Exactly. Given enough interest, we could also make a more formal review
process for a future SDL based format to ensure a maximum chance of a
solid, forward compatible format.

Of my former list mentioned in the VisualD thread [1], only package
signing is really still missing, but that's probably not mission
critical for now. The command line build process also needs to be
improved one way or another at some point (mostly caching pre-compiled
dependencies), but that also isn't really a strong argument anymore.

All in all I'd say that the things that are in the package format [2] by
now form a pretty solid basis to move forward without worrying too much
about future breakage.

[1]: http://forum.rejectedsoftware.com/groups/rejectedsoftware.vibed/post/79
[2]: http://code.dlang.org/package-format

On Wed, 11 Sep 2013 21:10:46 +0800
----------------------------
{
"name": "myproject",
"description": "A little web service of mine.",
"authors": ["Peter Parker", "Joe Contrib"],

"dependencies": {
"vibe-d": ">=0.7.11",
"mylib:component1": "~master",
"mylib:component2": "~master"
},

"subPackages": [
{
"name": "component1",
"targetType": "library",
"sourcePaths": ["source/component1"]
},
{
"name": "component2",
"targetType": "library",
"sourcePaths": ["source/component2"]
}
]
}
----------------------------

vs:

----------------------------
name "myproject",
description "A little web service of mine."
authors "Peter Parker" "Joe Contrib"

dependencies {
vibe-d ">=0.7.11"
mylib:component1 "~master"
mylib:component2 "~master"
}

subPackage {
name "component1"
targetType "library"
sourcePaths "source/component1"
}

subPackage {
name "component2"
targetType "library"
sourcePaths "source/component2"
}
----------------------------

That's why.

Besides, the JSON form wouldn't be going away anyway, it'd still be
kept.

I've added two enhancement requests for this:

https://github.com/rejectedsoftware/dub/issues/117
https://github.com/rejectedsoftware/dub-registry/issues/14

How many total downloads would be nice as well. In RubyGems there are
often similar packages and it can be hard to choose which to use. Example:

* bootstrap-will_paginate. 257 475 downloads

* will_paginate-bootstrap. 84 776 downloads

Obviously I'm going to choose the one with most downloads, if there are
any critical differences.

On Wednesday, 11 September 2013 at 06:28:30 UTC, S?nke Ludwig
Simple idea: try to build the package via current DMD. If
compilation false then the package too old (or we have DMD
regression). So, it would be nice to have package autotester like
for DMD/Phobos repositories.

Just use Travis CI, or similar. Unfortunately Travis CI currently only
supports Linux and Mac OS X. It doesn't support multiple platforms for a
single project.

http://travis-ci.org

On Wednesday, 11 September 2013 at 08:51:30 UTC, Jacob Carlborg
You cannot include anything you do not have the legal right to
include. I.E no copyright violations, no child porn software etc.
It seems obvious, but it does need to be stated and is a standard
part of any terms and conditions related to hosting and
distribution.
Yes, but if the latest version the package is known to work with
is more than 3 years old, it would be desirable to have that kept
away from the up to date packages.

I'm thinking this type of package manager should be a development tool
as well. But there are a lot of development tools that are executables
and not just libraries. Think of your documentation generator. Without
having looked at it I would assume it's an executable. I have myself a
tool, DStep, which translate C headers to D modules. This is an
executable as well.
I'm not referring to uploading zip packages. Say I have ten tags but I
only want dub to know about five of them. I want to manually say "make
the tag v0.0.1 available".
Yes, but I still don't like the default. To avoid misunderstandings,
will the dub, by default _both_ build an executable _and_ a library. Or
will it build an executable _or_ a library?
It's possible to import images, video, audio and many other type of
resources as well using string imports.
Yes, I was thinking the same.
Hmm ok. I would go with two separate tools that are well integrated with
each other.

BTW, neither "dub generate rdmd" or "dub generate build" seems to be
working.
I don't want to care about indirect dependencies. That's the job of the
package manager. If I need to keep track of indirect dependencies then
the package manager isn't helping much.
I might only control the "myproject" package.
I think this should be the default. I don't want my package to break at
random just because there's a newer version available of an indirect
dependency.

I think that a key feature of a package manager should be that any time
in time you're installing a package of a given version should result in
the _exact_ same packages, including indirect packages.
Any update, may it only be security fixes, may break a build. No,
semantic versions doesn't help here. Locking down by default is the safest.

If the package maintainer doesn't release an update how will you get
security updates?

It's better if there's an explicit way to update an indirect dependency.

I would rather add "bar": "==0.0.2" on one or two packages to force an
update of an indirect dependency rather then set "bar:" "==0.0.1" on
_all_ indirect dependency. This can be quite a large tree if there are
many dependencies.

At work we have a Ruby on Rails project. It currently uses 160 packages,
including Rails and all its sub components. It was pure hell before
"bundler" was released which locks down all package dependencies as I've
described here. Counting all indirect dependencies as well I get over
413 packages. Would you like to specify the exact version of all these?

Saying that "bundler" was a salvation for the Ruby community is an
understatement.

When we get a new employee or a new computer we want, of course, to have
the _exact_ same packages we use on all the other development machines
and the ones in production. Otherwise we cannot ensure that everything
is working the same way on our development machines as on the production
machines.

Hey, just adding a new production machine we could end up with different
packages before. Pure nightmare.

Whoa, no. Application/executable install management as a goal would be a
ridiculously bad idea.
Because that would sit at the wrong abstraction level. The OS package
manager should not be tied to a particular language to compile packages
from. Does it makes any sense to have to use D's package manager if my
cmd-line util is written in D, but if I have a C++ or Go derived
executable, I would have to use a different package manager for each?
And what if I want my tool to depend (at runtime) on an executable
generated from another language? Devise a mechanism for
cross-package-manager interoperaction?...
Ridiculous. An application/executable manager should be language
agnostic (and not even require compilation).

What dub should be first and foremost is a structured build tool (and
build specification) for D projects.

No, I completely agree. But there are a lot of developer tools that are
executables. They are used by developers just as dub is. It doesn't need
to be integrated with the native package manager. Just install it in a
directory and put it in the PATH.

I think AUR (Arch Linux Repository) model is very successful one
and worth paying attention to when it comes to source packages.
Other than voting it also has `out-of-date` flagging by users
which helps to noticed abandoned packages fast. There is also
small group of trusted users who processes requests for package
ownership transfer / package merging via mail list. Any
suspicious / malicious package get processed in a similar way.
Other than that it is very anarchic environment and still works
damn well - AUR package count is now more than 40 000 and Arch
Linux is pretty young distro.