jakstys.lt/content/log/2022/dependencies.md

172 lines
8.3 KiB
Markdown
Raw Normal View History

2022-04-23 07:40:29 +03:00
---
2022-04-26 05:28:53 +03:00
title: "Dependencies, zig and git-subtrac"
2022-04-23 07:40:29 +03:00
date: 2022-04-23T05:37:51+03:00
2022-04-26 05:28:53 +03:00
# FIXME: "slug: dependencies" doesn't do what I meant.
2022-04-26 05:31:03 +03:00
url: 2022/dependencies
2022-04-26 05:28:53 +03:00
draft: true
# FIXME: 'list: never' keeps the link in the feed
#_build:
# list: never
2022-04-23 07:40:29 +03:00
---
2022-04-26 05:19:02 +03:00
<!-- o_ -->
2022-04-26 19:31:24 +03:00
TLDR: Modern programming languages make it very easy to add many dependencies.
2022-04-24 09:39:56 +03:00
That is nice for development, but a nightmare for maintenance. Unfortunately,
zig is following suit. I wish we could accept that adding dependencies does not
have to be trivial. If we accept that, thanks to ubiquity of git, we may have
almost solved the dependency problem.
2022-04-23 16:41:58 +03:00
Adding dependencies
-------------------
2022-04-26 19:31:24 +03:00
All of the programming languages I've used professionally, the names of which do not
start with "c"[^1], have package managers[^2], which make "dependency
2022-04-24 09:39:56 +03:00
management" easy. These package managers will, as part of the project's build
2022-04-26 05:09:10 +03:00
process, download and build the dependencies, which makes adding and using
2022-04-24 09:39:56 +03:00
third-party dependencies easy.
Because C/C++ still does not have a universal package manager, not adding
2022-04-26 05:09:10 +03:00
external dependencies to C/C++ is the path of least resistance; instead, one
relies on libraries already installed in the system. Therefore, there is a
2022-04-26 19:31:24 +03:00
plethora of dependency managers that will discover but not install
dependencies: autotools, cmake, pkg-config, and others. As a result, C/C++
projects I've participated in usually had 0-5 non-system dependencies, whereas
non-C/C++ projects -- tens, hundreds, or thousands[^3]. Having many system
2022-04-26 05:09:10 +03:00
dependencies is painful for *every user* of the package (because they have to
make sure the libraries, and their correct versions, are installed), so C/C++
projects avoid having too many of them.
2022-04-24 09:39:56 +03:00
Not doing things that are easy to do requires discipline: brushing teeth,
limiting candy intake, not adding dependencies all over the place. If it is
easy to add dependencies and there is no discipline not doing so, the project
will gain a lot of dependency "weight" with time.
2022-04-26 05:31:03 +03:00
{{<img src="_/2022/brick-house.jpg"
2022-04-24 09:39:56 +03:00
alt="House made out of Duplo pieces"
caption="Just like this brick house, \"modern\" package managers are optimized for building, not maintenance. Photo mine, house by my sons."
hint="photo"
2022-04-24 06:45:41 +03:00
>}}
2022-04-23 16:41:58 +03:00
2022-04-26 19:31:24 +03:00
In Go and Python, a small number of dependencies is often a sign of care and
2022-04-24 09:39:56 +03:00
quality. [mattn/go-sqlite3](https://github.com/mattn/go-sqlite3),
[uber/zap](https://github.com/uber-go/zap),
[apenwarr/redo](https://github.com/apenwarr/redo) and
2022-04-26 19:31:24 +03:00
[django](https://djangoproject.com) are good examples. I've built and used
these projects in a number of environments without issues. Conversely, projects
with many dependencies often fail to build even in the environment they are
developed and at and thus had received most testing (e.g. a specific
OS+architecture, like `Ubuntu 16.04 x86_64`). It's even worse to do on a
non-standard environment, no matter how trivially different (e.g. they would
build on Ubuntu 16.04, but fail on Ubuntu 18.04), not to mention a different
OS. This, obviously, leads to both user frustation, packagers' frustation, and
developer long-term frustration and costs.
2022-04-24 09:39:56 +03:00
The costs of just having dependencies are huge. I haven't done a survey and
have only my experience to base this on (read: "many anecdotes of me failing to
build stuff I wrote a decade ago"). But it is bad enough that I have a
2022-04-26 05:09:10 +03:00
dependency checklist and am prepared to do the grunt work to save my future
self. Here is it:
1. Does the dependency do what I want, does it work at all?
2. Is it well written? API surface, documentation, tests, error handling, error
signaling, logging, metrics, memory usage (if applicable).
2022-04-26 19:31:24 +03:00
3. How easy is it to build, run, and run it's tests? Related: can it be used
2022-04-26 05:09:10 +03:00
outside the default package manager?
4. It's system dependencies.
5. It's transitive dependencies.
Assuming a "programming-language-specific package manager that does what it's
advertised to do", the path of least resistance, when it comes to this
checklist, is doing (1), and perhaps (2). Why bother with transitive
dependencies or it's build complexity, if the package manager will take care of
it all anyway?
Except it will only when you are adding it. Package manager will not help you
2022-04-26 19:31:24 +03:00
when the dependency disappears, its API changes, it stops doing what it has
2022-04-26 05:09:10 +03:00
advertised and many other [problems][crash-of-leftpad].
