[erlang-questions] Coon - new tool for building Erlang packages, dependency management and deploying Erlang services

Joe Armstrong erlang@REDACTED
Mon Feb 12 22:58:01 CET 2018


On Mon, Feb 12, 2018 at 10:06 PM, Vlad Dumitrescu <vladdu55@REDACTED> wrote:
>
> On Mon, Feb 12, 2018 at 9:06 PM, Jesper Louis Andersen
> <jesper.louis.andersen@REDACTED> wrote:
>>
>> On Mon, Feb 12, 2018 at 6:58 PM Joe Armstrong <erlang@REDACTED> wrote:
>>>
>>>
>>> I have said on many occasions that code should be named by the SHA1
>>> checksum of the content - as far as I know this would not offend people -
>>> apart from those who thought the name could be a tad simpler.
>>>
>>
>> I might have said this before, but here goes:
>> Using a cryptographic checksum for a package and then pointing the name to
>> the checksum would have saved Node.js npm package manager a lot of headaches
>> when people remove, rename or otherwise destroy packages.
>> It also allows you to comply with legal requests with a sunset period. As
>> in "I hear you, and the name will be given to you. But we give people 6
>> months time to upgrade before we remove the old checksummed packages".
>> I'm interested in why someone did not try this yet. Or if one tried, why
>> it didn't work out. It seems very obvious to build a
>> content-addressable-store for your packages.
>
>
> I'm not sure I understand this completely. Using the checksum of a package
> as identifier is IMHO only useful if it is used in the dependencies list of
> other packages. If the deps list uses names (and people will use names
> anyway, not checksums), then the problem remains that in case a package is
> renamed and another one reuses the name, we don't know to which one a
> reference points.

The dependency list should be a list of checksums and NOT a list of
names - this list of checksums has itself a checksum (the "true" name
of the package).

A human readable name is just an alias to a checksum - two different
human readable names are the "same" if they are aliases to the same
checksum.

Basically files should be named by their checksums - for fairly obvious
reasons of convenience tools should hide or reveal these names when
necessary or appropriate.

For a given content the checksum is unique.

To handle renamings you just need a lookup table of

      {Name, Time, Checksum}

tuples that tracks changes to the name of the checksum over time

Should be easy (Famous last words rule applies here)

Cheers

/Joe




>
> Anyway, hex.pm has a field named "checksum" and it is that value that is
> stored in rebar.lock. So the hash key is there, but I don't see how it is
> useful except for tools.
>
> best regards,
> Vlad
>
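
The naming scheme described in this message, sketched in Erlang as an added example (not code from the thread, Coon, hex.pm or rebar): a package's "true" name is the checksum of its list of checksums, and a {Name, Time, Checksum} table resolves an alias as of a given time. The module name, function names, the layout of the hashed list and the sample data are assumptions made for illustration.

```erlang
%% Added illustration; module and function names are hypothetical.
-module(cas_names).
-export([checksum/1, package_id/2, resolve/3, demo/0]).

%% SHA-1 of the content as lowercase hex. SHA-1 is used only because the
%% thread names it; the scheme works the same with any cryptographic hash.
checksum(Bin) when is_binary(Bin) ->
    << <<(hex(N))>> || <<N:4>> <= crypto:hash(sha, Bin) >>.

hex(N) when N < 10 -> $0 + N;
hex(N) -> $a + N - 10.

%% "True" name of a package: the checksum of a list of checksums. Assumed
%% layout: the package's own content checksum, then its sorted dependency ids.
package_id(Content, DepIds) when is_binary(Content), is_list(DepIds) ->
    checksum(iolist_to_binary([checksum(Content) | lists:sort(DepIds)])).

%% Alias lookup over {Name, Time, Checksum} tuples: the checksum that Name
%% pointed to at time At is the newest entry whose Time is not after At.
resolve(Name, At, Table) ->
    case lists:sort([{T, C} || {N, T, C} <- Table, N =:= Name, T =< At]) of
        []   -> not_found;
        Hits -> {ok, element(2, lists:last(Hits))}
    end.

%% Constructed scenario: the alias "lib" is reassigned to unrelated code at
%% time 200. Every match against an already bound variable is an assertion.
demo() ->
    LibV1 = package_id(<<"-module(lib). %% original">>, []),
    Other = package_id(<<"-module(lib). %% unrelated reuse of the name">>, []),
    App   = package_id(<<"-module(app).">>, [LibV1]),
    Table = [{<<"lib">>, 100, LibV1}, {<<"lib">>, 200, Other}],
    {ok, LibV1} = resolve(<<"lib">>, 150, Table),
    {ok, Other} = resolve(<<"lib">>, 250, Table),
    not_found   = resolve(<<"lib">>, 50, Table),
    %% App pins LibV1 by checksum, so reassigning the alias does not change
    %% what App depends on or what App is called.
    App  = package_id(<<"-module(app).">>, [LibV1]),
    %% Swapping the dependency yields a different package id, so a
    %% substituted "lib" cannot pass as the same App.
    true = (App =/= package_id(<<"-module(app).">>, [Other])),
    ok.
```

Compile with `erlc cas_names.erl` and call `cas_names:demo()` from the shell; it returns `ok` when every check holds.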


