-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Give examples for documenting package dependencies #6
Comments
So this is a very timely question of yours! Instead I think things should be much simpler: a list of deps where each dep has just a name and version. The version can be either a resolved version or a version constraint depending on the context. Using a yaml representation this would then looks like this: dependencies:
- group: test
name: junit
version: '>=3'
- group: test
name: dbunit
version: '2.53' The only other thing that may be needed is a flag that would indicate in a more explicit way whether a dependency is required or not... this would end up looking like this: dependencies:
- group: test
name: junit
required: yes
version: '<3.8'
- group: test
name: dbunit
required: no
version: '2.53'
- group: runtime
name: apache-commons
required: yes
version: 1.0.2 Some noteworthy things:
|
/cc @mnonnenmacher who's working on our trial-adoption of ABCD as an output format of what you would call dependentcode ;-) |
@mnonnenmacher any feedback on your side? |
Hi @pombredanne, let me show you how we have interpreted the ABCD format. Our dependency analyzer creates two object types: project and package. Project represents a software package including its resolved dependencies, while package contains only information about the software package itself, but not about its dependencies. The reason we excluded dependencies from package is that we are currently only interested in resolved dependencies, not declared dependencies, and most package managers automatically change versions of transitive dependencies, or allow the users to manipulate transitive dependencies. For example Maven/Gradle allow to exclude transitive dependencies, and try to resolve version conflicts. I'll use YAML for the examples below, because it is easier to read. Package An example for a random NPM project:
namespace is what you call group above, we decided for the more generic namespace because group is only used in the Maven/Gradle world. This is used for all package managers that have this concept, currently for the group id of Maven and Gradle and for the scope (like "@types") of NPM. As a unique identifier to reference a package we use the quadruple of package_manager, namespace, name, and version. We have added package_manager to make it more unique, because in theory there could be e.g. NPM and Maven artifacts that share the same namespace, name, and version. vcs_path is used to specify a subdirectory in the repository where the package is located, as sometimes repositories contain multiple independent projects. The other properties should be self explanatory. Also we plan to add: Project
Mostly the same as package, the main difference is the scopes property. This contains a tree of resolved dependencies for each scope, e.g. for NPM scopes are "dependencies", "devDependencies", "peerDependencies", and so on. For Maven/Gradle this would be "compile", "test", and so on. The scopes for JQuery look like this:
The delivered property is a draft, it defines if dependencies from this scope are included in the product, usually test dependencies are not. All elements in dependencies are package references including the resolved transitive dependencies. Note that we don't need the package_manager for the reference here, as it is already defined by the project. In the beginning we used package_hash for the reference, but then decided for the triple of namespace, name, and version instead because of human readability, so this property will likely be removed. I have put a full example for JQuery on a Gist: It would be great to get some feedback from you about our usage of ABCD, and how close it is to what you have envisioned for the format. |
@mnonnenmacher this is very well done! This matches very well the vision. I may come with a few comments on the details for certain names that we could possibly refine together. |
Advantages of my Approach Consistent Representation: Treating resolved and unresolved dependencies the same way, with the only difference being in the context (e.g., version constraints vs. resolved versions), ensures that your data structure is consistent and easier to work with. Clear Indication of Requirement: Adding a required flag makes it explicit whether a dependency is essential or optional. This can help with prioritizing dependencies and managing their installation or resolution. Simplified Schema: Your schema’s simplicity ensures that it’s easy to generate, read, and maintain. It avoids unnecessary complexity and keeps the focus on the core attributes: name, version, group, and requirement status. Example YAML Structure yaml Dependency Groups: The group attribute is useful for categorizing dependencies. Make sure that the groups are well-defined and that your system correctly handles dependencies across different groups. Flag Handling: The required flag should be consistently interpreted in your system. Decide whether yes and no are the best values, or if a boolean (true/false) might be simpler. Extensibility: Think about whether you might need additional attributes in the future. If you do, ensure your schema can be extended without disrupting existing data. Implementation Considerations Integration with Tools: Ensure that this schema integrates well with existing tools like ScanCode. If you’re moving away from an existing schema, consider how you’ll transition or map the old schema to the new one. Documentation: Provide clear documentation for how to use this schema, including examples and explanations of each attribute. This will help users understand and implement it correctly. Your proposed schema is a solid step towards a more manageable and understandable representation of dependencies. It should facilitate easier manipulation and integration of dependency data in various contexts. |
When describing software packages, like Java libraries, it's quite essential to also capture any dependencies / relationships between packages. The current ABCD spec seems to be quite loosely defined in this regard. A bit too loose for my taste probably. Could you give a concrete example how e.g. the dependency of
mockito-core
onjunit
would be represented in ABCD in YAML format?The text was updated successfully, but these errors were encountered: