reiz's comments

reiz | 12 years ago

Yeah, that is a good point. I guess I should have pointed that out in the article.

But I still think that the initial publishing on Maven Central is more difficult than it should be. Pretty much every other package manager is doing a better job on publishing. It took me less than a minute to publish my very first Ruby Gem. But it took me 1 week to publish my very first Jar file on Maven Central.

Clojars is doing better.

reiz | 12 years ago

You will laugh. That was my first title. I showed the article around 2 days ago, and a good friend of mine told me: "You need a more provocative title!".

reiz | 12 years ago

Nils Adermann just confirmed that. I updated the blog post and the infographic.

reiz | 12 years ago

Well. You are right. Next time I will pick my words more carefully.

reiz | 12 years ago

That's true. That's the disadvantage of that system. If there were a language agnostic package manager, would you use it?

reiz | 12 years ago

Good point. My next package manager after Maven was Bundler/RubyGems. And it was enlightening. I don't use PyPI so much, but I heard that the core committers are working on a big refactoring.

reiz | 12 years ago

I didn't feel attacked. I appreciate feedback ;-) And you are right. The choice of a language is just a choice. Dependency definition in native code is always a security vulnerability, because by resolving the dependencies you execute unknown code, especially if the packages are not signed. I could for example publish a Python package on PyPI with a setup.py which contains code to delete files on your hard disk. The moment my setup.py gets executed on your machine you will lose some files. Something like that cannot happen with JSON, XML or YML.

reiz | 12 years ago

Good point! I will blog more about that. I think there is a reason why there are so many build tools out there in the Java ecosystem. Obviously there is no clear winner and people are not satisfied with the current status.

reiz | 12 years ago

Very good point. I didn't take that into the article because these package managers are all built for 1 single language. But I totally get your point. A language agnostic package manager, or at least a language agnostic repository with a clearly defined API, would be awesome! The clients could still be different for each language, to handle language specific problems, but the repository server could be the same.

reiz | 12 years ago

I didn't know that about the git hash. That's a good point! What I like about NPM is that they use JSON for defining the dependencies and that the packages are by default not installed globally. NPM and Bundler are different in some ways, but in general they both do a good job.

reiz | 12 years ago

In the first version of the chart I had a column for "XML". But it didn't look good, because there was only 1 candidate for XML and that was Maven. That's why I dropped it again. Besides that, I think that XML is kind of overkill for dependency management. JSON is just fine, much smaller and easy to read. Having the dependency definition in native code (Python, Groovy, whatever) is not a good decision, in my opinion, because that's a source of security vulnerabilities.
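The two comments above (the setup.py remark and the XML/JSON one) make the same point: a dependency list written in native code has to be executed to be read, while a JSON manifest is data that a parser only inspects. The following is an added illustration of that difference, not reiz's code and not any real package manager's format. The manifest schema (a `name` plus a `dependencies` object mapping package name to version constraint), the regular expressions, the `SIDE_EFFECTS` marker and all sample manifests are constructed for this example.

```python
"""Declarative vs. native-code dependency manifests (added illustration).

The JSON loader validates every value against a grammar and never evaluates
anything; the native-code loader shows the pattern the comments warn about,
where the resolver must run the whole file to learn the dependency list.
The schema and samples are constructed for this example, not a real tool's.
"""
import json
import re

# Constructed grammar: package names and simple "<op> <version>" constraints.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
SPEC_RE = re.compile(r"^(==|>=|<=|~>|>|<)\s*\d+(\.\d+){0,3}$")
ALLOWED_KEYS = {"name", "dependencies"}


class ManifestError(ValueError):
    """Raised when a manifest is malformed; nothing in it has been executed."""


def load_json_manifest(text: str) -> dict:
    """Parse a declarative manifest.

    A value that merely looks like code fails the constraint grammar and is
    rejected; at no point is it evaluated.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ManifestError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ManifestError("top level must be an object")
    unknown = set(data) - ALLOWED_KEYS
    if unknown:
        raise ManifestError(f"unexpected keys: {sorted(unknown)}")
    name = data.get("name")
    if not isinstance(name, str) or not NAME_RE.match(name):
        raise ManifestError("invalid package name")
    deps = data.get("dependencies", {})
    if not isinstance(deps, dict):
        raise ManifestError("dependencies must be an object")
    clean = {}
    for dep, spec in deps.items():
        if not NAME_RE.match(dep):
            raise ManifestError(f"invalid dependency name: {dep!r}")
        if not isinstance(spec, str) or not SPEC_RE.match(spec):
            raise ManifestError(f"invalid version constraint for {dep}: {spec!r}")
        clean[dep] = spec
    return {"name": name, "dependencies": clean}


# Constructed marker: records that loading a native manifest ran code.
SIDE_EFFECTS: list = []


def load_native_manifest(source: str) -> dict:
    """Contrast case: dependencies declared in code can only be read by
    executing the file, together with whatever else the author put in it."""
    namespace = {"SIDE_EFFECTS": SIDE_EFFECTS}
    exec(source, namespace)  # arbitrary code from the package runs here
    return {"name": namespace["NAME"], "dependencies": dict(namespace["DEPENDENCIES"])}


# Constructed sample manifests.
JSON_OK = '{"name": "webapp", "dependencies": {"requests": ">=2.0", "flask": "==1.0.2"}}'
JSON_CODE_LIKE = '{"name": "webapp", "dependencies": {"x": "__import__(\'os\').listdir(\'/\')"}}'
NATIVE = (
    "NAME = 'webapp'\n"
    "DEPENDENCIES = {'requests': '>=2.0'}\n"
    "SIDE_EFFECTS.append('ran while resolving dependencies')\n"
)

if __name__ == "__main__":
    print(load_json_manifest(JSON_OK))
    try:
        load_json_manifest(JSON_CODE_LIKE)
    except ManifestError as err:
        print("rejected:", err)
    print(load_native_manifest(NATIVE), SIDE_EFFECTS)
```

Running it shows the asymmetry: the code-like string in the JSON manifest is simply an invalid constraint, while reading the native manifest leaves an entry in `SIDE_EFFECTS` before the resolver has even looked at a single dependency.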

reiz | 12 years ago

Good point. I will take that thought into the next blog post. The next blog post will cover CPAN and Nuget, too.

reiz | 12 years ago

I'm sorry for that. But I'm getting requests for Bower, CocoaPods and Nuget every day. I don't get so many requests for CPAN. But it's on my radar and I will update the blog post sometime this year.

reiz | 12 years ago

Thanks for the hint. I really didn't know that. I will update the blog post with my new knowledge. One point more for Bundler/RubyGems :-)

reiz | 12 years ago

I read that blog post a couple of days ago. Too sad. I think people don't sign their Gems because it's some extra work and developers are lazy. I bet the artifacts in Maven are only signed because it's mandatory. You cannot submit an unsigned artefact to search.maven.org. They will decline it. But in the intranets of many companies there are a lot of self hosted Maven Repositories and believe me, nobody is signing the Jars there!

If we want to have more security in the Ruby community then there is only one way. RubyGems has to decline every unsigned Gem. Signing Gems must be mandatory.

reiz | 12 years ago

Yes. That's what I meant.

reiz | 12 years ago

Actually, in my daily work I'm using Bundler and Maven more. But I'm a big fan of NPM anyway.

reiz | 12 years ago

I talked to many C devs, and they all use some kind of Linux native package manager. For example apt-get or yum or RPM.

reiz | 12 years ago

Maybe I was not clear enough on that point. Of course Lein is using a Maven Repository as backend. But the official Clojure Repository is not search.maven.org, it is https://clojars.org. And there is no mirror of clojars.org. Of course it's possible to mirror it, because it's a Maven Repo. But currently nobody is doing that.