[erlang-questions] rebar3 dependencies

Roberto Ostinelli <>
Sat Mar 19 08:30:44 CET 2016

Tristan, Fred, Eric
First of all, let me very clear on this: I want to thank you for the work
you're all doing. It is a tremendous amount of work, and I can only be
grateful that you are willing to share it with me and the rest of the
community. I know how hard it can be working in open source and receiving a
variety of random requests, sometimes coming from people that "expect"
things to get done by you. So: thank you.

Now, to get back to my original question: Tristan, you say that releases
"bundle all dependencies at a certain point in time", and that wanting to
vendor dependencies is "unnecessary and poor form". I would like for you to
consider that there are real cases for which vendoring is necessary, and
not poor form. Let me give you some examples.

1. Even in the Ruby community, gems disappear - whatever the reason. It has
happened before, it will happen again. Hex.pm, being smaller and way more
recent, is also probably (at least now) less reliable than rubygems, and in
general relying on github repositories for those libraries not yet packaged
is even worse. It is therefore understandable that some may feel better
knowing that they just have to rely on their own repository, where all
dependencies have been vendored.

2. Releases "bundle" all dependencies at a certain point in time, as you
say, but only with whatever exists at that time. I'd like to be able to
release the same code on newer Erlang releases, sometimes years after my
first release. Or with different operating systems. See point 1: I need to
ensure to have all the dependencies in my code, whatever happens to the
rest of the world.

3. I often compile releases on private clouds, which do not have access to
internet. Yes, there are workarounds, but the point her is that it makes my
life easier not to have to find one.

Rebase 2 currently satisfies these requirements, and since I'd like to move
to Rebase3 I'd like to find working alternatives.

Eric, sure, I can host Hex privately. Though, you'll probably agree that it
is way more easier to just go with the vendoring thing. :)

That being said, I'd like for you, Tristan, Fred, Eric, to try and welcome
my little feedback here, and take it for what it is. I'd like it to be easy
and possible to discuss these ideas serenely, because relying on a system
that considers (or better yet, values) the community input such as mine
would make me sleep better at night :)

All the best,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160319/8631f11d/attachment.html>

More information about the erlang-questions mailing list