[erlang-questions] relx extended deps

Loïc Hoguin essen@REDACTED
Tue Jan 27 18:31:10 CET 2015 

On 01/27/2015 04:53 PM, Anthony Ramine wrote:
> Le 27 janv. 2015 à 16:49, e@REDACTED a écrit :
>
>> On 01/27/2015 04:47 PM, Anthony Ramine wrote:
>>> Le 27 janv. 2015 à 16:44, e@REDACTED a écrit :
>>>
>>>> how am i running ranch without ssl now?
>>>
>>> By complaining to Ranch's author that he should either remove the code depending on ssl and put it in another separate project, or properly make his project depend on ssl and thus just not let you use ranch without ssl.
>>
>> hold on, i am not into political question, i want to keep it technical.
>> i am running ranch without ssl.
>> doesn't it contradict the statement of dependency?
>
> And anyone actually using ranch with ssl now needs an additional non-standard 'sequence' key in their app file. See the problem? The proper solution is to remove ranch_ssl from ranch and let you use that slimmed down version of it, not to accommodate one developer's laziness in a general purpose release tool.

Slow down on the attacks there.

The issue stems initially from a misunderstanding of the applications 
key in the .app file, which unlike what I believed until fairly 
recently, is not an ordered list of applications, but an unordered one.

Despite this it worked without any issue until Erlang 17.3. I am 
guessing something changed in 17.3 that made it break, but it's fair 
game because it was properly documented as unordered.

Years ago I pseudo-validated that this method was OK because another 
application in OTP was doing it: observer. Observer only lists kernel 
and stdlib as dependencies; on the other hand the newly added key 
runtime_dependencies lists wx, runtime_tools, inets and et. These are 
optionally required if you want to run the GUI (at least wx is).

SSL is not listed in Ranch because some users do not use it and do not 
want 3 extra applications they do not use in their release. A number of 
solutions have been investigated to keep this feature for all current users.

One of the more interesting solutions that was discarded was to make 
ranch_ssl its own application. But this only fixes Ranch and moves the 
problem one level up to Cowboy, which requires SSL for SPDY and soon for 
HTTP/2. These are the future protocols of the Web and Cowboy is aiming 
to support them at an equal level to HTTP/1.1 and Websocket, so it makes 
little sense to split HTTP/2 out.

The solution retained is to fix the .app file, and document a way to 
remove SSL if you don't want it. For some people it will involve editing 
the .app file directly (possibly as part of the build process); for 
others it will involve telling reltool to exclude certain applications 
they don't need. Relx has currently no equivalent but it looks like it 
will be quickly addressed (thanks!).

Now the only thing I have to figure out is if this warrants a Ranch 2.0 
release or not. It's not obvious it needs one, since release tools will 
fetch SSL automatically just fine. Perhaps you can help answering that one?

-- 
Loïc Hoguin
http://ninenines.eu

More information about the erlang-questions mailing list