Open damon-kwok opened 4 years ago
This issue isn't very helpful. It assumes that someone knows what cargo's search command does (also you seem to have copy and pasted this from another as it says similar to cargo's install command).
What does cargo's search do? How does it work? How would that translate to the pony ecosystem? Why is this needed?
I first searched through Carl's design, QA, and dep management docs here; however, I was unable to relocate the old issue thread that was started well before corral came to be, so I do not know if some wisdom was in there.
Corral having a search is potentially a much larger discussion than cargo having similar functionality. Cargo has the benefit of https://crates.io/ -- a central repository of Rust packages -- meanwhile Corral has no such repository to query. As such, I propose there are two "good" options for seeing this through:
Create a https://crates.io/ Pony equivalent.
Central package distribution has its benefits and Crates is certainly a strong example on how to do it well.
Create a https://conda.io/ Pony equivalent.
Distributed package distribution has its benefits and Conda is certainly a strong example on how to do it well.
I think a corral search is best done in a distributed setting. I imagine Pony packages being shared in "channels" rather than a central repository.
First we need to have a discussion about how deep this would need to run for all the edges to line up without creating a mess. No matter how packages are distributed, eventually they need to be pulled down to a single location for ponyc to make sense of them.
I would love to see a distributed, multi-master ecosystem of Pony packages but this would take some rather serious conversation on how this is done. I have dreams of an almost CouchDB-style synchronization where as long as a server "speaks" the API it can be added to a network of potential package distributors to synchronize where a package is available from. This would be unlike Conda where if a package is not in any of the channels a user has set the package is not found -- rather servers would forward requests in a decaying pattern so that, by only "searching" the central proxy, a user can perform a deep search of the Pony ecosystem. (Important to note that this has a huge potential for busy communication, cache invalidation, and many more problems with even one user who attempts the semantic equivalent of corral search --depth=Inf package-that-does-not-exist while the query bounces around the ecosystem.)
Package naming clashes would best be solved by the user: if the name is not unique in the network, the user gets a table of what is available and from what sources, along with a short description of each package, so the user can choose.
Last point I want to make: search is a potentially huge security hole. With a central server, if that server is compromised then security is breached. With decentralization, if there is a rogue server compromised in the network then security is breached. As well, there are all the problems of phishing no matter what, if a user is able to search, fetch, and install/compile a package with a similar name but malicious source.
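Added example, not part of the thread and not Corral or Pony project code: a Python sketch of the ideas in the comment above, covering a hop-limited forwarded search that stays bounded even at infinite depth, the name-clash table, and a check for lookalike names. The server names, package entries, function names and the 0.7 similarity threshold are all assumptions made up for illustration, and the shared `seen` set stands in for each server remembering a query id.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data: hypothetical servers ("channels"), their peers,
# and the packages each one indexes. None of these names are real.
PEERS = {"proxy": ["a", "b"], "a": ["b", "c"], "b": ["a"], "c": []}
INDEX = {
    "proxy": [],
    "a": [("json", "JSON parser")],
    "b": [("json", "JSON encoder/decoder"), ("jsom", "utility helpers")],
    "c": [("http_client", "HTTP client")],
}

def search(start, term, depth):
    """Forward a query hop by hop; every server answers at most once."""
    seen, frontier, hits, hop = {start}, [start], [], 0
    while frontier and hop <= depth:
        nxt = []
        for server in frontier:
            hits += [(n, server, d) for n, d in INDEX[server] if term in n]
            for peer in PEERS[server]:
                if peer not in seen:  # a repeated query is dropped, not re-forwarded
                    seen.add(peer)
                    nxt.append(peer)
        frontier, hop = nxt, hop + 1
    return hits

def clash_table(hits):
    """Names offered by more than one source, so the user has to choose."""
    by_name = defaultdict(list)
    for name, server, desc in hits:
        by_name[name].append((server, desc))
    return {n: s for n, s in by_name.items() if len(s) > 1}

def lookalikes(hits, threshold=0.7):
    """Pairs of distinct names similar enough to be mistaken for each other."""
    names = sorted({n for n, _, _ in hits})
    return [(a, b) for a, b in combinations(names, 2)
            if SequenceMatcher(None, a, b).ratio() >= threshold]

if __name__ == "__main__":
    found = search("proxy", "js", float("inf"))
    print(clash_table(found))
    print(lookalikes(found))
```

Because each server is visited once per query, an unlimited depth costs at most one answer per server instead of bouncing between peers.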
re: crates.io. see https://www.main.actor/
https://ponyhub.bali.io is a proof-of-concept of crawling and indexing Pony projects.
The Pony committers agree that search would be a great feature to add to corral, however, the hard part of this is the service that provides the search index and ability to search it.
When someone in the Pony community provides a service to that which starts to get community traction (traction as well as existence is important), then we would look to move forward with this issue.
Awesome
It is similar to cargo's install command