Proposal: mix API to interact with mix.lock


Megzari Raphael

Apr 21, 2021, 3:48:45 AM
to elixir-lang-core

The larger question I want to ask is:
What is the way to get dependency information from outside Elixir?

Use case
For build tools wanting to limit network access and encourage reproducibility. For example, if there was a way to find out what the dependencies are and how to fetch them, this job could be done outside of mix. A tool with a global store could keep deduplicated versions of the dependencies and only fetch the ones that changed. Mix does that already of course, but it's based on using its own way to store dependencies.

Current barriers
The mix.lock file format is undocumented and subject to change at any time.
Smaller question: are there plans regarding the format? Changes? How stable is the current format?

Potential solution
Would an API from the CLI make sense?
Something like mix deps.list outputting some JSON format maybe?
(Note: this idea is not mine and I'm not sure the person having it wants to be cited.)

depierr...@gmail.com

Apr 21, 2021, 12:20:21 PM
to elixir-lang-core
If this is me, you can cite me with no problem. I do not think JSON has to be the easiest format, but it could work.

I think there are a lot of questions that would need to be answered about what is needed from the outside build system before we get to defining an API here though. I am open to being told I am wrong about that :D

Austin Ziegler

Apr 21, 2021, 12:24:08 PM
to elixir-l...@googlegroups.com
The mix.lock file can be interpreted as an exs file that produces a
map with tuples in the values. There have been migrations in the tuple
contents before, but it’s fairly stable and includes transitive
dependency information.

As I understand it, there have been developments recently that would
allow you to run your own Hex server in a mirror-caching mode, which
should assist with the deduplicated global store limiting network
access.

-a

--
Austin Ziegler • halos...@gmail.com • aus...@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue
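
The description above, that mix.lock reads as an .exs term, sketched as an added example (not from the thread and not Mix's own code): it parses the file to an AST and accepts only data literals, so nothing in the lock file is executed. The `LockReader` module, the sample entries and the assumed order of the leading tuple elements are illustrative.

```elixir
defmodule LockReader do
  # Parse to an AST only; nothing in the file is executed.
  def read(source) do
    {:ok, ast} = Code.string_to_quoted(source)
    literal!(ast)
  end

  # Rebuild the term from data literals only: maps, tuples, lists, atoms,
  # strings and numbers. Calls, variables and interpolation are rejected.
  defp literal!({:%{}, _meta, pairs}),
    do: Map.new(pairs, fn {k, v} -> {literal!(k), literal!(v)} end)

  defp literal!({:{}, _meta, elems}),
    do: elems |> Enum.map(&literal!/1) |> List.to_tuple()

  defp literal!({a, b}), do: {literal!(a), literal!(b)}
  defp literal!(list) when is_list(list), do: Enum.map(list, &literal!/1)

  defp literal!(term) when is_atom(term) or is_binary(term) or is_number(term),
    do: term

  defp literal!(other),
    do: raise(ArgumentError, "non-literal term: " <> Macro.to_string(other))

  # Assumption: the first three tuple elements are the SCM, the package
  # name or repository URL, and the version or ref; the rest stays opaque.
  def summary(lock) do
    for {app, entry} <- lock, do: {app, elem(entry, 0), elem(entry, 1), elem(entry, 2)}
  end
end

# Constructed sample in the shape of a mix.lock; all values are placeholders.
sample = ~S"""
%{
  "example_git": {:git, "https://example.invalid/example_git.git", "CONSTRUCTED_REF", []},
  "example_pkg": {:hex, :example_pkg, "1.2.3", "CONSTRUCTED_CHECKSUM", [:mix], [{:other_pkg, "~> 0.4", [hex: :other_pkg, optional: false]}], "hexpm", "CONSTRUCTED_CHECKSUM"},
}
"""

sample |> LockReader.read() |> LockReader.summary() |> Enum.each(&IO.inspect/1)

# A file containing a call is rejected instead of being run.
try do
  LockReader.read(~S|%{"x": File.cwd!()}|)
rescue
  e in ArgumentError -> IO.puts("rejected: " <> Exception.message(e))
end
```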

Raphael Megzari

Apr 21, 2021, 9:31:25 PM
to elixir-l...@googlegroups.com

Thanks for the answer!

As I understand it, for each dependency the content of the tuple is

- :hex | :git ?

When it is hex, it uses the following hex endpoint?

/tarballs/PACKAGE-VERSION.tar

The last part of that tuple, is it the sha256 or some kind of validation check?

If there are more formal specifications, I would be interested in having a look.


Thoma depierre, that was indeed you who suggested the idea, thank you!