How does Paket stack up against NuGet 3's project.json? #1230
Comments
|
Since I'm still trying to understand the workflow in DNX and coreclr the following might not be correct. This the structure I think will be used in coreclr/DNX:
Every and the Now to your questions/observations:
My conclusion at this point is that the new NuGet model for coreclr and DNX still has most of the flaws that we have see in older NuGet versions. TBF there exists nice tooling around Regarding Paket: I think Paket's paket.dependency/paket.lock model is needed more than ever, but it's hard to make it work (see #736 and dotnet/fsharp#722). PS: I didn't even look into how F# script files can work in this model. |
dnu will die and be replaced by nuget, or even the new dotnet unified CLI experience at some point. This was just an interim utility because NuGet didn't understand project.json.
This is because the current content transform design was pretty bad. It only worked in C# project types and had no way to pivot on language. The latter applies to content files in general. There are plans on bringing this back, with a better way of controlling where the content files ends up in your project structure, preferably by not copying the files at all, but rather just "linking in" a read only version. It'll also let you pivot on language and target platform, so you can include different files for js/fs/cs/vb etc. and specify the content files' build action. Most of the goals for this is outlined at https://github.com/NuGet/Home/wiki/Bringing-back-content-support,-September-24th,-2015 |
|
@khellang thanks for this clarification. @khellang just showed me https://github.com/NuGet/Home/wiki/Lock-file-design-meeting-notes---August-18,-2015 The "snapshot file" would probably solve some of the issues. It would still allow you to accidently use different versions in different projects but it would at least allow you to pin versions and have reproducible builds. If the dependencies block in Paket could generate these snapshot files and paket users could gitignore the snapshot files and the resulting project.lock.json files. |
|
I think I saw somewhere that someone proposed a |
|
Yes that was in #736, but the suggestion was to create project.json.lock which seems like overkill. Creating the snapshot file would be much nicer. |
|
So after thinking about this a bit, you really don't need to do anything with |
|
The point is MS is pushing this new model and even projects like the F# compiler are changing (very slowly in that direction). We want to allow our users to benefit from all the shiny new things, but still allow them to do dependency management like they like it. With the "snapshot" files (which I believe are needed anyways - see above) and optional dependencies in project.json this could work beautifully. |
|
@davidfowl I'm confused. Doesn't @forki at the top of this issue show where the differences between nuget 3 / project.json and paket are? I'm sure that a lot of great work has been done in building an integrated experience, but the coupling between nuget and project.json is extremely tight to the extent that it seems like everyone is being forced down this route in the new world of project.json. This is a real shame, because as been pointed out, there are some fundamental differences in opinions of how dependency management should work. I'm not going to rehash them all again because not only are they stated above but also discussed at length in #736. |
|
@davidfowl Please just make the snapshot file happen and everyone is happy again. I only see advantages here:
|
|
@forki You didn't actually answer my question.
Totally doable already with the tech as it exists today. I think there's tons of FUD around this personally because people want it to work a specific way.
There's only Paket and NuGet. I'm trying to understand why you paket needs to fit into project.json land (without a csproj), ms isn't pushing anything. There's a new project system that is integrated with the package manager (just like every most other platforms do, like rust and cargo for e.g.). There's also the existing msbuild project system that is super decoupled and powerful and works with paket already.
Except the point of this project system is to couple package building and producing. Decoupling it is strictly a non-goal. This isn't about trying to block paket from working and there is no evil intent here. The original goal of
That defeats the purpose. If you're not going to use the integrated experience there's no point going to this model.
You are being forced down this route the same way NuGet *forces you to use |
|
@davidfowl ok - perhaps I have massively misunderstood project.json. If I have, that's my bad. My understanding is that project.json is a replacement for e.g. .csproj, but also brings into the game an understanding of packages as well. If so - does that not mean that project.json is about more than just dependency management? And therefore if Paket wanted to go down the road of not using project.json, it would have to redo all the other things that project.json brings to the party. I read that ASP .NET 5 (and UWP?) will use project.json by default. If that is the case, then if you want to use Paket, you need to again go outside the standard route and completely replace the whole system, including any tooling that will be built to work with project.json. If I'm wrong on any of this, please tell me. |
Could you point me to a page/article/post which proves builds are always repeatable with the new project system of yours? That would be great. MS saying it's FUD is nice, but it's nothing more than hearsay ;)
So does this effectively mean: management of the project pipeline is done by your tooling and your tooling alone, doing that through 3rd party tooling is not really recommended/supported? |
project.json is needed to make DNX work though. |
|
What are the cons of implementing the snapshot idea, if any? Seems a great deal of push-back against a request for an open design. |
In UWP applications, there's still a csproj file that handles everything else (compilation, build pipeline etc). Paket still works there. The DNX projects (ASP.NET 5 projects) try to go a step further and make NuGet the only experience. It is coupled on purpose. Projects and packages are one in the same, consuming a package from a "DNX project" is a step away from producing a package with that package as a dependency. In this model, the project.json acts as the As part of that reverse engineering, we needed to be able to express compiler arguments since there was no msbuild to do the compilation (full list here): https://docs.asp.net/en/latest/dnx/projects.html?highlight=working%20dnx |
|
Ok. Thanks for providing that info. I think that there are lots more questions that are coming regarding this e.g. What happens for other project types adopting this in future etc. Just so I understand - UWP projects are potentially doable (effectively packages.config is replaced with project.json). If MSBuild is now NuGet aware, does that suggest that there will be tooling built into e.g. VS in the future will be tied into that as well? ASP .Net 5 projects sound like they won't ever be Paket enabled as they are specifically designed to work with NuGet only. Is that a correct interpretation? If so, then Paket can try to move forward as best as it can to work with as much as possible, where possible. |
... isn't that the core problem? I mean, why is there an inner focused 'our stuff or nothing at all' mentality? Isn't it better to have a dialog about what's needed by 3rd party tooling to work with what's designed for ASPNET so people have choices? |
|
Hmm, I only meant to refer to " (Incidentally, would anyone happen to know where the "NuGet.MsBuild.Integration" package comes from?) |
I don't want to say never because things can always change. If we design some package manager extensibility, it has the fit and gel with the model. We're not going to hack something into the system as a quick way to make paket work. IMO paket was designed to make the pain of NuGet as it existed in a previous form go away. It does a few things in particular very differently to NuGet and there other general things that would need to be fleshed out experience wise to make the tooling work well. The sky is not falling, and we care about F#, that's why this https://github.com/fsprojects/fsharp-dnx/ exists. |
Nobody is in the business of spreading FUD here. I'll refrain from reiterating for the umpteenth time why "doable" does not equate "real". I would love to see an updated nuget design meeting with some of the feedback microsoft provided after august e.g aspnet/dnx#2332 (comment) which has sadly been bumped from rc-1 to the backlog of 1.0. /cc @csharpfritz You mention cargo as an example, I hope you reread its locking section http://doc.crates.io/guide.html#cargotoml-vs-cargolock and at the very very least get rid of the pseudo lock (
The fact you are pushing back so hard on opening up the package manager portion of DNX's project.json reeks of hubris to be honest.
This is the exact sentiment I had hoped we could collectively move away from in the .NET dev'o'sphere. When DNX first started I was over the moon but its become painfully obvious that promise of a new simplified landscape 1+ year ago has turned into the exact opposite. Doing any DNX project will result in xproj/sln/project.json/global.json files littered in your code base. None of the nicely integrated project systems you've mentioned have this. You equate DNX projects with (ASPNET5 projects) but is that really what it comes down to now? a glorified node like run time for web apps? This saddens me deeply, there is some amazing tech in DNX. I'll take cargo as an example again, something is a binary or a lib thats it. This is the same promise I saw with DNX, no more project guids!, DNX even goes out of its way to make everything a lib which I personally do not like but alas. It's clear however it isn't simplifying squat since it has to live in the bigger VS world where we have UWP apps and others where old fashioned csproj files have to be used because really its only serving one use case. None of the other project systems you mentioned have this IDE integration requirement and they are all better for it. Nor do they have alternating project formats based on the type of app being build.
This is all true, you don't need DNX to do CoreCLR. you don't need DNX to do MVC6. Does this mean there is no value for Paket to try and work with DNX? No, for all the bitching I do about the dependency management it really does have a nice project/compilation system, DTH rocks and it for sure will be the defacto platform for 95% of all web apps being written once it GA's. As stated earlier I sincerely hope Microsoft goes all in on DNX for more then aspnet in the future too. If we have to standardize on a project/complication system in the future i personally prefer DNX's project.json over csproj files. |
If we're getting down the facts here are the reason it's FUD:
The reason we don't need this file for repeatable builds is because dependencies don't float. You may disagree with that approach but it works.
Yes. Sadly we have like 1000 other bugs and this one got punted.
It's like me saying that Paket should prefer lower versions. It's a design choice and principle Paket chose and who am I to question it? I can say it's a bad idea but there are reasons behind it. The same way I try to explain why we couple producing and consuming packages but nobody seems to care. They chalk it up to bad layering when in fact the net effect is pretty amazing (we've been living it for the last year).
Not sure I agree. Java has a bunch of IDE specific files when you use eclipse with different types of projects. That's no different from xproj. Also xproj exists for good reason, because we still have to interoperate with msbuild based projects and it gives us an easy way to do that. Global.json also exists for a reason and I don't see it as litter it's actually very intentional. These a files are very nicely integrated into both VS and omnisharp and the end to end experience. It's why you can swap out a package for source so easily, it was carefully designed to allow that. One thing other systems don't have is the concept of "solutions" (aka multi project projects). Go has workspaces and that's the most similar thing I can think of. The other files are unique to the .NET landscape (VS solutions with > 100 projects, potentially unrelated).
