For the love of god, use an actual package manager

There are few things that drive me up a wall more than having to use a programming language’s package manager to install a utility I want to use or have to get working at my day job. Nine times out of ten, it goes something like this:

  1. Read the vendor’s poorly documented Git{Hub,Lab,ia} README.md, where the instructions either don’t mention what dependencies are needed, or mention that they’re “all covered in the {Gemfile,requirements.txt,curl $url/script.sh | bash}”.
  2. Try running the program, see that the vendor documentation’s wrong, and work progressively through a traceback to figure out which hard-coded version of whatever Python library (the one that just does web requests, but better) the vendor insisted on using.
  3. Finally get the damn thing working after 20-60 minutes.

The above workflow is better than “the old days”, where you were lucky if a vendor provided you a tarball or binary to install whatever widget you needed, and it at least gives an option of better updates for the various dependencies these programs need, more so than the Windows/macOS per-application update mechanism most people deal with on their desktop OS. But it’s still a far cry from providing something reliable with good version control and dependency management.

So, I’m a busy guy. I got several people telling me I need to get something deployed yesterday — why not look at AWS or DigitalOcean and use a community image for an app? Well, because that’s still not fixing the above issue.

Let’s pick on Mastodon. Mastodon’s a Ruby app, and provides one-click deploy options on a number of cloud providers. So it should be easy to update with gem and git, along with maybe just updating the host OS packages, right? Well, let’s look at the upgrade to 4.0.0 per their release notes:

Non-Docker only:
  * The recommended Ruby version has been bumped to 3.0.4. You can upgrade, or you can continue using the old version by overwriting the .ruby-version file with e.g. 3.0.3 which was recommended previously. The minimum version you can use is 2.7.
  * The minimum Node.js version has been bumped to 14.
  * Install dependencies: bundle install and yarn install

As far as bad installations and crap I’ve had to deal with recently go, this is actually great, all things considered! Clear deviations, expectations, and guidance. And I don’t mean this as an insult to the Mastodon developers, because it’s not their fault; they’re a victim of larger issues at play here. Regardless of this, it still sucks ass.

So, you might want to recommend using Docker to get around the above issues. Rather than fight all of these dependency issues on bare metal, why not move it to a container! It doesn’t matter if you’re running a newer version of curl alongside an old version of grep in a container, right?

Well, you still need the third-party package managers in these containers. Things still break easily, and they are still using what I feel is a bad and messy practice in the first place, not even getting into the clear security issues of running some of this code. But hey, what are ya gonna do.

Well, you can start by using and demanding your vendors actually just use your distro’s damn package manager the way it was intended to be used.

Distros like Debian have gone out of their way to provide a large number of packages, dependencies included, to keep things as sane as possible for admins. Arch has the AUR which, while not as trusted as the official repos, is a great intermediate. Other distros like RHEL/CentOS/Rocky/Alma/Fedora/Whatever have bare and sparse default repos but larger extended repos that can be added. And I trust my distro’s package manager team far more than whatever the hell is going on over at npm anyway.

Today I can run apt-get install python3-pandas and have any security updates pulled in whenever I update my desktop. Hell, if I want to get risky, I can run Debian sid or enable backports to get the more recent version of python3-pandas when they finally add the pancake maker feature! No need for me to touch apt-get install python3-pip; pip3 install pandas or some other unholy combination that’s going to leave nine different versions of the same library in my $PATH.
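A quick way to see whether that “unholy combination” has already happened on a box is to list every installed Python distribution and flag the ones the distro package manager doesn’t own. This is an added audit example, not code from the original post; it assumes Debian’s layout, where apt-managed modules live under /usr/lib/python3/dist-packages and pip-installed copies land in /usr/local or ~/.local (which Python searches first, so they shadow the apt version).

```python
"""Audit Python packages that bypass the distro package manager (Debian layout assumed)."""
from collections import defaultdict
import importlib.metadata as md

# Assumption: on Debian/Ubuntu, everything apt installs lives here.
DISTRO_PREFIX = "/usr/lib/python3/dist-packages"


def classify(dists):
    """Group (name, version, location) triples by normalised name.

    Each entry becomes (version, location, managed), where managed is True
    when the copy sits in the apt-owned directory.
    """
    by_name = defaultdict(list)
    for name, version, location in dists:
        managed = location.startswith(DISTRO_PREFIX)
        by_name[name.lower().replace("_", "-")].append((version, location, managed))
    return by_name


def find_shadowing(by_name):
    """Return (duplicates, unmanaged).

    duplicates: packages installed more than once (pip copy shadows apt copy).
    unmanaged:  packages with no apt-owned copy at all, so apt upgrades never touch them.
    """
    duplicates = {n: v for n, v in by_name.items() if len(v) > 1}
    unmanaged = {n: v for n, v in by_name.items() if not any(m for _, _, m in v)}
    return duplicates, unmanaged


def live_dists():
    """Yield (name, version, location) for every distribution on the running interpreter."""
    for d in md.distributions():
        yield d.metadata["Name"], d.version, str(d.locate_file(""))


# Constructed sample mirroring the pandas scenario above; not from a real host.
SAMPLE = [
    ("pandas", "1.5.3", "/usr/lib/python3/dist-packages"),
    ("pandas", "2.2.1", "/home/me/.local/lib/python3.11/site-packages"),
    ("requests", "2.31.0", "/usr/local/lib/python3.11/dist-packages"),
    ("numpy", "1.24.2", "/usr/lib/python3/dist-packages"),
]

if __name__ == "__main__":
    dup, unm = find_shadowing(classify(SAMPLE))  # swap SAMPLE for live_dists() on a real host
    for name, copies in dup.items():
        print(f"SHADOWED {name}: " + ", ".join(f"{v} @ {loc}" for v, loc, _ in copies))
    for name, copies in unm.items():
        print(f"UNMANAGED {name}: {copies[0][0]} @ {copies[0][1]} (no apt security updates)")
```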

Please, developers, vendors, and even fellow engineers: please just use your distro’s package manager. For the love of god.
