idea of an arbitrary script either, it was just
the first obvious solution to a problem I believe needs solving. The
advantage of building from source even of these base dependencies is that
the exact version of system dependencies
- can be ensured to be the same version across platforms
- their version is part of the explicit dependency graph

Currently, AFAIR, installing Redis with homebrew and apt-get each produce a
different version, which IMO defeats the point of having a dependency
manager in the first place. But I guess if your proposal could ensure that
the same version is installed on all platforms, this particular problem
would be solved.

> So the question becomes, is this sufficient? To have `brew install
openssl` run, or do you really need to install from source?

I'm still not sure. Now I think your proposal will probably help with most
cases (which is a very good way to approach things), but definitely not
all. Imagine you yourself having a cross-platform C project which needs
platform configuring before compilation. Even when you're completely in
control, the fact that you still can't get this working is troubling. But
maybe I'm just inflating extremely uncommon usecases.

One more thing - consider two Swift packages each needing a different
version of OpenSSL. Does your proposal handle that case?

Anyway, I'd love to read your proposal and then re-evaluate whether I still
feel like there's a large enough benefit in introducing such customization
to SwiftPM :)

Honza

On Mon, Mar 21, 2016 at 6:19 PM Max Howell <max.howell at apple.com> wrote:

>
> On Mar 19, 2016, at 10:55 AM, Honza Dvorsky via swift-build-dev <
> swift-build-dev at swift.org> wrote:
>
> Hi All,
>
> today I was trying to investigate how to build a proper cross-platform
> server-side Swift project and only use SwiftPM to do it. In particular, I
> was interested in getting OpenSSL/libcurl working as a dependency (built
> from source). The main reason is that currently the big Swift server
> frameworks all require manual steps during deployment (running
apt-get/brew
> to install libcurl/openssl/others) and I am trying to get rid of these
> manual steps, eventually only requiring a `swift build` and run.
>
> With the great initial work
> <https://github.com/apple/swift-package-manager/pull/183> to support
> building C-family packages in SwiftPM done by Ankit, I was able to have a
> simple C package as a dependency, as advertised. However, the reality of
> big cross-platform open source projects like OpenSSL and libcurl is that
in
> order to actually build it from source, a configure (or similar) script
has
> to be run to get the source code ready for compilation. And this is where
I
> got stuck.
>
> Thus I wanted to kick off a discussion of what approach of solving this
> problem with SwiftPM should be. The simple solution, which I'm
tentatively
> proposing, is to have an optional "post-clone" script in the package's
> repository. Then, the Package.swift would optionally contain a field for
> the path to this script - and if present, it'd get run after SwiftPM
clones
> this package. Note that this would be a "post-clone" script, not a
> "prebuild" script - I imagine it'd only run once when cloning and then
only
> after each clean.
>
> In order to get users to stop having to run manual script to install all
> dependencies, I believe that we need to allow packages to declare what
work
> needs to be done on its source before compilation can begin.
>
>
> I have a proposal I’d like to push today that adds knowledge to SwiftPM
> about how to install system dependencies for System Module Packages.
>
> We are not keen to add arbitrary script execution to SwiftPM, because: 1)
> Arbitrary scripts cannot be controlled and this leads to dependency hell
> and 2) arbitrary scripts mean your package graph may do anything, which
> nobody wants.
>
> Now I’m fine with the “root package” ie. the package the user has control
> over doing more, but this would be a different discussion.
>
> So the question becomes, is this sufficient? To have `brew install
> openssl` run, or do you really need to install from source?
>
> Max
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/5717a2ac/attachment-0001.html
>

------------------------------

Message: 4
Date: Mon, 21 Mar 2016 21:12:47 +0100
From: Kostiantyn Koval <konstantin.koval1 at gmail.com>
To: Max Howell <max.howell at apple.com>
Cc: "swift-evolution at swift.org" <swift-evolution at swift.org>,
		 "swift-build-dev at swift.org" <swift-build-dev at swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
		 Thread:		 SwiftPM: Locking and Overriding Dependencies
Message-ID: <EF0A84B5-9C45-4979-A59F-94E8F52D533A at gmail.com>
Content-Type: text/plain; charset="utf-8"

I like the proposal.

I have 1 concern.
As a package author, like PromiseKit <https://github.com/mxcl/PromiseKit>
I often have a need to fix some of my dependencies and publish it to my
package users.

With the current proposal I can do it:
  - Advise it in README, which is not really a solution done by swift
package manager.
  - update Manifest.swift file. There is no convent way to do it now.

I would love to have some functionality to make it simpler for me to
specify (modify Manifest.swift or smt else) that Dependency X should:
  - use specific tag X
  - use commit X

But maybe that should be part of another proposal. The lock file would
perfectly solve the problems for developing projects that uses packages.

