On Tue, Jun 05, 2012 at 03:44:49PM +1000, Zack Corr wrote:
> O.K, so after a talk with Brian in #rust, I think we've found a good
> solution that keeps the reliability and simplicity of the current setup but
> can also automatically sync and update the local package list without
> downloading an (eventually) massive file.
>
> Every source has a packages.json file.
>
> There are 3 types of sources:
>
>
> - "git": a source hosted in a git repository - cargo handles incremental
> changes by simply `git pull`ing whenever the list, search or install
> command is called and then using the new package information for the
> command.
> - "http" | "ftp" | "curl": a source hosted via some curl supported
> transfer (e.g. http) - cargo handles incremental changes by appending
> `?from=<timestamp>` to the URL where `timestamp`is a generic unix timestamp
> for the last update it did. If the source supports the from command, it
> will only provide the packages that have been updated since `timestamp`,
> otherwise it provides the entire packages.json file. Whenever the list,
> search or install command is called it requests the packages.json file with
> the last timestamp it did and merges it's local package list with it, and
> then uses the information for the command.
> - "file" - a source hosted locally, self explanatory
>
> Then a source can optionally contain a source.json file which contains the
> same stuff as a single source in sources.json does now (minus name and url
> fields) and sources.json becomes:
>
> ```
> {
> "central": "git://github.com/mozilla/cargo-central"
> }
> ```
>
> I think this turns out better. Any thoughts?This seems legit, but I still don't understand what problem is being solved very well. Central (which is our biggest source right now) is 6130 bytes total, and gzipped it's 1632 bytes. Downloading it incrementally instead of in its entirety each time is not saving a whole lot. The incremental-fetch approach also worries me because, as it works now, source signing is based on a signature across the entire packages.json file. If we're fetching only part of that file (or just those packages new since time t), we won't be able to check the signature. I would not have the same objection to git for incremental fetches, from which we are guaranteed to get the same file the author uploaded. > _______________________________________________ > Rust-dev mailing list > [email protected] > https://mail.mozilla.org/listinfo/rust-dev -- elly
signature.asc
Description: Digital signature
_______________________________________________ Rust-dev mailing list [email protected] https://mail.mozilla.org/listinfo/rust-dev
