[Discussion Starter] Package post-clone script (Robert F. Dickerson)


(Robert F Dickerson) #1

I think that a post-clone script or similar functionality could be very
useful. There are other systems language communities also recognize the
need for such support to enhance the build process in some fashion. For
example, Rust/Cargo has its build.rs file (
http://doc.crates.io/build-script.html) that serves the purpose of running
these custom tasks before the Cargo package manager builds the project.
Platforms where Swift projects with C-interop without easy access to a
system library Package manager includes Buildpacks (like to Heroku and
Bluemix) through Cloud Foundry.

I think that the current C-proposal that builds C code if it exists in a
properly structured project with a file structure hits a great niche that
can serve many use-cases that the C code is basically owned by the user
writing the Swift code. It is very similar functionally to the node-gyp
package. I have tested it in the latest SNAPSHOT 3-21 and it works very
well!

However, there are many libraries out there as you pointed out like libSSL
and libCurl that have more complex build steps. Given the current
C-proposal, these repositories such as libCurl would be needed to have a
full overhaul to their structure in order for SPM to build them. Even with
this overhaul, there would be no way to pass in arguments to the configure
script in libCurl in order to add in additional support for HTTP2 or SSL.

I have found a "hack" that can work in order to bring in a prebuilt library
for x86-64 Linux and Mac OS before the Swift build is run. It works by
checking the platform in the Package.swift file and copying the prebuilt
dynamic library to the .build/debug directory before kicking off a build.
This is not an elegant solution. It would not handle platforms that we did
not anticipate (like ARM, zOS, PowerPC, etc.) but since SPM will read the
Package.swift files through the dependency chain before actually calling
swiftc, this solution works. Here is the modulemap for libCurl and the
"post-clone" step:

https://github.com/IBM-Swift/CCurl-bin/

I think we still need to be careful, however not to try to recreate what
Ninja, CMake, Automake does. Also, not recreate what apt-get, yum, brew,
etc. is trying to achieve. Maybe if the Swift Package Manager had more
"hooks" such as post-clone, post-compile, etc. throughout the lifecycle of
the application build?
                                                                 
   Robert F. Dickerson, PhD
   Software Engineer, Swift@IBM
   Engineering

···

From: swift-build-dev-request@swift.org
To: swift-build-dev@swift.org
Date: 03/22/2016 11:58 AM
Subject: swift-build-dev Digest, Vol 4, Issue 13
Sent by: swift-build-dev-bounces@swift.org

Send swift-build-dev mailing list submissions to
     swift-build-dev@swift.org

To subscribe or unsubscribe via the World Wide Web, visit
     https://lists.swift.org/mailman/listinfo/swift-build-dev
or, via email, send a message with subject or body 'help' to
     swift-build-dev-request@swift.org

You can reach the person managing the list at
     swift-build-dev-owner@swift.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of swift-build-dev digest..."

Today's Topics:

   1. Re: How to depend on a specified Pre-release version of
      package with the Swift Package Manager (Max Howell)
   2. Re: [Discussion Starter] Package post-clone script (Max Howell)
   3. Re: [Discussion Starter] Package post-clone script (Honza Dvorsky)
   4. Re: [swift-evolution] Proposal Discussion Thread: SwiftPM:
      Locking and Overriding Dependencies (Kostiantyn Koval)
   5. Re: [swift-evolution] Proposal Discussion Thread: SwiftPM:
      Locking and Overriding Dependencies (Max Howell)
   6. Re: [swift-evolution] Proposal Discussion Thread: SwiftPM:
      Locking and Overriding Dependencies (Max Howell)
   7. Re: Proposal Discussion Thread: SwiftPM: Locking and
      Overriding Dependencies (Max Howell)
   8. Re: [Discussion Starter] Package post-clone script (Chris Bailey)

----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Mar 2016 11:10:02 -0700
From: Max Howell <max.howell@apple.com>
To: Kostiantyn Koval <konstantin.koval1@gmail.com>
Cc: swift-build-dev@swift.org, Martha JP <jpmartha.jp@gmail.com>
Subject: Re: [swift-build-dev] How to depend on a specified
     Pre-release version of package with the Swift
Package Manager
Message-ID: <179AFB3A-AF8D-4D1D-8774-F694DF1C5C85@apple.com>
Content-Type: text/plain; charset="utf-8"

Strictly, we don’t really want people specifying such exact version
requirements in Package.swift, since it would be easy to forget and then be
trapped on a single version forever despite updates being available.