- Kostiantyn

> On 20 Mar 2016, at 06:07, Daniel Dunbar via swift-build-dev
<swift-build-dev at swift.org> wrote:
>
> My thoughts on this proposal:
>
> 1. I agree with some of the other comments that I would prefer the
version file be adjacent to "Package.swift". When the Packages directory
isn't being checked in, I really would like to think of it as an
"implementation detail" and not embed functionality inside it that would
make it hard to remove or change in the future.
>
> 2. I like VersionLocks.json well enough, but would like to see a
discussion about possible alternatives. My personal proposal (in line with
#1) is to use "PackageVersions.json" which has a nice agreement with
Package.swift and would mean two common metadata files show up adjacent. I
don't really want to bike shed on the name, but I suspect whatever we pick
first will last for a while so I would at least like to review the various
alternatives. I also will throw out that my personal opinion is we don't
need to pick a name that bears much resemblance with existing terminology,
whatever we pick will eventually become "the standard" for the SwiftPM
ecosystem so I would prefer to pick the most-descriptive-possible name up
front, not one that alludes to the same concept in other systems.
>
> 3. I like the terminology section here, I almost feel like we should
adopt that as official terminology in our documentation (which I don't
think we have yet, correct me if I am wrong).
>
> 4. I would like it if the lock file recorded the exact SHA it received,
and validate that when retrieving. This helps protect users against MITM
attacks or unexpected changes if an upstream modifies a tag. It also can be
used as part of safety checks when migrating to an alternate repository
host which is expected to have the same content.
>
> 5. The "workflow - build" sections #2,3,4 are rather complicated. Is this
because the proposal is trying to work with existing Packages layouts, or
because the proposal is trying to handle the various variations of what the
user may have checked in inside the Packages subdirectory?
>
> 6. I wonder if we should be defining, as Eloy alludes to, two different
things:
>  - The version lock file, which defines the expected versions for the
package manager to use when it is doing package resolution.
>  - The package state file (in Packages.swift), which is used by the
package manager to track information on the Packages/ subdir state in order
to provide useful features primarily focused at the scenarios when the user
is modifying those files.
> Currently it seems like a lot of the behaviors in the proposal are
focused at the latter case, but they feel like they should be decoupled
problems to me.
>
>  - Daniel
>
>> On Mar 17, 2016, at 11:23 AM, Max Howell via swift-evolution
<swift-evolution at swift.org <mailto:swift-evolution at swift.org>> wrote:
>>
>> The following is a draft proposal, feedback welcome.
>>
>> ____________
>> SwiftPM Dependency Version Locking
>> Proposal: SE-NNNN <
https://github.com/apple/swift-evolution/blob/master/proposals/NNNN-swiftpm-dependency-lockfiles.md
>
>> Author(s): Ankit Agarwal <https://github.com/aciidb0mb3r>, Max Howell <
https://github.com/mxcl>
>> Status: Discussion
>> Review manager: Rick Ballard
>> Introduction
>> This proposal seeks to declare a new, generated file
Packages/VersionLocks.json that describes the exact state of a package’s
dependency graph and then by default will be respected when executing most
package manager commands. Thus it is considered a “version lock” for a
package’s dependency sources.
>>
>> Swift-evolution thread <
https://lists.swift.org/pipermail/swift-build-dev/Week-of-Mon-20151214/000067.html
>
>> Terminology
>> A package refers to a published, versioned git repository designed to be
consumed as a dependency by SwiftPM.
>> A project refers to an end-user workspace that uses SwiftPM (via a
Package.swift and swift build) fetching and building packages as part of
its build
>> Describing this distinction is required because both the above have the
same form, but are used differently by an end-user. An end-user may publish
packages, but will eventually consume those packages in a project.
>>
>> As justification for this confusion, it is considered a feature that
projects can easily and trivially become packages when using SwiftPM.
Encouraging a vibrant packaging ecosystem is one of our goals.
>>
>> Motivation
>> In a vibrant packaging ecosystem, dependencies update continuously with
bug-fixes and new features. A development team needs:
>>
>> To ensure they are all using the same versions of their dependencies for
any given version-control commit.
>> Ensure they are all using the same versions of the underlying Swift
toolchain
>> Be able to override or modify dependency specifications for the whole
team for specific commits.
>> Currently with SwiftPM it is possible to fulfill 1. by committing the
sources of a package’s dependencies with the package itself, but this is
not always desirable. There is no way to achieve 2. and 3. with SwiftPM
alone.
>>
>> Additionally, there is not currently a way to know which version of
Swift a package requires to build. At this time this situation is
particularly precarious because Swift itself is not backwards compatible.
As a Swift developer at the very least recording which Swift version a
package was built with by the package developer is essential information in
order to assess a package's suitability. Practically the package manager
could in the future use this information to aid an end-user or even fix the
problem when packages fail to compile.
>>
>> Proposed Solution
>> A file: Packages/VersionLocks.json will be created alongside the
Package.swift file. Its contents will describe:
>>
>> The URL and versions of cloned dependencies
>> An inline diff of any local modifications made to those packages
relative to their pristine cloned states
>> The exact version of the Swift toolchain used as part of the last
successful build of the package
>> This file is generated by SwiftPM.
>>
>> This file should be checked-in with projects.
>>
>> This file is generated and should not be edited by users. If the file is
edited by users the behavior is undefined.
>>
>> This file should be checked-in with packages designed for consumption in
projects, however SwiftPM will not use the checkout files of dependencies
when determining a project’s dependency graph (this would make dependency
graphs much less likely to resolve due to overly strict versioning
requirements). In the future we may choose to make it possible for
end-users to attempt to build a package using all checkout files since in
