<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">+1 for Ankit’s general idea. Details of the proposal aside, I’ll say from experience with bundler that it’s immensely useful — a lifesaver! — to know the exact version of the dependencies another author was using. This has saved my neck more than once.</div><div class=""><br class=""></div><div class="">IMO it’s useful to have a lock file checked in even for libraries — just not pushed forward to client projects. You still want to know what versions the library’s tests last passed against, both for CI and for diagnosing downstream breakage.</div><div class=""><br class=""></div><div class="">-1 to this:</div><div class=""><br class=""></div><div class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><div class=""><span class="" style="font-family: Helvetica, arial, sans-serif; font-size: 14px;">[The] lock file will only be re-modified by </span><code class="" style="font-size: 14px; margin: 0px 2px; padding: 0px 5px; white-space: nowrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">$ swift build</code><span class="" style="font-family: Helvetica, arial, sans-serif; font-size: 14px;"> if</span> <code class="" style="font-size: 14px; margin: 0px 2px; padding: 0px 5px; white-space: nowrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">Package.swift</code><span class="" style="font-family: Helvetica, arial, sans-serif; font-size: 14px;"> is modified by the user.</span></div><div class=""><code class="" style="font-size: 14px; margin: 0px 2px; padding: 0px 5px; white-space: nowrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">$ swift build</code><span class="" style="font-family: Helvetica, arial, sans-serif; font-size: 14px;"> always ignores the lock file and uses local state of Packages dir / </span><code class="" style="font-size: 14px; margin: 0px 2px; padding: 0px 5px; white-space: nowrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">Package.swift</code></div><div class=""><code class="" style="margin: 0px; padding: 0px; border: none; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">…</code></div><div class=""><span class="">To lock the current state of Packages user can run </span><span class="" style="font-family: Helvetica, arial, sans-serif; font-size: 14px;"> </span><code class="" style="font-size: 14px; margin: 0px 2px; padding: 0px 5px; white-space: nowrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">$ swift build --lock</code></div></div></div></div></div></div></blockquote></div></div><blockquote type="cite" class=""><blockquote type="cite" class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><div class=""><div class=""></div></div></div></div></div></div></div></blockquote></div></div></blockquote></blockquote></div><div class=""><br class=""></div><div class="">A couple of problems with that:</div><div class=""><br class=""></div><div class="">(1) Package.swift can specify a version range. You may want to update to the latest patch release without actually modifying Package.swift. I agree with Thomas: there should be a command to update dependencies to the latest matching version. This command should also be able update a single dependency:</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space: pre;">        </span>swift build --update SomePackage</div><div class=""><br class=""></div><div class="">(2) I don’t like the idea of the build system running in two separate modes, where sometimes the lock file is ignored and sometimes takes precedence. (If there’s a desire to run in an “unlocked” mode, how about it just doesn't generate the .lock if not already present, and always uses it if it is present?) In practice, though, I’ve found the bundler model works quite well: always generate .lock if absent, always use the locked version if present, and use a separate command to update the locked version.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class=""><br class=""></div><div class="">Paul</div><br class=""><div><blockquote type="cite" class=""><div class="">On Dec 20, 2015, at 9:51 AM, Thomas Guthrie via swift-evolution <<a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Personally, I’d be more in favour of having something similar to Cargo (Rust’s package/crate manager):</div><div class=""><br class=""></div><div class="">1. `swift build`</div><div class=""><br class=""></div><div class="">Almost the same as it is now, expect if there’s no Package.lock it creates one and subsequent builds use the same dependencies.</div><div class=""><br class=""></div><div class="">2. `swift build --update` or maybe eventually `swift update`</div><div class=""><br class=""></div><div class="">Updates the dependencies in Package.lock to their newest versions and writes them to disk. It should probably build the project as well but possibly makes less sense if its `swift update`.</div><div class=""><br class=""></div><div class="">Similar to Bundler and Cargo you’d check in your Package.lock for app projects and ignore it for library projects.