[erlang-questions] Coon - new tool for building Erlang packages, dependency management and deploying Erlang services

[Vlad Dumitrescu]

On Mon, Feb 12, 2018 at 9:06 PM, Jesper Louis Andersen <
jesper.louis.andersen@REDACTED> wrote:

> On Mon, Feb 12, 2018 at 6:58 PM Joe Armstrong <erlang@REDACTED> wrote:
>
>>
>> I have said on many occasions that code should be named by the SHA1
>> checksum of
>> the content - as far as I know this would not offend people - apart
>> from those who thought the name could be a tad simpler.
>>
>>
> I might have said this before, but here goes:
> Using a cryptographic checksum for a package and then pointing the name to
> the checksum would have saved Node.js npm package manager a lot of
> headaches when people remove, rename or otherwise destroy packages.
> It also allows you to comply with legal requests with a sunset period. As
> in "I hear you, and the name will be given to you. But we give people 6
> months time to upgrade before we remove the old checksummed packages".
> I'm interested in why someone did not try this yet. Or if one tried, why
> it didn't work out. It seems very obvious to build a
> content-addressable-store for your packages.
>

I'm not sure I understand this completely. Using the checksum of a package
as identifier is IMHO only useful if it is used in the dependencies list of
other packages. If the deps list uses names (and people will use names
anyway, not checksums), then the problem remains that in case a package is
renamed and another one reuses the name, we don't know to which one a
reference points.

Anyway, hex.pm has a field named "checksum" and it is that value that is
stored in rebar.lock. So the hash key is there, but I don't see how it is
useful except for tools.

best regards,
Vlad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180212/b54c1538/attachment.htm>