The lockfile proposal is more for this kind of restriction, but this is not
yet implemented (or approved).

However Kostiantyn’s suggestion should work, though you’ll need to specify
it as an inclusive range of the provided Version() twice.

On Mar 21, 2016, at 2:36 AM, Kostiantyn Koval via swift-build-dev <swift-build-dev@swift.org> wrote:

Hi JPMartha,

I think it should be possible to specify a dependency package with a

specific pre-release identifier in Manifest and swiftpm should fetch that
exact version.

Example:
Package(url: ""https://github.com/ikesyo/Himotoki.git <

http://github.com/ikesyo/Himotoki.git>",

  versions: Version(1, 0, 0, prereleaseIdentifiers: “beta.1”)

The swiftPM should fetch a package with v-1.0.0-beta-1 tag

On 21 Mar 2016, at 06:43, Martha JP via swift-build-dev <swift-build-dev@swift.org <mailto:swift-build-dev@swift.org>> wrote:

Hi, I'm JPMartha.

I had filed an issue of the Swift Package Manager first.
But, I should have heard your feedback on my opinion beforehand.

Please see the following:
https://bugs.swift.org/browse/SR-965 <

https://bugs.swift.org/browse/SR-965>

I think it's unexpected behavior.
I'm curious to hear your feedback!

Best regards,
JPMartha
_______________________________________________
swift-build-dev mailing list
swift-build-dev@swift.org <mailto:swift-build-dev@swift.org>
https://lists.swift.org/mailman/listinfo/swift-build-dev

_______________________________________________
swift-build-dev mailing list
swift-build-dev@swift.org
https://lists.swift.org/mailman/listinfo/swift-build-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/3571291e/attachment-0001.html

------------------------------

Message: 2
Date: Mon, 21 Mar 2016 11:19:40 -0700
From: Max Howell <max.howell@apple.com>
To: Honza Dvorsky <jan.dvorsky@me.com>
Cc: "swift-build-dev@swift.org" <swift-build-dev@swift.org>
Subject: Re: [swift-build-dev] [Discussion Starter] Package post-clone
     script
Message-ID: <C52F9EDA-6859-44A5-95FC-F8A9CCB734F9@apple.com>
Content-Type: text/plain; charset="utf-8"

On Mar 19, 2016, at 10:55 AM, Honza Dvorsky via swift-build-dev <swift-build-dev@swift.org> wrote:

Hi All,

today I was trying to investigate how to build a proper cross-platform

server-side Swift project and only use SwiftPM to do it. In particular, I
was interested in getting OpenSSL/libcurl working as a dependency (built
from source). The main reason is that currently the big Swift server
frameworks all require manual steps during deployment (running apt-get/brew
to install libcurl/openssl/others) and I am trying to get rid of these
manual steps, eventually only requiring a `swift build` and run.

With the great initial work <

https://github.com/apple/swift-package-manager/pull/183> to support
building C-family packages in SwiftPM done by Ankit, I was able to have a
simple C package as a dependency, as advertised. However, the reality of
big cross-platform open source projects like OpenSSL and libcurl is that in
order to actually build it from source, a configure (or similar) script has
to be run to get the source code ready for compilation. And this is where I
got stuck.

Thus I wanted to kick off a discussion of what approach of solving this

problem with SwiftPM should be. The simple solution, which I'm tentatively
proposing, is to have an optional "post-clone" script in the package's
repository. Then, the Package.swift would optionally contain a field for
the path to this script - and if present, it'd get run after SwiftPM clones
this package. Note that this would be a "post-clone" script, not a
"prebuild" script - I imagine it'd only run once when cloning and then only
after each clean.

In order to get users to stop having to run manual script to install all

dependencies, I believe that we need to allow packages to declare what work
needs to be done on its source before compilation can begin.

I have a proposal I’d like to push today that adds knowledge to SwiftPM
about how to install system dependencies for System Module Packages.

We are not keen to add arbitrary script execution to SwiftPM, because: 1)
Arbitrary scripts cannot be controlled and this leads to dependency hell
and 2) arbitrary scripts mean your package graph may do anything, which
nobody wants.

Now I’m fine with the “root package” ie. the package the user has control
over doing more, but this would be a different discussion.

So the question becomes, is this sufficient? To have `brew install openssl`
run, or do you really need to install from source?

Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/e84bfa9f/attachment-0001.html

------------------------------

Message: 3
Date: Mon, 21 Mar 2016 18:38:14 +0000
From: Honza Dvorsky <jan.dvorsky@me.com>
To: Max Howell <max.howell@apple.com>
Cc: "swift-build-dev@swift.org" <swift-build-dev@swift.org>
Subject: Re: [swift-build-dev] [Discussion Starter] Package post-clone
     script
Message-ID:

<CAJi4s=TSPC0tncHGOmZL6QbhirO0uG57BvtEWLdMnJ82T4zGCQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I personally don't like the idea of an arbitrary script either, it was just
the first obvious solution to a problem I believe needs solving. The
advantage of building from source even of these base dependencies is that
the exact version of system dependencies
- can be ensured to be the same version across platforms
- their version is part of the explicit dependency graph

Currently, AFAIR, installing Redis with homebrew and apt-get each produce a
different version, which IMO defeats the point of having a dependency
manager in the first place. But I guess if your proposal could ensure that
the same version is installed on all platforms, this particular problem
would be solved.

So the question becomes, is this sufficient? To have `brew install

openssl` run, or do you really need to install from source?

I'm still not sure. Now I think your proposal will probably help with most
cases (which is a very good way to approach things), but definitely not
all. Imagine you yourself having a cross-platform C project which needs
platform configuring before compilation. Even when you're completely in
control, the fact that you still can't get this working is troubling. But
maybe I'm just inflating extremely uncommon usecases.

One more thing - consider two Swift packages each needing a different
version of OpenSSL. Does your proposal handle that case?

Anyway, I'd love to read your proposal and then re-evaluate whether I still
feel like there's a large enough benefit in introducing such customization
to SwiftPM :slight_smile:

Honza

On Mon, Mar 21, 2016 at 6:19 PM Max Howell <max.howell@apple.com> wrote:

On Mar 19, 2016, at 10:55 AM, Honza Dvorsky via swift-build-dev < > swift-build-dev@swift.org> wrote:

Hi All,

today I was trying to investigate how to build a proper cross-platform
server-side Swift project and only use SwiftPM to do it. In particular, I
was interested in getting OpenSSL/libcurl working as a dependency (built
from source). The main reason is that currently the big Swift server
frameworks all require manual steps during deployment (running

apt-get/brew

to install libcurl/openssl/others) and I am trying to get rid of these
manual steps, eventually only requiring a `swift build` and run.

With the great initial work
<https://github.com/apple/swift-package-manager/pull/183> to support
building C-family packages in SwiftPM done by Ankit, I was able to have a
simple C package as a dependency, as advertised. However, the reality of
big cross-platform open source projects like OpenSSL and libcurl is that

in

order to actually build it from source, a configure (or similar) script

has

to be run to get the source code ready for compilation. And this is where

I

got stuck.

Thus I wanted to kick off a discussion of what approach of solving this
problem with SwiftPM should be. The simple solution, which I'm

tentatively

proposing, is to have an optional "post-clone" script in the package's
repository. Then, the Package.swift would optionally contain a field for
the path to this script - and if present, it'd get run after SwiftPM

clones

this package. Note that this would be a "post-clone" script, not a
"prebuild" script - I imagine it'd only run once when cloning and then

only

after each clean.

In order to get users to stop having to run manual script to install all
dependencies, I believe that we need to allow packages to declare what

work

needs to be done on its source before compilation can begin.

I have a proposal I’d like to push today that adds knowledge to SwiftPM
about how to install system dependencies for System Module Packages.

We are not keen to add arbitrary script execution to SwiftPM, because: 1)
Arbitrary scripts cannot be controlled and this leads to dependency hell
and 2) arbitrary scripts mean your package graph may do anything, which
nobody wants.

Now I’m fine with the “root package” ie. the package the user has control
over doing more, but this would be a different discussion.

So the question becomes, is this sufficient? To have `brew install
openssl` run, or do you really need to install from source?

Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/5717a2ac/attachment-0001.html

------------------------------

Message: 4
Date: Mon, 21 Mar 2016 21:12:47 +0100
From: Kostiantyn Koval <konstantin.koval1@gmail.com>
To: Max Howell <max.howell@apple.com>
Cc: "swift-evolution@swift.org" <swift-evolution@swift.org>,
     "swift-build-dev@swift.org" <swift-build-dev@swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
     Thread: SwiftPM: Locking and Overriding Dependencies
Message-ID: <EF0A84B5-9C45-4979-A59F-94E8F52D533A@gmail.com>
Content-Type: text/plain; charset="utf-8"

I like the proposal.

I have 1 concern.
As a package author, like PromiseKit <https://github.com/mxcl/PromiseKit>
I often have a need to fix some of my dependencies and publish it to my
package users.