</div><div class=""><br class=""></div><div class="">I’m not really sure what their motivation was for having a lock file always created, it definitely favours “app” projects heavily, but I’ve been messing around with Rust recently and it works pretty well honestly. Maybe there’s a way of making the experience better when the package is solely a library? Personally, if you’re developing a library and `swift build` updates a dependency that breaks everything it’s probably better to know then, whereas with an app you probably want to be working to a lock file and checking what happens when you update dependencies individually.</div><div class=""><br class=""></div><div class="">As for the format of Package.lock, I think it might have to be more complicated than shown to be able to handle the possibility of multiple versions of a dependency etc? Haven’t had a chance to mess around with swiftpm enough yet to say though.</div><div class=""><br class=""></div><div class="">(/end ramble of first thoughts)</div><div class="">
<br class="Apple-interchange-newline"><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">— Thomas</span>
</div>
<br class=""><div class=""><blockquote type="cite" class=""><div class="">On 20 Dec 2015, at 09:01, Ankit Agarwal via swift-evolution <<a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><h1 style="margin-right:0px;margin-bottom:10px;margin-left:0px;padding:0px;font-size:28px;font-family:Helvetica,arial,sans-serif;margin-top:0px!important" class="">Lock File for Swift Package Manager</h1><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Introduction</h2><p style="margin:15px 0px;font-family:Helvetica,arial,sans-serif;font-size:14px" class="">A <code style="margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.lock</code> file containing list of resolved dependencies generated by swiftpm.</p><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Motivation</h2><p style="margin:15px 0px;font-family:Helvetica,arial,sans-serif;font-size:14px" class=""><code style="margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.lock</code> file can be helpful in situations like : </p><div class=""><h3 style="margin:20px 0px 10px;padding:0px;font-size:18px;font-family:Helvetica,arial,sans-serif" class="">Reproduce exact versions of dependencies on different machine</h3></div>* Multiple developers working on a package would want to use the exact versions (including minor and patch) of the dependencies declared in the manifest file<div class="">* Also helpful when a build is being performed on a remote machine eg CI <br class=""><div class=""><div class=""><h3 style="margin:20px 0px 10px;padding:0px;font-size:18px;font-family:Helvetica,arial,sans-serif" class="">Pointing a dependency to an untagged commit</h3></div><div class="">Sometimes it might be helpful to lock a dependency to a particular commit ref for which a tagged version is unavailable in cases such as :</div><div class=""><br class=""></div><div class="">* Forking a 3rd party library and making it swiftpm compatible for temporary use until officially supported by the author</div><div class="">* Package is in active development and not ready for a release tag</div><div class=""><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Proposed Solution</h2><p style="margin:15px 0px;font-family:Helvetica,arial,sans-serif;font-size:14px" class="">swiftpm generates a simple <code style="margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.lock</code> file after resolving the dependency graph for that package in some simple format.</p></div><div class=""><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Detailed Design</h2><div class="">1. Initial<code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> resolves the dependency graph and generates a </span><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.lock</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> file similar to :</span></div><div class=""><pre style="font-size:13px;white-space:pre-wrap;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(204,204,204);line-height:19px;overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class=""><code style="margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">ssh://<a href="http://github.com/foo/bar" class="">github.com/foo/bar</a> "v1.2.3"
<a href="http://github.com/foo/baz" class="">http://github.com/foo/baz</a> "v1.0.0"
../local/git/repo "v3.4.4"
</code></pre></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class="">lock file will only be re-modified by </span><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> if</span> <code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.swift</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> is modified by the user.</span></div><div class=""><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> always ignores the lock file and uses local state of Packages dir / </span><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">Package.swift</code></div><div class=""><code style="margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class=""><br class=""></code></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px;background-color:transparent" class="">2. User modifies the cloned packages in Packages dir and when satisfied with the current code of the dependency, commits and pushes it.</span></div><div class=""><span style="background-color:transparent" class="">To lock the current state of Packages user can run </span><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> </span><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build --lock</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> which might result something similar to </span></div><div class=""><div class=""><pre style="font-size:13px;white-space:pre-wrap;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(204,204,204);line-height:19px;overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class=""><code style="margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">ssh://<a href="http://github.com/foo/bar" class="">github.com/foo/bar</a> "248441ff375a19c4365d00d6b0706e11173074f6"
