Packager Principles

[magnus-madsen]

• A package contains source code. (enables monomorphization, compiler optimizations).
• A package cannot execute any code upon installation.
• A package must use (restricted) semantic versioning.
• A package must contains a license.
• A package cannot contain any entry points.

[KengoTODA]

A package must contains a license.

Is it reasonable to contain NOTICE file too? For instance, works licensed under the Apache License 2 may have NOTICE text file that must be distributed together.

You may refer to the following patch to grab concrete changes to support:

https://github.com/KengoTODA/flix/compare/52986162e106b7ccb93f8d58884ac8573575afe9..957df3c386af7ddfae425730f8d5c2c31be28348

[KengoTODA]

One more interesting topic is dependency management. Is it in the target of packager? What I imagine is something like Maven and Gradle; users declare lists of dependencies (compile, runtime, test, etc.) then the packager will resolve all transitive dependencies, and download them to put into the CLASSPATH.

It is useful for development (no need to check in binary files to the SCM system), upgrading dependencies (good integration with dependabot-like solutions), and security (good integration with SAST solutions). But it will bring many complicated things such as dependency conflicts, dependency pinning, etc.

Currently, flix projects require the lib directory to put dependencies, so I guess that dependency management is not in the target. But I found no related issue so let me ask about the plan here :)

[magnus-madsen]

Sorry for the delayed response. Somehow I missed your comments.

For the NOTICE, I don't think -- in practice -- those files are too widely used. So I would avoid requiring them. (Of course a package can still ship with one-- even today).

For dependency management, the long-term goal is to have a source-based dependency manager like Cargo, NPM, etc. This will requires us to define manifest and lockfile formats, to implement a resolver, and to figure out how to deal with the diamond problem. Should be a fun, if tricky project :)

[KengoTODA]

Thanks for your reply, I understood the current policy and plan. :)

For the NOTICE, I don't think -- in practice -- those files are too widely used. So I would avoid requiring them. (Of course a package can still ship with one-- even today).

Yes, I also think the NOTICE file should be optional. If we support it, it should work only when NOTICE file exists in the project root dir.

Can I ask how we hand ship it in the current packager? I think the packaging process is not extensible, so users need to update the .fpkg file my their own?