With the current proposal I can do it:
  - Advise it in README, which is not really a solution done by swift
package manager.
  - update Manifest.swift file. There is no convent way to do it now.

I would love to have some functionality to make it simpler for me to
specify (modify Manifest.swift or smt else) that Dependency X should:
  - use specific tag X
  - use commit X

But maybe that should be part of another proposal. The lock file would
perfectly solve the problems for developing projects that uses packages.

- Kostiantyn

On 20 Mar 2016, at 06:07, Daniel Dunbar via swift-build-dev <swift-build-dev@swift.org> wrote:

My thoughts on this proposal:

1. I agree with some of the other comments that I would prefer the

version file be adjacent to "Package.swift". When the Packages directory
isn't being checked in, I really would like to think of it as an
"implementation detail" and not embed functionality inside it that would
make it hard to remove or change in the future.

2. I like VersionLocks.json well enough, but would like to see a

discussion about possible alternatives. My personal proposal (in line with
#1) is to use "PackageVersions.json" which has a nice agreement with
Package.swift and would mean two common metadata files show up adjacent. I
don't really want to bike shed on the name, but I suspect whatever we pick
first will last for a while so I would at least like to review the various
alternatives. I also will throw out that my personal opinion is we don't
need to pick a name that bears much resemblance with existing terminology,
whatever we pick will eventually become "the standard" for the SwiftPM
ecosystem so I would prefer to pick the most-descriptive-possible name up
front, not one that alludes to the same concept in other systems.

3. I like the terminology section here, I almost feel like we should

adopt that as official terminology in our documentation (which I don't
think we have yet, correct me if I am wrong).

4. I would like it if the lock file recorded the exact SHA it received,

and validate that when retrieving. This helps protect users against MITM
attacks or unexpected changes if an upstream modifies a tag. It also can be
used as part of safety checks when migrating to an alternate repository
host which is expected to have the same content.

5. The "workflow - build" sections #2,3,4 are rather complicated. Is this

because the proposal is trying to work with existing Packages layouts, or
because the proposal is trying to handle the various variations of what the
user may have checked in inside the Packages subdirectory?

6. I wonder if we should be defining, as Eloy alludes to, two different

things:

- The version lock file, which defines the expected versions for the

package manager to use when it is doing package resolution.

- The package state file (in Packages.swift), which is used by the

package manager to track information on the Packages/ subdir state in order
to provide useful features primarily focused at the scenarios when the user
is modifying those files.

Currently it seems like a lot of the behaviors in the proposal are

focused at the latter case, but they feel like they should be decoupled
problems to me.

- Daniel

On Mar 17, 2016, at 11:23 AM, Max Howell via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

The following is a draft proposal, feedback welcome.

____________
SwiftPM Dependency Version Locking
Proposal: SE-NNNN <

https://github.com/apple/swift-evolution/blob/master/proposals/NNNN-swiftpm-dependency-lockfiles.md

Author(s): Ankit Agarwal <https://github.com/aciidb0mb3r>, Max Howell <

https://github.com/mxcl>

Status: Discussion
Review manager: Rick Ballard
Introduction
This proposal seeks to declare a new, generated file

Packages/VersionLocks.json that describes the exact state of a package’s
dependency graph and then by default will be respected when executing most
package manager commands. Thus it is considered a “version lock” for a
package’s dependency sources.

Swift-evolution thread <

https://lists.swift.org/pipermail/swift-build-dev/Week-of-Mon-20151214/000067.html

Terminology
A package refers to a published, versioned git repository designed to be

consumed as a dependency by SwiftPM.

A project refers to an end-user workspace that uses SwiftPM (via a

Package.swift and swift build) fetching and building packages as part of
its build

Describing this distinction is required because both the above have the

same form, but are used differently by an end-user. An end-user may publish
packages, but will eventually consume those packages in a project.

As justification for this confusion, it is considered a feature that

projects can easily and trivially become packages when using SwiftPM.
Encouraging a vibrant packaging ecosystem is one of our goals.

Motivation
In a vibrant packaging ecosystem, dependencies update continuously with

bug-fixes and new features. A development team needs:

To ensure they are all using the same versions of their dependencies for

any given version-control commit.

Ensure they are all using the same versions of the underlying Swift

toolchain

Be able to override or modify dependency specifications for the whole

team for specific commits.

Currently with SwiftPM it is possible to fulfill 1. by committing the

sources of a package’s dependencies with the package itself, but this is
not always desirable. There is no way to achieve 2. and 3. with SwiftPM
alone.