<a href="http://github.com/foo/baz" class="">http://github.com/foo/baz</a> "v1.0.0"
../local/git/repo "v3.4.4"
</code></pre></div></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px;background-color:transparent" class="">the lock file is committed into the package repo for others to use.</span><br class=""></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px;background-color:transparent" class=""><br class=""></span></div><div class=""><font face="Helvetica, arial, sans-serif" class=""><span style="font-size:14px" class="">3. A command like </span></font><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build --bootstrap</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> will always use the lock file to fetch and checkout the dependencies.</span></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class="">This is useful because running </span><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> </span><code style="font-size:14px;margin:0px 2px;padding:0px 5px;white-space:nowrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px" class="">$ swift build</code><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""> might give a higher patch or minor version of the dependency.</span></div><div class=""><span style="font-family:Helvetica,arial,sans-serif;font-size:14px" class=""><br class=""></span></div><div class=""><div style="font-size:13px" class="">4. If some dependency depends on commit hash (ie non-tagged commit) the author mentions that in their readme and the end user and maybe other parallel dependencies will have to use only that commit hash in order to avoid dependency hell.</div></div><div class=""><br class=""></div><div class="">5. Allow declaring a dependency without versions in the manifest file for user wanting to use a untagged dependency. This should probably only be allowed in debug configuration.</div><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Impact on existing code</h2><div class="">None as this would be additional functionality to swift package manager</div><div class=""><h2 style="margin:20px 0px 10px;padding:0px;font-size:24px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(204,204,204);font-family:Helvetica,arial,sans-serif" class="">Alternatives Considered</h2></div></div><div class="">One alternative is to allow mentioning refs in manifest file while declaring a dependency but as discussed in <a href="https://lists.swift.org/pipermail/swift-build-dev/Week-of-Mon-20151214/000067.html" class="">this</a> thread it might not be the best idea.<br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="gmail_signature">Ankit<br class=""></div></div>
</div></div></div>
<img src="https://u2002410.ct.sendgrid.net/wf/open?upn=Zar6ynBlzujkeVlpaavlQNZIAgaw3wAYlAtcron3qg1RDV0kVmGnN0cQ7yCfy0zjbsp-2BCkvOHWp3k2As9Rn-2FgUFZw4s86N2ukOyJDx7-2Ba6fSXlvvaHtmUsALVfoUrKZ7ZJ8FZtFfrtBfGVe-2B1FPSjUFQ3xaoe8rJMRjdEf9CBZKaOX4YsdiOnPima7aKsJ9ze8WkkEk0TIDVx5l8elKKShVaEx4c9w2T1BCACMa3Bqw-3D" alt="" width="1" height="1" border="0" style="height:1px !important;width:1px !important;border-width:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !important;padding-top:0 !important;padding-bottom:0 !important;padding-right:0 !important;padding-left:0 !important;" class="">
_______________________________________________<br class="">swift-evolution mailing list<br class=""><a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a><br class=""><a href="https://lists.swift.org/mailman/listinfo/swift-evolution" class="">https://lists.swift.org/mailman/listinfo/swift-evolution</a><br class=""></div></blockquote></div><br class="">
<img src="https://u2002410.ct.sendgrid.net/wf/open?upn=zCg-2FSGF9Wk188a6c55kLyEbrj7YhaXxFEHM-2F-2B0YAlzVLMVR-2FbpAm4-2FoCCYzSr-2BKV0QVynagSiTz1XMZMfYskm44kaHHyVeH-2F3RipMqb2AahMqyGtYIci7EECxe1sg6pBSgHjG-2BqNogYD2EmzZc1-2BUccYt3xEUm9hMe0YoablI-2Bls0mflHdDY5toJGcHGmZs6Zh69dIYerbPWBp1bR8RJq-2FYfuM1eCg6JV22Z1BDfpDo-3D" alt="" width="1" height="1" border="0" style="height:1px !important;width:1px !important;border-width:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !important;padding-top:0 !important;padding-bottom:0 !important;padding-right:0 !important;padding-left:0 !important;" class="">
</div>
_______________________________________________<br class="">swift-evolution mailing list<br class=""><a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a><br class="">https://lists.swift.org/mailman/listinfo/swift-evolution<br class=""></div></blockquote></div><br class=""></body></html>