Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JRFC 19 - Let's Stop Installing Packages #19

Open
jbenet opened this issue Jun 19, 2014 · 23 comments
Open

JRFC 19 - Let's Stop Installing Packages #19

jbenet opened this issue Jun 19, 2014 · 23 comments

Comments

@jbenet
Copy link
Owner

jbenet commented Jun 19, 2014

Today's paradigm includes installing software. It's really silly, having to go find a particular package, and then download it manually. Our package managers should just make the code available. If it can be found in the registry, it should be importable in the code.

How?

Easy, mount the registry:

/npm/<module-name>/<version>

Or, in my world:

/ipns/npmjs.org/<module-name>@<version>

Concerns

What about Security? is this safe!?

Security is not about installing software X at time Y, but about checking integrity (hash the code) and authenticity (sign the code). This could be done on import, every single time you run the code, which would be much safer than just hoping all your files are the same as when you last looked at them. You did look at all the modules you imported, right? You are sure that foobar module you used doesn't actually open a back door, right?

But what about production? Will I have to randomly download modules?

Not at all, things will be cached locally, and just make sure things stay local, why not pin them?

> mounted-npm pin module-i-care-about

Basically, make your "mounted registry" save things locally that you're going to use regularly. (IPFS will do this for you).

But, maybe I want to version lock?

And you should! Lock your local files to exactly the modules you want:

> echo [email protected] >> modules-i-want
> echo [email protected] >> modules-i-want
> cat modules-i-want | mounted-npm lock
> mounted-npm ls
[email protected]
[email protected]
@jbenet jbenet mentioned this issue Jun 19, 2014
Closed
@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

@groundwater you'll want this in NodeOS, i think :) -- give me two weeks and IPFS may be stable enough for it.

@groundwater
Copy link

This is kind of like a lazy install of modules.

I'm also interested in what things we can dream up when file-systems and mounts are easy and safe to hack on. Kinda like FUSE, but without the constant segfaults 😄

@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

Kinda like FUSE, but without the constant segfaults

FUSE gives you segfaults!? I've yet to see this-- perhaps I'll run into it shortly. Is this osx or linux?

@groundwater
Copy link

It gives me segfaults because I'm causing them. Basically I'm a shitty FUSE developer =]

@mlovci
Copy link

mlovci commented Jun 19, 2014

http://xkcd.com/1367/

@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

@mlovci precisely. The divide between web and fs is really stupid and it's time to end it. We don't do http requests on ever file open, and with good reason. Need a better protocol :)

@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

@groundwater try fuse4js? shouldn't be able to segfault :)

@groundwater
Copy link

Retrieving and caching content is pretty straight forward. How would you deal with directory listing?

@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

@groundwater I wouldn't. Don't list root (-r+x on dir). Do list under keywords/, author/<username>/, etc.

@groundwater
Copy link

Would you use FUSE?

@jbenet
Copy link
Owner Author

jbenet commented Jun 19, 2014

More like, i will use FUSE ;)

@groundwater
Copy link

Too bad we can't just patch the fs module.

@jbenet
Copy link
Owner Author

jbenet commented Jun 24, 2014

For @mikolalysenko:

Below, it could easily be foo@version or foo/version. I'm opting for foo@version because i like it more. You can also keep the node_modules/ but i took it out below. Con

/ipns/npmjs.org/package/[email protected]
/ipns/npmjs.org/package/[email protected]
/ipns/npmjs.org/package/[email protected] 
/ipns/npmjs.org/package/[email protected]/[email protected]  (same object as .../[email protected] above)
/ipns/npmjs.org/package/[email protected] 
/ipns/npmjs.org/package/[email protected]/[email protected] (same as .../[email protected])
/ipns/npmjs.org/package/[email protected]/[email protected] (same as .../[email protected])
/ipns/npmjs.org/package/[email protected]/[email protected] (same as .../[email protected])

@jbenet
Copy link
Owner Author

jbenet commented Jun 24, 2014

cc @mafintosh and @maxogden

@mafintosh
Copy link

@jbenet wouldn't I need to list the /ipns/npmjs.org/package (which can be HUGE) to match a semver using the above approach?

@jbenet
Copy link
Owner Author

jbenet commented Jun 24, 2014

@mafintosh where match here means resolve something like >=1.2.3 ? Ah, then maybe we do want name/version in top level:

/ipns/npmjs.org/package/foo/1.0.0
/ipns/npmjs.org/package/foo/1.0.1
/ipns/npmjs.org/package/bar/1.0.0/foo@>=1.0.0  # only needs to list /ipns/npmjs.org/package/foo/
/ipns/npmjs.org/package/baz/1.0.0/foo@^1.0.1

@mafintosh
Copy link

Yes this makes it a lot easier :) I would probably also not include sub dependencies. I don't really see the benefit of having them.

@jbenet
Copy link
Owner Author

jbenet commented Jun 24, 2014

@mafintosh we get subdependencies for free.

/ipns/npmjs.org/package/foo/1.0.0
/ipns/npmjs.org/package/bar/1.0.0                         
/ipns/npmjs.org/package/bar/1.0.0/foo@>=1.0.0
/ipns/npmjs.org/package/bork/1.0.0/bar@>=1.0.0  
# \o this resolves to bar/1.0.0 above, which already has foo@>=1.0.0

content-addressed deduplication :) !

@mafintosh
Copy link

Nice!!

@jonathanmarvens
Copy link

Random stranger stopping by to say that these are awesome thoughts :) .

@jbenet

- Jonathan

@silky
Copy link

silky commented Jul 11, 2014

check the nix package managed and nixos - http://nixos.org/ - https://nixos.org/nix/

@jbenet jbenet mentioned this issue Jul 26, 2014
Closed
@jbenet jbenet mentioned this issue Sep 20, 2014
Open
@jbenet jbenet changed the title Let's Stop Installing Packages JRFC 19: Let's Stop Installing Packages Apr 17, 2015
@jbenet jbenet changed the title JRFC 19: Let's Stop Installing Packages JRFC 19 - Let's Stop Installing Packages Apr 17, 2015
@davidar davidar mentioned this issue Aug 14, 2015
Closed
@jbenet jbenet mentioned this issue Mar 23, 2016
Closed
@BillDStrong
Copy link

Why would this only be at that layer?

If you want to go that route, create a Linux distro that mounts IPFS early enough in the chain, then symlink all the normal filenames to IPNS addresses that always have the latest released version. Instant always up to date system.

@burdges
Copy link

burdges commented Jun 4, 2016

You need reproducible builds to do this securely, along with Guix or NixOS tool for keeping package options straight.

@hackergrrl hackergrrl mentioned this issue May 12, 2017
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@silky @jbenet @mafintosh @groundwater @burdges @jonathanmarvens @mlovci @BillDStrong