certain deployment scenarios where an exact graph has already been tested,
this is a solid reliabiity feature.
>>
>> Any local, modifications made to the clones in Packages are recorded in
Packages/VersionLocks.json as part of the flow described in the next
section. Modifications here means: changes to git remotes and the git-ref
of the checked-out HEAD.
>>
>> Detailed Design
>> In a fresh clone that does not contain a Packages directory swift build
will determine the dependency graph, clone the packages into Packages and
generate a Packages/VersionLocks.json file.
>>
>> The user can now step into the Packages directory and modify package
sources. If the user then runs swift build again the package manager will
error out:
>>
>> error: dependency sources have been modified
>> execute `swift build --lock` or `swift build --ignore-lock`
>> It is an error to build against an unlocked dependency graph, but to
facilitate fixing bugs etc. an ignore flag can be specified.
>>
>> When swift build --lock is specified the package manager regenerates the
lockfile detailing the active git remote and the SHA that is checked-out.
>>
>> Every time swift build completes a build the lockfile is updated (if
necessary) recording the current version of the Swift toolchain that
achieved the build.
>>
>> Packages/VersionLocks.json
>>
>> The exact design of the contents of this file will be explored during
iterative development, but here is a possible example:
>>
>> json { "packages": [ { "clone": "Packages/PromiseKit-3.0.3", "origin": "
https://github.com/mxcl/PromiseKit <https://github.com/mxcl/PromiseKit>"
"ref": "3.0.3" }, { "clone": "Packages/Alamofire-1.2.3", "origin": "
https://github.com/a-fork-somewhere/Alamofire <
https://github.com/a-fork-somewhere/Alamofire>" "ref": "crucial-fix" },
{ "clone": "Packages/Quick-1.2.3", "origin": "
https://github.com/Quick/Quick <https://github.com/Quick/Quick>" "ref":
"1.2.3" } ] }
>>
>> Workflow — Regular Build
>>
>> User runs swift build
>> If Packages/ contains clones and a VersionLocks.jsonSwiftPM skips to 7.
>> If Packages/ contains clones and no VersionLocks.json the lockfile is
generated from the clones
>> If Packages/ contains checked out sources without git information and no
VersionLocks.json SwiftPM fetches the git information and provided there is
no diff, generates the Lockfile, if there is variation it is an error *
>> If Packages/VersionLocks.json is present its dependency graph is used
>> If Packages doesn't exist or is empty the dependency graph is resolved,
packages are cloned and the Lockfile is generated
>> Build, if Packages are missing because we skipped from 2. the build will
error, it is the user's responsibility to instruct SwiftPM to --update or
to fix their dependency graph some other way.
>>
>> This scenario is so users can check in their complete dependency sources
to their tree instead of / as well as the VersionLocks.json file: a
situation which sometimes is necessary if your dependencies are removed
from their third party online location, etc.
>>
>> Workflow — Making Modifications
>>
>> User makes local modification to a dependency’s sources
>> User runs swift build
>> swift build errors out.
>> User must either lock the graph or run with --ignore-lock
>> The error-out is likely to be considered tedious by users, however we
consider it important that users are made aware and forced to act when they
modify their dependencies and thus are exposing their team/users to
so-called “dependency hell”.
>>
>> Runing swift build --lock regenerates the lockfile, but does not build.
>>
>> Modifications must be committed. This means that if the modifications
are not uploaded to a location accessible to the rest of the team they will
fail to build when they update their checkouts.
>>
>> The package manager could check for this by asking git if the specified
origin has the current locked ref and error out as appropriate.
>>
>> Workflow — Overriding Packages
>>
>> User steps into a Package directory eg. Packages/Foo-1.2.3
>> User changes the origin of Foo to their own fork
>> User alters HEAD to point to a fix in their own fork
>> swift build errors out.
>> User must either lock the graph or run with --ignore-lock
>> Running swift build --lock regenerates the lockfile, the new origin and
tag is stored. Thus a fresh clone of this project would use these
overrides.
>>
>> It is important to note that this workflow will not be respected for
dependencies, only for projects.
>>
>> If a package author requires an override they have a few options:
>>
>> Change the Package.swift dependency specification. This should only be
done as a last resort, for example, a critical bug must be fixed in a
dependency and that dependency author is not being responsive. It is up to
the Package author to ensure this scenario goes well. SwiftPM itself wants
to guard against these conditions with our proposed “publish & lint” step
that validates such decisions before signing a published package tag. But
we are not there yet and thus package authors should be responsible.
>> Advise end-users in a package README that they should override the
dependency themselves.
>> 2 is preferred, but 1 will happen. We consider it our responsibility to
develop tooling that makes 1. safe or unnecessary, but we are not there
yet.
>>
>> Workflow — Updating Packages
>>
>> SwiftPM has no update mechanism yet, but once it does running swift
build --update will fetch the latest versions of all dependencies and
update the lockfile.
>>
>> Impact on existing code
>> This proposal will have no impact on existing code.
>>
>> Alternatives Considered
>> One alternative is to allow mentioning refs in manifest file while
declaring a dependency but as discussed in this <
http://markdownlivepreview.com/%22https://lists.swift.org/pipermail/swift-build-dev/Week-of-Mon-20151214/
> thread it might not be the best idea.
>>
>> Using Git submodules for this feature was considered. However something
additionally would be required to specify swift version and record local
diffs. Also this would lock us into git, and despite the fact that
currently we only use git, we have not yet ruled out supporting other
version control systems.
>>
>> _______________________________________________
>> swift-evolution mailing list
>> swift-evolution at swift.org <mailto:swift-evolution at swift.org>
>> https://lists.swift.org/mailman/listinfo/swift-evolution
>
> _______________________________________________
> swift-build-dev mailing list
> swift-build-dev at swift.org
> https://lists.swift.org/mailman/listinfo/swift-build-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/3f3452fe/attachment-0001.html
>

