From 65cbe24948eed00d2a013828832bdff0f50534eb Mon Sep 17 00:00:00 2001 From: Ngô Ngọc Đức Huy Date: Mon, 21 Jun 2021 22:34:08 +0700 Subject: Update post --- .build.yml | 31 ------ content/posts/2021-06-21-ipwhl-update.md | 156 +++++++++++++++++++++++++++++++ static/images/begging-for-help.png | Bin 0 -> 687351 bytes static/images/tensegrity.png | Bin 0 -> 62637 bytes static/images/xkcd-dependency.png | Bin 0 -> 53882 bytes 5 files changed, 156 insertions(+), 31 deletions(-) delete mode 100644 .build.yml create mode 100644 content/posts/2021-06-21-ipwhl-update.md create mode 100644 static/images/begging-for-help.png create mode 100644 static/images/tensegrity.png create mode 100644 static/images/xkcd-dependency.png diff --git a/.build.yml b/.build.yml deleted file mode 100644 index 28e650d..0000000 --- a/.build.yml +++ /dev/null @@ -1,31 +0,0 @@ -image: debian/bullseye -oauth: pages.sr.ht/PAGES:RW -sources: - - https://git.sr.ht/~sircmpwn/openring - - https://git.disroot.org/huyngo/conlang -packages: - - golang - - hugo -environment: - site: huyngo.srht.site -tasks: -- install: | - cd openring - go build -o openring - sudo cp openring /usr/local/bin/ -- embed: | - cp -r conlang/src $site/content/conlang - cd $site/content/conlang - mv index.md _index.md - sed "s/\//_/g" SUMMARY.md | sed "s/\._/.\//g" | sed "s/.md/\//g" | grep -v "Introduction" >> _index.md - rm SUMMARY.md - ../../preprocess.sh - find -type f | grep "sh$" | xargs rm -- package: | - cd $site - ./create-webring.sh - hugo --baseURL="https://huyngo.srht.site" - cd public - tar -cvz . > ../../site.tar.gz -- upload: | - acurl -f https://pages.sr.ht/publish/$site -Fcontent=@site.tar.gz diff --git a/content/posts/2021-06-21-ipwhl-update.md b/content/posts/2021-06-21-ipwhl-update.md new file mode 100644 index 0000000..6b5e423 --- /dev/null +++ b/content/posts/2021-06-21-ipwhl-update.md 
@@ -0,0 +1,156 @@ +--- +title: "[Update] IPWHL: Maybe the real cheeses are the packages we helped along +the way" +date: 2021-06-21 +categories: [blog, update] +tags: [update, ipwhl, python, packaging] +--- + +So, according to a [recent announcement][ipwhl-annonce] in the mailing list, I +now co-maintain the [IPWHL][ipwhl] project, also known as *Floating Cheeses* +(I prefer the latter for it being more playful and pronounceable, but IPWHL is +just quicker to type). So, I feel obliged to provide a more thorough +introduction. + +[ipwhl-annonce]: https://lists.sr.ht/~cnx/ipwhl-announce/%3CCC8HUR1YAFDL.YHJBG1SM70WE%40nix%3E +[ipwhl]: https://sr.ht/~cnx/ipwhl/ + +# Les Cheeses + +In short, IPWHL is a PyPI alternative (though, initially the package database +would be collected from there). What it provides: + +- Decentralization +- Security +- Reproducibility + +## Decentralization + +IPWHL uses [IPFS][ipfs] for storing packages. This provides several +advantages: + +- No single point of failure +- Easy to mirror +- Faster download thanks to P2P + +As there have been several incidents of PyPI outages, this is a strong reason +to use our cheeses. + +[ipfs]: https://ipfs.io/ + +## Security + +No single point of failure is a security feature itself, but besides that, +IPWHL also is more secure because: + +- We have CIDs and we cryptographically sign the packages thanks to merkle dag +- We avoid packaging packages that are typosquat attacks + +## Reproducibility + +IPWHL has a pre-resolved dependency and its packaging strategy is similar to +NixOS, a distro known for its reproducibility. The installer can uses the CID +and the package name to reproduce exactly the package. + +# Current problems + +Despite the theoretical advantages, IPWHL is a new project and thus has several +problems + +## Lack of packages + +A distribution doesn't mean anything without packages, and IPWHL is indeed in +need of them. 
+As of the time I am writing this (2021-06-21), there are less than 100 packages +declared in the database. + +Introducing more packages would lead to maintenance problem: we cannot, as two +sole maintainers, keep up with too many packages and make sure they're all +up-to-date. Therefore, please, come help us if you're interested in this +project. + +## Dependency Hell + +Maybe you've heard of `npm install is-even` meme, if you hang out in some +programming meme groups. It represents an underlying problem of having too +many packages depending on each other. PyPI is saner, I would say, but it does +have that problem. + +![xkcd comics "Dependency": +A tower of blocks is shown. The upper half consists of many tiny blocks +balanced on top of one another to form smaller towers, labeled: +"All modern digital infrastructure" +The blocks rest on larger blocks lower down in the image, finally on a +single large block. This is balanced on top of a set of blocks on the left, +and on the right, a single tiny block placed on its side. This one is +labeled: A project some random person in Nebraska has been thanklessly +maintaining since 2003](/images/xkcd-dependency.png "Such dependency, wow") +*(Image Attribution[^0])* + +I would even say if the package dependency were like the above illustration, it +would be simple. 
In reality, *circular dependency* makes it impossible to +declare one package without declaring the other, which can be demonstrated by +this tensegrity shape: + +![A tensegrity structure](/images/tensegrity.png +"Remove any part and it's broken") +*(I drew this!)* + +Or, in some cases, such as for `tox`, it can even be like this: + +![A tensegrity icosahedron made from straws and string](https://upload.wikimedia.org/wikipedia/commons/5/5d/Icosahedral_tensegrity_structure.png "I don't even know how this work") +*(Image attribution[^3])* + +# How to help + +![Rick from *Rick and Morty* dancing and singing "I'm begging for +help"](/images/begging-for-help.png "I hope adult swim don't sue me for +this.") +*(Image Attribution[^1])* + +Due to mentioned problems, it is critical for the project to have contribution. +To start, please take a look at [the manual page][ipwhl-man] + +[ipwhl-man]: https://man.sr.ht/~cnx/ipwhl/guides/contrib.md + +## Help declaring packages information + +Currently, the packages with high priority is listed here: + +https://todo.sr.ht/~cnx/ipwhl/5 + +## Write docs + +User and contribution manuals are not really clearly written, and some +information are scattered across the [mailing lists][lists]. You can help by +compile them into a comprehensive structured manual. + +[lists]: https://sr.ht/~cnx/ipwhl/lists + +## Help resolving dependency conflicts + +> *Maybe the real cheeses are the packages we helped along the way* + +Some packages cannot be in its latest version, due to some constraints. + +A case in point is `Sphinx`, which depends on `docutils` and `docutils-stubs`. +The latest version for `docutils` is 0.17.1, but so far the latest version for +`docutils-stubs` depends on specifically 0.14 versions. Due to this conflicts, +you can only install `docutils 0.14`. 
+ +Therefore, you can help developing and packaging [docutils-stubs][stub] so we +can have newer packages on IPWHL + +[stub]: https://github.com/tk0miya/docutils-stubs + +[^0]: Original XKCD comics: , shared under a CC-BY-NC + 2.5 License. + + Transcript retrieved (with some edits) from ExplainXKCD: + , shared under a + CC-BY-SA 3.0 License. +[^1]: Scene cropped from *Rick and Morty*, a show by *Adult Swim*: + +[^3]: Image retrieved from WikiMedia, authored by QuarterNotes: + , + shared under a CC-BY-SA 4.0 License diff --git a/static/images/begging-for-help.png b/static/images/begging-for-help.png new file mode 100644 index 0000000..34cca3c Binary files /dev/null and b/static/images/begging-for-help.png differ diff --git a/static/images/tensegrity.png b/static/images/tensegrity.png new file mode 100644 index 0000000..edf69e2 Binary files /dev/null and b/static/images/tensegrity.png differ diff --git a/static/images/xkcd-dependency.png b/static/images/xkcd-dependency.png new file mode 100644 index 0000000..e07722d Binary files /dev/null and b/static/images/xkcd-dependency.png differ -- cgit 1.4.1
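Review bot: the deletion of `.build.yml` is not mentioned in the commit message ("Update post") and has nothing to do with the new post, so it belongs in its own commit with a line saying what replaces it. The removed manifest is the one that ran `hugo --baseURL="https://huyngo.srht.site"` and published through `acurl -f https://pages.sr.ht/publish/$site` under `oauth: pages.sr.ht/PAGES:RW`, and this patch adds no other build or publish step in its place. If the pipeline has moved elsewhere, say so in the message; if it is being dropped, say that instead.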
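Review bot: in `content/posts/2021-06-21-ipwhl-update.md`, under "## Security", the bullet "We have CIDs and we cryptographically sign the packages thanks to merkle dag" describes content addressing as signing. A CID in a Merkle DAG is a hash of the content, so it lets the installer check that the bytes it fetched match the CID it asked for, but it does not say who published them; that still depends on how the CID itself reaches the user. Suggest wording along the lines of "packages are content-addressed, so every download is verified against its CID", and mention signatures only if there is a separate signing step. Smaller points in the same file: "The installer can uses", "Due to this conflicts", and the footnotes run `[^0]`, `[^1]`, `[^3]` with no `[^2]`.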