On Friday, June 19, 2020 at 3:36:55 PM UTC-4, Hendrik Boom wrote:
> On Fri, Jun 19, 2020 at 07:54:29AM -0700, Brian Adkins wrote: 
> > On Friday, June 19, 2020 at 8:09:04 AM UTC-4, Neil Van Dyke wrote: 
> > > 
> > > For an important production system, you probably want the source of 
> any 
> > > third-party packages on which you depend to be in Git (or another SCM 
> > > system) that you control. 
> > > 
> > > You might also want to audit those packages yourself, as well as audit 
> > > any new version changes to them, before you push to production. 
> > > 
> > > After you do those things in SCM, depending how you do it, you *might* 
> > > find it's more convenient to simply load the third-party code you need 
> > > using the module system `require` only, without an additional package 
> > > system. 
> > > 
> > 
> > While I see some benefits of this approach, I just looked at a typical 
> > Rails project of mine, and it has over 160 packages with some packages 
> > depending on different versions of other packages, etc., so I think 
> > managing all of this myself in git might be overly burdensome. Granted, 
> my 
> > current Racket apps have far fewer dependencies, but I expect that may 
> > increase over time. 
> If you want to avoid problems with software you use changing 
> unpredictably, you will have to have use your own copy that does not 
> change at all. 
> I don't see another alternative if your upstream source might change at 
> any time. 
> And you will likely have to vet any chaanges that appear upstream in 
> case they actually do fix security-related issues that might already 
> be affect you.  It will be up to you to determine the risks of leaving 
> your local copy unchanged. 

I'm hoping the main scenario I'm concerned about (a bug is introduced in an 
update of a package) is rare, although that's exactly what motivated Alex 
to create his system. If it is a rare scenario for me, then I'd like to do 
the following:

1) Develop & test locally while updating packages as needed
2) Prior to releasing to production, so *something* that effectively 
snapshots my environment
3) Use the snapshot to deploy to production

Although I have some ideas about the "something" task, I still have to 
finalize the procedure and try it out. One option is to simply use a 
racksnap snapshot. What I'd like to do is to create a personal catalog that 
represents the packages I currently have installed, but it doesn't appear 
there's a super easy `raco pkg` command to do that - I still need to 
research a bit. Either there is a command, or it seems like a relatively 
straightforward thing to add.

You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to racket-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to