------------------------------

Message: 5
Date: Mon, 21 Mar 2016 15:57:49 -0700
From: Max Howell <max.howell at apple.com>
To: Kostiantyn Koval <konstantin.koval1 at gmail.com>
Cc: "swift-evolution at swift.org" <swift-evolution at swift.org>,
		 "swift-build-dev at swift.org" <swift-build-dev at swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
		 Thread: SwiftPM: Locking and Overriding Dependencies
Message-ID: <28D54CDA-9388-4938-B0AF-C895B54D9134 at apple.com>
Content-Type: text/plain; charset=us-ascii

>   - update Manifest.swift file. There is no convent way to do it now.

It is not convenient enough to edit it with a text editor and commit? Seems
pretty convenient to me.



------------------------------

Message: 6
Date: Mon, 21 Mar 2016 16:05:46 -0700
From: Max Howell <max.howell at apple.com>
To: Daniel Dunbar <daniel_dunbar at apple.com>
Cc: "swift-evolution at swift.org" <swift-evolution at swift.org>,
		 "swift-build-dev at swift.org" <swift-build-dev at swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
		 Thread: SwiftPM: Locking and Overriding Dependencies
Message-ID: <D2A832AB-4B07-418E-9D6F-32A76EF1EB58 at apple.com>
Content-Type: text/plain; charset="utf-8"

> 2. I like VersionLocks.json well enough, but would like to see a
discussion about possible alternatives. My personal proposal (in line with
#1) is to use "PackageVersions.json" which has a nice agreement with
Package.swift and would mean two common metadata files show up adjacent. I
don't really want to bike shed on the name, but I suspect whatever we pick
first will last for a while so I would at least like to review the various
alternatives. I also will throw out that my personal opinion is we don't
need to pick a name that bears much resemblance with existing terminology,
whatever we pick will eventually become "the standard" for the SwiftPM
ecosystem so I would prefer to pick the most-descriptive-possible name up
front, not one that alludes to the same concept in other systems.

I like PackageVersions.json
>
> 3. I like the terminology section here, I almost feel like we should
adopt that as official terminology in our documentation (which I don't
think we have yet, correct me if I am wrong).

We don’t, but I agree, we should aim to pick some names and use them
consistently.

> 4. I would like it if the lock file recorded the exact SHA it received,
and validate that when retrieving. This helps protect users against MITM
attacks or unexpected changes if an upstream modifies a tag. It also can be
used as part of safety checks when migrating to an alternate repository
host which is expected to have the same content.

Good point, this should be there.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.swift.org/pipermail/swift-build-dev/attachments/20160322/cbece9b1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <https://lists.swift.org/pipermail/swift-build-dev/attachments/20160322/cbece9b1/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <https://lists.swift.org/pipermail/swift-build-dev/attachments/20160322/cbece9b1/attachment-0001.gif>


More information about the swift-build-dev mailing list