Is there a 'blessed' package manager for luvit?


Karl Böhlmark

Mar 4, 2013, 5:05:51 AM
to lu...@googlegroups.com
Tim, I'm very grateful for your contributions to the node community and for creating a viable platform for writing high performance, lightweight lua servers.

Personally I have been curious about the luvit platform from the beginning, but I haven't really dug into it because I've had little previous lua exposure and I haven't really had the need for something more lightweight than v8.

Now, with the advent of redis lua scripting, I've come to appreciate lua and at the same time I have had use cases for embedded servers that need to be light on memory. Consequently I find the luvit platform very attractive.

The only thing that holds me back slightly is the (at least for me) unclear package management situation. Having a background in .NET/python/node I agree that the node module system is agreeable, and it has been an unquestionable success. Thus, I'm glad that the module system is modeled after node. However, complementing the module system, node also has npm as the undisputed package manager and I have yet to understand what the equivalent is for luvit.

Yes, I have seen lum, but it looks pretty dead (10 months) and there isn't even a central searchable registry, right? Assuming I haven't overlooked anything obvious, what would your high level requirements be for a package manager? If you don't have time to implement it, maybe you can give input on the spec for the package.json equivalent.

I have seen the discussions about the module system on github, and I think it's almost inevitable that a lot of people in the existing lua community will be upset about their cheese being moved, especially in a way that is influenced by the node/javascript community, whom a few of them seem to hold in very low regard. I'm sure you remember how some commonjs people felt in the early days of node.


/Karl Böhlmark

Tim Caswell

Mar 4, 2013, 9:48:24 AM
to lu...@googlegroups.com
There is no blessed package manager or anything that's even been worked on recently as far as I know.  What I'm doing for luvit.io is to use git submodules in the "modules" folder.  This works fairly well, except updating dependencies has to be done manually, since git remote hashes have no way to express semver ranges like npm can do.

If you really want semver ranges and/or a central repository, then we need a package manager.  I would like something with a subset of the npm feature set.  Keep it minimal at first.

Ideally it would be flexible with repo used, allow semver ranges, and make publishing easy.

We already have package.lua that luvit actually uses to look up main.  There really isn't any need for json or some data format because lua is very easy to sandbox from all attacks except maybe infinite loops.  But we're distributing code here, if a package author writes a dangerous (locking) package.lua, what's to stop them from writing a dangerous library?  You already trust the author to play nice. That's why you're using their code.

The nice thing about hosting on github is git already has SHA hashes of all tags and github itself is somewhat reliable and already running.
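
The sandboxing point in the message above, as an added example that is not part of the original thread or luvit's own code: a loader that evaluates a package.lua in an empty environment with an instruction budget, for Lua 5.1/LuaJIT. `load_package`, `MAX_INSTRUCTIONS` and the sample package contents are assumptions made for illustration.

```lua
-- Added example: treat package.lua as untrusted data, not as a trusted script.
-- load_package and MAX_INSTRUCTIONS are hypothetical names, not luvit API.
local MAX_INSTRUCTIONS = 100000

local function load_package(source)
  -- Refuse precompiled bytecode: loadstring accepts it, and Lua 5.1 does
  -- not validate bytecode well enough to run it from an untrusted source.
  if source:sub(1, 1) == "\27" then
    return nil, "bytecode rejected"
  end
  local chunk, err = loadstring(source, "=package.lua")
  if not chunk then return nil, err end

  -- Empty environment: no io, os, require, debug, pcall or setfenv.
  setfenv(chunk, {})
  -- On LuaJIT, count hooks are not checked inside JIT-compiled code,
  -- so keep the untrusted chunk (and its subfunctions) interpreted.
  if jit then jit.off(chunk, true) end

  -- Abort after a fixed number of VM instructions (the infinite-loop case).
  debug.sethook(function()
    error("instruction budget exceeded", 0)
  end, "", MAX_INSTRUCTIONS)
  local ok, result = pcall(chunk)
  debug.sethook() -- always remove the hook again

  if not ok then return nil, result end
  if type(result) ~= "table" then
    return nil, "package.lua must return a table"
  end
  return result
end
-- Not covered here: memory use. String methods stay reachable through the
-- shared string metatable, so a chunk can still allocate large strings.

-- Constructed samples, not real packages.
local samples = {
  good   = 'return { name = "demo", version = "0.1.0", main = "init.lua" }',
  spin   = 'while true do end',
  escape = 'return { main = os.getenv("HOME") }',
}
for name, src in pairs(samples) do
  local pkg, err = load_package(src)
  print(name, pkg and pkg.main or ("rejected: " .. tostring(err)))
end
```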


pancake

Mar 4, 2013, 10:05:42 AM
to lu...@googlegroups.com
https://github.com/radare/lum feel free to continue my project

Tim Caswell

Mar 4, 2013, 10:08:06 AM
to lu...@googlegroups.com
Indeed, pancake's project is the closest thing to a "blessed" package manager.  Feel free to contribute if that's what you want.

Pancake, are you still interested in maintaining this actively?