PSA: go.sum is not a lockfile.
@diazona what does “being done from a lockfile” mean in this context?
You are in xxx. You add foo. Which version of bar do you get? The latest or the one in foo’s lockfile?
In Go, you get the one in foo’s go.mod. Which is why I say go.mod applies to dependents like manifests and unlike lockfiles, despite having lockfile-like precision.
"what does 'being done from a lockfile' mean in this context?": You have a program which is capable of installing packages. How do you tell it which packages to install? When I say "being done from a lockfile", I mean that the way you tell the program which packages to install is by giving it a lockfile. (As opposed to, say, giving it the name of a package.)
"You are in xxx. You add foo. Which version of bar do you get? The latest or the one in foo’s lockfile?": What does it mean to be "in" xxx? Based on previous messages, I thought xxx was a package?
P.S. not trying to be difficult here, I'm just genuinely confused
@diazona @filippo
I don't understand why such a thing would be called a lockfile. I've only ever heard "lockfile" used to mean a file that is temporarily created to indicate that some resource should be considered "locked", and unavailable for use by e.g. another process running the same or a related program. In other words, using the filesystem to implement a mutex. (This method only works for programs that agree to the usage convention; the OS kernel doesn't enforce anything.)
@brouhaha @filippo That's a different meaning of lockfile (or lock file).
In software package management, when you tell an installer to install one or more packages by name (possibly with some version constraints), it will choose versions of the packages you named and all their (direct and indirect) dependencies and install those versions. But you don't know which versions it's going to choose. There are thousands/millions/billions/... of possible ways to choose the version of every package that needs to be installed, and typically that includes a lot of choices that wouldn't even work. So people have developed tools that take as input a set of package names and optionally version constraints and spit out a list of one *specific* version of every package in the dependency graph. This is called "locking dependencies", and if the versions are recorded in a file, that is a lockfile. Developers can then test that specific combination of dependency versions and confirm it works.
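To make the two resolution strategies discussed in this thread concrete (the "which version of bar do you get when you add foo" question above, and the version-locking description in this post), here is an added Go example that is not from any post in the thread. It runs Go's minimal version selection (MVS) over a constructed requirement graph that stands in for each module's go.mod "require" lines, and beside it a "take the newest published version" resolver of the kind a manifest-plus-lockfile workflow uses before the lockfile is written. The module names xxx, foo, bar, yyy and all version numbers are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Module identifies one version of one module, like a go.mod "require" line.
type Module struct {
	Path, Version string
}

// requires is a constructed stand-in for each module version's go.mod require list.
// xxx depends only on foo; yyy depends on foo and (directly) on a newer bar.
var requires = map[Module][]Module{
	{"xxx", "v0.1.0"}: {{"foo", "v1.2.0"}},
	{"yyy", "v0.1.0"}: {{"foo", "v1.2.0"}, {"bar", "v1.6.0"}},
	{"foo", "v1.2.0"}: {{"bar", "v1.4.0"}},
	{"bar", "v1.4.0"}: {},
	{"bar", "v1.6.0"}: {},
	{"bar", "v1.9.0"}: {},
}

// available is a constructed list of every published version, so "latest" can be computed.
var available = map[string][]string{
	"foo": {"v1.2.0"},
	"bar": {"v1.4.0", "v1.6.0", "v1.9.0"},
}

// less orders plain vMAJOR.MINOR.PATCH strings numerically (so v1.10.0 > v1.9.0).
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// MinimalVersionSelection walks every go.mod reachable from root and keeps, per
// module path, the highest version that any of them requires. Nothing newer than
// what some go.mod asks for is ever chosen: the dependency's own go.mod decides.
func MinimalVersionSelection(root Module) map[string]string {
	selected := map[string]string{}
	seen := map[Module]bool{root: true}
	queue := []Module{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, dep := range requires[m] {
			if cur, ok := selected[dep.Path]; !ok || less(cur, dep.Version) {
				selected[dep.Path] = dep.Version
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}

// latest returns the newest published version of a module path.
func latest(path string) string {
	vs := append([]string(nil), available[path]...)
	sort.Slice(vs, func(i, j int) bool { return less(vs[i], vs[j]) })
	return vs[len(vs)-1]
}

// LatestResolution models an installer that treats each requirement as a name
// and picks the newest published version; the result is what a lockfile would
// then record so later installs do not drift.
func LatestResolution(root Module) map[string]string {
	selected := map[string]string{}
	queue := []Module{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, dep := range requires[m] {
			if _, ok := selected[dep.Path]; ok {
				continue
			}
			v := latest(dep.Path)
			selected[dep.Path] = v
			queue = append(queue, Module{dep.Path, v})
		}
	}
	return selected
}

func main() {
	for _, root := range []Module{{"xxx", "v0.1.0"}, {"yyy", "v0.1.0"}} {
		fmt.Printf("%s MVS:    %v\n", root.Path, MinimalVersionSelection(root))
		fmt.Printf("%s latest: %v\n", root.Path, LatestResolution(root))
	}
}
```

Adding foo to xxx yields bar v1.4.0 under MVS, exactly the version in foo's go.mod, while the latest-picking resolver yields bar v1.9.0. Adding a direct requirement on bar v1.6.0 (the yyy root) moves MVS to v1.6.0, the maximum of what the reachable go.mod files ask for, still without reaching for the newest published version.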
@diazona @filippo
Thanks for the explanation! I'd heard of configuring a package manager to require a specific dependency package version, but I hadn't heard it called locking, or using a specific file to store exclusively that information. The only times I've used such functionality, the required versions were stored in a general configuration file with a lot of other configuration management settings.
@filippo @diazona In the case of ruby gembundler, "being done from a lockfile" means deployment mode as documented at https://bundler.io/man/bundle-install.1.html#DEPLOYMENT-MODE