Additionally, there is not currently a way to know which version of

Swift a package requires to build. At this time this situation is
particularly precarious because Swift itself is not backwards compatible.
As a Swift developer at the very least recording which Swift version a
package was built with by the package developer is essential information in
order to assess a package's suitability. Practically the package manager
could in the future use this information to aid an end-user or even fix the
problem when packages fail to compile.

Proposed Solution
A file: Packages/VersionLocks.json will be created alongside the

Package.swift file. Its contents will describe:

The URL and versions of cloned dependencies
An inline diff of any local modifications made to those packages

relative to their pristine cloned states

The exact version of the Swift toolchain used as part of the last

successful build of the package

This file is generated by SwiftPM.

This file should be checked-in with projects.

This file is generated and should not be edited by users. If the file is

edited by users the behavior is undefined.

This file should be checked-in with packages designed for consumption in

projects, however SwiftPM will not use the checkout files of dependencies
when determining a project’s dependency graph (this would make dependency
graphs much less likely to resolve due to overly strict versioning
requirements). In the future we may choose to make it possible for
end-users to attempt to build a package using all checkout files since in
certain deployment scenarios where an exact graph has already been tested,
this is a solid reliabiity feature.

Any local, modifications made to the clones in Packages are recorded in

Packages/VersionLocks.json as part of the flow described in the next
section. Modifications here means: changes to git remotes and the git-ref
of the checked-out HEAD.

Detailed Design
In a fresh clone that does not contain a Packages directory swift build

will determine the dependency graph, clone the packages into Packages and
generate a Packages/VersionLocks.json file.

The user can now step into the Packages directory and modify package

sources. If the user then runs swift build again the package manager will
error out:

error: dependency sources have been modified
execute `swift build --lock` or `swift build --ignore-lock`
It is an error to build against an unlocked dependency graph, but to

facilitate fixing bugs etc. an ignore flag can be specified.

When swift build --lock is specified the package manager regenerates the

lockfile detailing the active git remote and the SHA that is checked-out.

Every time swift build completes a build the lockfile is updated (if

necessary) recording the current version of the Swift toolchain that
achieved the build.

Packages/VersionLocks.json

The exact design of the contents of this file will be explored during

iterative development, but here is a possible example:

json { "packages": [ { "clone": "Packages/PromiseKit-3.0.3", "origin": "

https://github.com/mxcl/PromiseKit"
"ref": "3.0.3" }, { "clone": "Packages/Alamofire-1.2.3", "origin": "
https://github.com/a-fork-somewhere/Alamofire <
https://github.com/a-fork-somewhere/Alamofire>" "ref": "crucial-fix" },
{ "clone": "Packages/Quick-1.2.3", "origin": "
https://github.com/Quick/Quick" "ref":
"1.2.3" } ] }

Workflow — Regular Build

User runs swift build
If Packages/ contains clones and a VersionLocks.jsonSwiftPM skips to 7.
If Packages/ contains clones and no VersionLocks.json the lockfile is

generated from the clones

If Packages/ contains checked out sources without git information and no

VersionLocks.json SwiftPM fetches the git information and provided there is
no diff, generates the Lockfile, if there is variation it is an error *

If Packages/VersionLocks.json is present its dependency graph is used
If Packages doesn't exist or is empty the dependency graph is resolved,

packages are cloned and the Lockfile is generated

Build, if Packages are missing because we skipped from 2. the build will

error, it is the user's responsibility to instruct SwiftPM to --update or
to fix their dependency graph some other way.

This scenario is so users can check in their complete dependency sources

to their tree instead of / as well as the VersionLocks.json file: a
situation which sometimes is necessary if your dependencies are removed
from their third party online location, etc.

Workflow — Making Modifications

User makes local modification to a dependency’s sources
User runs swift build
swift build errors out.
User must either lock the graph or run with --ignore-lock
The error-out is likely to be considered tedious by users, however we

consider it important that users are made aware and forced to act when they
modify their dependencies and thus are exposing their team/users to
so-called “dependency hell”.

Runing swift build --lock regenerates the lockfile, but does not build.

Modifications must be committed. This means that if the modifications

are not uploaded to a location accessible to the rest of the team they will
fail to build when they update their checkouts.

The package manager could check for this by asking git if the specified

origin has the current locked ref and error out as appropriate.