I am trying to do all 5. If a dependency is well written, but has more
transitive dependencies than I need and there is no good alternative, I will
fork and trim it. My recent example is
2022-04-23 07:40:29 +03:00
[sql-migrate](https://github.com/motiejus/sql-migrate).
2022-04-24 09:39:56 +03:00
To sum up, the "modern" languages optimize for initial development experience,
2022-04-26 19:31:24 +03:00
not maintenance. And as [Corbet says][linux-rust], "We can't understand why
2022-04-24 09:39:56 +03:00
Kids These Days just don't want to live that way". Kids want to build, John,
not maintain. A 4-letter Danish corporation made a fortune by selling toys that
do not need to be maintained: they are designed to be disassembled and built
2022-04-26 05:09:10 +03:00
anew. We are still kids. Growing up requires discipline, which is very hard,
when candy is cheap and package managers (and disks and network, which make all
of it possible) are as good as they are today.
2022-04-24 09:39:56 +03:00
2022-04-23 07:40:29 +03:00
If I may combine Corbet's views with mine: if we understand and audit our
2022-04-26 05:09:10 +03:00
dependencies (all of them, including transitive ones), we will have less
dependencies and a more maintainable system. Win-win.
2022-04-23 07:40:29 +03:00
Which brings us to...
2022-04-26 05:09:10 +03:00
git-subtrac
-----------
[`git-subtrac`][git-subtrac] manages our git dependencies (in our git
repository) just like "classic" git submodules, but all refs of the
dependencies stay in the same repository. Wait, stop here. Repeat after me: _it
is git submodules, but all refs stay in the same repository_. I also call it
"good vendoring". Since all the deps are in our repo, no external force can
make our dependency unavailable, change without notice. And it will keep the
size of the repository in check, because it's all there when you pull it.
Because `git-subtrac` is a vendoring tool, not a package manager, it only
2022-04-26 19:31:24 +03:00
vendors but does not help building packages. Therefore, with `git-subtrac` it
2022-04-26 05:09:10 +03:00
is harder to add and "make work" (build, test, add transitive deps) a
dependency than with a language-specific package manager. Oh, what about the
transitive dependencies?
2022-04-23 07:40:29 +03:00
[`git-subtrac`][git-subtrac] does not deal with transitive dependencies. At
least not directly. Or I am not aware of it. Ok, I haven't tried.
2022-04-26 05:09:10 +03:00
If we audit and thus understand our dependencies, we will be able to add the
transitive ones. So perhaps git-subtrac shouldn't care?
What about Zig?
---------------
2022-04-23 07:40:29 +03:00
2022-04-26 05:09:10 +03:00
Zig will have a package manager ([ziglang/zig#943][943]). I am not not very
enthusiastic about it; can we all use git-subtrac and be done with it?. A few
weeks ago in a park in Milan my conversation with [Andrew
Kelley](https://andrewkelley.me/) was something like:
2022-04-24 09:39:56 +03:00
- me: "git-subtrac yadda yadda yadda submodules but better yadda yadda yadda".
2022-04-26 19:31:24 +03:00
- Andrew: "If I clone a repository that uses it with no extra parameters, will
2022-04-24 09:39:56 +03:00
it work as expected?"
2022-04-26 19:31:24 +03:00
- me: "No, you have to pass `--recursive`, so git will checkout submodules...
2022-04-24 09:39:56 +03:00
even if they are already fetched."
2022-04-26 19:31:24 +03:00
- Andrew: "Then it's a piece-of-shit-approach."
2022-04-24 09:39:56 +03:00
Uh, I agree. People have not grown muscle memory to clone repositories with
`--recursive` flag and never will, so it's impossible to adopt git-subtrac
beyond well-controlled silos. Which is why we will have a
2022-04-26 05:09:10 +03:00
yet-another-programming-language-specific-package-manager. Or at least my
argument for using and advertising `git-subtrac` (and saving a lot of time for
2022-04-26 19:31:24 +03:00
Zig folks, and a lot of inevitable misery for its users) stops right there.
2022-04-24 09:39:56 +03:00
2022-04-23 07:40:29 +03:00
Conclusion
----------
2022-04-26 05:09:10 +03:00
Can git check out submodules when they are in the same repository, so our
conversation of reconsidering (or not having) a Zig package manager doesn't
2022-04-23 16:41:58 +03:00
stop after 5 seconds?
2022-04-24 09:39:56 +03:00
[^1]: Alphabetically: Erlang, Go, Java, Javascript, PHP, Perl, Python.
2022-04-23 16:41:58 +03:00
[^2]: Usually written in the same language. Zoo of package managers (sometimes
a couple of popular ones for the same programming language) is a can of worms
in an on itself worth another blog post.
2022-04-26 19:31:24 +03:00
[^3]: `go.sum` of a project I am currently involved in clocks around 6k lines.
2022-04-24 09:39:56 +03:00
This is quite a lot for Go, but still peanuts to Node.js.
2022-04-23 07:40:29 +03:00
[git-subtrac]: https://github.com/apenwarr/git-subtrac/
[linux-rust]: https://lwn.net/SubscriberLink/889924/a733d6630e3b5115/
2022-04-26 05:09:10 +03:00
[crash-of-leftpad]: https://drewdevault.com/2021/11/16/Cash-for-leftpad.html
[943]: https://github.com/ziglang/zig/issues/943