| field | value |
|---|---|
| author | Ngô Ngọc Đức Huy <huyngo@disroot.org>, 2021-06-21 22:34:08 +0700 |
| committer | Ngô Ngọc Đức Huy <huyngo@disroot.org>, 2021-06-21 22:34:08 +0700 |
| commit | 65cbe24948eed00d2a013828832bdff0f50534eb (patch) |
| tree | d945abd6aeeddc0b5720c09d4d970bd2ce72d9fb /content/posts |
| parent | 576342d50a409e90c83bfb86afbca78c16d19e93 (diff) |
| download | blog-65cbe24948eed00d2a013828832bdff0f50534eb.tar.gz |
Update post
Diffstat (limited to 'content/posts')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | content/posts/2021-06-21-ipwhl-update.md | 156 |

1 file changed, 156 insertions, 0 deletions
| diff --git a/content/posts/2021-06-21-ipwhl-update.md b/content/posts/2021-06-21-ipwhl-update.md new file mode 100644 index 0000000..6b5e423 --- /dev/null +++ b/content/posts/2021-06-21-ipwhl-update.md 
@@ -0,0 +1,156 @@ +--- +title: "[Update] IPWHL: Maybe the real cheeses are the packages we helped along +the way" +date: 2021-06-21 +categories: [blog, update] +tags: [update, ipwhl, python, packaging] +--- + +So, according to a [recent announcement][ipwhl-annonce] in the mailing list, I +now co-maintain the [IPWHL][ipwhl] project, also known as *Floating Cheeses* +(I prefer the latter for it being more playful and pronounceable, but IPWHL is +just quicker to type). So, I feel obliged to provide a more thorough +introduction. + +[ipwhl-annonce]: https://lists.sr.ht/~cnx/ipwhl-announce/%3CCC8HUR1YAFDL.YHJBG1SM70WE%40nix%3E +[ipwhl]: https://sr.ht/~cnx/ipwhl/ + +# Les Cheeses + +In short, IPWHL is a PyPI alternative (though, initially the package database +would be collected from there). What it provides: + +- Decentralization +- Security +- Reproducibility + +## Decentralization + +IPWHL uses [IPFS][ipfs] for storing packages. This provides several +advantages: + +- No single point of failure +- Easy to mirror +- Faster download thanks to P2P + +As there have been several incidents of PyPI outages, this is a strong reason +to use our cheeses. + +[ipfs]: https://ipfs.io/ + +## Security + +No single point of failure is a security feature itself, but besides that, +IPWHL also is more secure because: + +- We have CIDs and we cryptographically sign the packages thanks to merkle dag +- We avoid packaging packages that are typosquat attacks + +## Reproducibility + +IPWHL has a pre-resolved dependency and its packaging strategy is similar to +NixOS, a distro known for its reproducibility. The installer can uses the CID +and the package name to reproduce exactly the package. + +# Current problems + +Despite the theoretical advantages, IPWHL is a new project and thus has several +problems + +## Lack of packages + +A distribution doesn't mean anything without packages, and IPWHL is indeed in +need of them. 
+As of the time I am writing this (2021-06-21), there are less than 100 packages +declared in the database. + +Introducing more packages would lead to maintenance problem: we cannot, as two +sole maintainers, keep up with too many packages and make sure they're all +up-to-date. Therefore, please, come help us if you're interested in this +project. + +## Dependency Hell + +Maybe you've heard of `npm install is-even` meme, if you hang out in some +programming meme groups. It represents an underlying problem of having too +many packages depending on each other. PyPI is saner, I would say, but it does +have that problem. + + +*(Image Attribution[^0])* + +I would even say if the package dependency were like the above illustration, it +would be simple. In reality, *circular dependency* makes it impossible to +declare one package without declaring the other, which can be demonstrated by +this tensegrity shape: + + +*(I drew this!)* + +Or, in some cases, such as for `tox`, it can even be like this: + + +*(Image attribution[^3])* + +# How to help + + +*(Image Attribution[^1])* + +Due to mentioned problems, it is critical for the project to have contribution. +To start, please take a look at [the manual page][ipwhl-man] + +[ipwhl-man]: https://man.sr.ht/~cnx/ipwhl/guides/contrib.md + +## Help declaring packages information + +Currently, the packages with high priority is listed here: + +https://todo.sr.ht/~cnx/ipwhl/5 + +## Write docs + +User and contribution manuals are not really clearly written, and some +information are scattered across the [mailing lists][lists]. You can help by +compile them into a comprehensive structured manual. + +[lists]: https://sr.ht/~cnx/ipwhl/lists + +## Help resolving dependency conflicts + +> *Maybe the real cheeses are the packages we helped along the way* + +Some packages cannot be in its latest version, due to some constraints. + +A case in point is `Sphinx`, which depends on `docutils` and `docutils-stubs`. 
+The latest version for `docutils` is 0.17.1, but so far the latest version for +`docutils-stubs` depends on specifically 0.14 versions. Due to this conflicts, +you can only install `docutils 0.14`. + +Therefore, you can help developing and packaging [docutils-stubs][stub] so we +can have newer packages on IPWHL + +[stub]: https://github.com/tk0miya/docutils-stubs + +[^0]: Original XKCD comics: <https://xkcd.com/2347/>, shared under a CC-BY-NC + 2.5 License. + + Transcript retrieved (with some edits) from ExplainXKCD: + <https://explainxkcd.com/wiki/index.php/2347:_Dependency>, shared under a + CC-BY-SA 3.0 License. +[^1]: Scene cropped from *Rick and Morty*, a show by *Adult Swim*: + <https://www.youtube.com/watch?v=SdsJDLSI_Mo> +[^3]: Image retrieved from WikiMedia, authored by QuarterNotes: + <https://commons.wikimedia.org/wiki/File:Icosahedral_tensegrity_structure.png>, + shared under a CC-BY-SA 4.0 License | 
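Review bot: the Security bullet `- We have CIDs and we cryptographically sign the packages thanks to merkle dag` conflates two different properties and should be reworded. An IPFS CID is a content hash: the Merkle DAG guarantees that the bytes you fetch are exactly the bytes the CID names (integrity), but nothing in that bullet signs anything or says who published the package (authenticity), and a user who receives a CID from a tampered package index gets a perfectly valid hash for the tampered package. Either drop "sign" and say the CID pins the exact contents, or state where signatures actually enter (e.g. who signs the index of CIDs and how the installer checks that), since that is where the trust lives. Smaller fixes in the same hunk: `The installer can uses the CID` should read `can use`; `the packages with high priority is listed here` should read `are listed`; `some information are scattered` should read `is scattered`; `Some packages cannot be in its latest version` should read `their latest versions`; `Due to this conflicts` should read `this conflict`; and the footnotes run `[^0]`, `[^1]`, `[^3]` with no `[^2]`, so either renumber them or add the missing attribution.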