Workflow — Overriding Packages

User steps into a Package directory eg. Packages/Foo-1.2.3
User changes the origin of Foo to their own fork
User alters HEAD to point to a fix in their own fork
swift build errors out.
User must either lock the graph or run with --ignore-lock
Running swift build --lock regenerates the lockfile, the new origin and

tag is stored. Thus a fresh clone of this project would use these
overrides.

It is important to note that this workflow will not be respected for

dependencies, only for projects.

If a package author requires an override they have a few options:

Change the Package.swift dependency specification. This should only be

done as a last resort, for example, a critical bug must be fixed in a
dependency and that dependency author is not being responsive. It is up to
the Package author to ensure this scenario goes well. SwiftPM itself wants
to guard against these conditions with our proposed “publish & lint” step
that validates such decisions before signing a published package tag. But
we are not there yet and thus package authors should be responsible.

Advise end-users in a package README that they should override the

dependency themselves.

2 is preferred, but 1 will happen. We consider it our responsibility to

develop tooling that makes 1. safe or unnecessary, but we are not there
yet.

Workflow — Updating Packages

SwiftPM has no update mechanism yet, but once it does running swift

build --update will fetch the latest versions of all dependencies and
update the lockfile.

Impact on existing code
This proposal will have no impact on existing code.

Alternatives Considered
One alternative is to allow mentioning refs in manifest file while

declaring a dependency but as discussed in this <
http://markdownlivepreview.com/"https://lists.swift.org/pipermail/swift-build-dev/Week-of-Mon-20151214/

thread it might not be the best idea.

Using Git submodules for this feature was considered. However something

additionally would be required to specify swift version and record local
diffs. Also this would lock us into git, and despite the fact that
currently we only use git, we have not yet ruled out supporting other
version control systems.

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution

_______________________________________________
swift-build-dev mailing list
swift-build-dev@swift.org
https://lists.swift.org/mailman/listinfo/swift-build-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
https://lists.swift.org/pipermail/swift-build-dev/attachments/20160321/3f3452fe/attachment-0001.html

------------------------------

Message: 5
Date: Mon, 21 Mar 2016 15:57:49 -0700
From: Max Howell <max.howell@apple.com>
To: Kostiantyn Koval <konstantin.koval1@gmail.com>
Cc: "swift-evolution@swift.org" <swift-evolution@swift.org>,
     "swift-build-dev@swift.org" <swift-build-dev@swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
     Thread: SwiftPM: Locking and Overriding Dependencies
Message-ID: <28D54CDA-9388-4938-B0AF-C895B54D9134@apple.com>
Content-Type: text/plain; charset=us-ascii

  - update Manifest.swift file. There is no convent way to do it now.

It is not convenient enough to edit it with a text editor and commit? Seems
pretty convenient to me.

------------------------------

Message: 6
Date: Mon, 21 Mar 2016 16:05:46 -0700
From: Max Howell <max.howell@apple.com>
To: Daniel Dunbar <daniel_dunbar@apple.com>
Cc: "swift-evolution@swift.org" <swift-evolution@swift.org>,
     "swift-build-dev@swift.org" <swift-build-dev@swift.org>
Subject: Re: [swift-build-dev] [swift-evolution] Proposal Discussion
     Thread: SwiftPM: Locking and Overriding Dependencies
Message-ID: <D2A832AB-4B07-418E-9D6F-32A76EF1EB58@apple.com>
Content-Type: text/plain; charset="utf-8"

2. I like VersionLocks.json well enough, but would like to see a

discussion about possible alternatives. My personal proposal (in line with
#1) is to use "PackageVersions.json" which has a nice agreement with
Package.swift and would mean two common metadata files show up adjacent. I
don't really want to bike shed on the name, but I suspect whatever we pick
first will last for a while so I would at least like to review the various
alternatives. I also will throw out that my personal opinion is we don't
need to pick a name that bears much resemblance with existing terminology,
whatever we pick will eventually become "the standard" for the SwiftPM
ecosystem so I would prefer to pick the most-descriptive-possible name up
front, not one that alludes to the same concept in other systems.

I like PackageVersions.json

3. I like the terminology section here, I almost feel like we should

adopt that as official terminology in our documentation (which I don't
think we have yet, correct me if I am wrong).

We don’t, but I agree, we should aim to pick some names and use them
consistently.

4. I would like it if the lock file recorded the exact SHA it received,

and validate that when retrieving. This helps protect users against MITM
attacks or unexpected changes if an upstream modifies a tag. It also can be
used as part of safety checks when migrating to an alternate repository
host which is expected to have the same content.

Good point, this should be there.