I know I love it for that too (that's why we made it). Like I said before though, shoe horning Paket in it's current form doesn't seem like a good solution for me. Can we change Paket to work differently for |
However nuget also allows floating prerelease package reference, so its already broken there. I am scared in time it will also support floating major,minor,patch versions. The GitHub issues asking for it on nuget already exist and who can blame them, having to lookup the latest version is tedious. Choosing lowest also means that nuget favors ignoring patch releases that OSS authors might have issued. There's is nothing inherently safer choosing lowest vs highest, a lock file simply eliminates all doubts no matter what resolution strategy is chosen. I think at this point we need to settle on the fact that we will never agree on this and that is OK, these two camps exist and it'd be nice if both can keep existing 👍 I'll drop the discussion on IDE files etcetera in the interest of staying on topic 🎉
This intrigues me :) What specifc set of changes do you see required for paket to play nicely and not shoehorn its way around DNX? |
I'd say lean on floating versions for your own dependencies (things that you control) and for 3rd party deps, just use the command that updates things.
That's why commnads like
Anyways, this is a philosophical difference we have and I'm not trying to convince you of anything.
Leaving dependencies in project.json as an example. Also potentially declaring dependencies in global.json (this has been requested in the past). Does paket needs it's own file format? What if we can preserve some of the Paket ness without changing the file formats and tooling around that? It's a different tool that has a different algorithm for dependencies but respects the file format as is? |
There's only Paket and Nuget today. In a healthy young ecosystem we should be seeing several more options at least in the near to medium term, with long term convergence towards a smaller number of options as the ecosystem matures and stabilizes. You should be doing everything you can to encourage this exploration.
There's no point in wanting the drastically simplified project management that project.json provides without being forced into the very narrow view of dependency management that Nuget holds? You're right, given the tight coupling that exists today, there is no point; but with just a little bit of looser coupling / extensibility, there would be.
Which is usually the wrong choice. Newer versions have new APIs or bug fixes that I may depend on; choosing the lowest version means those new APIs are unavailable and my build will fail, or worse it won't fail but I am missing some change in the newer version that I need/want. The better choice is to choose the highest version to make sure that all APIs and fixes are available, but WITHOUT changing major versions to avoid introducing breaking changes. If no version is available that satisfies that constraint, automatic dependency resolution should fail, and I should have to resolve it manually.
Packages get removed from feeds all the time for all sorts of reasons. With a lock file, a disappearing package will cause a build failure, which I can then resolve. With DNU, a new version is silently chosen, resulting in non-reproducible builds. This is not FUD; this is fact.
This is flat out wrong, for the reasons that I and many other have stated. If you don't lock your dependencies to exact versions, you cannot guarantee repeatable builds. Period.
Yes, there are IDE specific files for the IDE. The build doesn't need or care or even know about any of them. Do you not understand the enormous value that has? Many developers from the community have come here to express their concerns, explain why the solutions you have designed (mostly in isolation) do not meet their needs, and try to work with you, not only to meet their needs but to expand the community as well. You have responded by being defensive, accusing people of spreading FUD, expressing bewilderment that anyone would gasp want to use a tool other than than what Microsoft has produced, and generally doing everything except listen to the very people you are supposedly designing these solutions for. Your tone has been arrogant, insulting, and indicative of the very closed-minded attitude that Microsoft has spent so much effort trying to convince the community doesn't exist anymore. As someone who has championed .NET for years and has spent the last year telling people who have long since given up on Microsoft that now is the time to give it another chance, watching this "conversation" (and the others related to it) has gone from upsetting to infuriating to defeating. What am I supposed to tell people who read these conversations and see Microsoft so stalwartly committed to defending the choices they have made behind closed doors, regardless of any argument or evidence, instead of engaging with and learning from - yes, learning from - the community that is their lifeblood? I feel like so much more needs to be said, but I don't have the words... |
Missing the point completely, you still have no repeatable builds for the floating versions you control.
Sure but I'm more talking about greenfield deps. with paket I simply state the nuget id and then where I want to reference it,
It's just you because you have no lock file to go back to :D
Not a fair statement, I am not the one in a particular position that needs convincing. For what its worth neither am I though, i just want to keep stressing choice is good.
I don't want to speak for @forki but I think this was the first approach he explored. From a usability perspective it'll be unpleasant though since VS will kick off restores differently then paket would do. I would love to hear why you feel this proposed solution doesn't gel. |
That's not correct. Here are 3 scenarios:
http://fsprojects.github.io/Paket/nuget-dependencies.html#Strategy-modifiers |
Agree to disagree. There's no point arguing this. It's something we'll NEVER see eye to eye on. I respect each of the tools does things differently for different reasons.
See my above answer.
Nothing solves that besides an artifact repository, your own nuget feed or checking in the packages. A file with a list of versions can't repeat a build if the packages don't exist in the feed.
Who said the build needs them. I specifically called out msbuild interop as a reason for having those files. Also as a project system existing in VS, it's also required for solution builds inside of that tool.
I'm sorry you feel that way. I'm not trying to be closed minded at all, I've even used paket myself before and during the development of the DNX project system. What I've been trying extremely hard to do is explain the how and why things work the way they do without emotion in a way that just discusses the facts. I've even said that we'd be willing to look at solution that potentially would require changes to Paket so that it fits more with the other solution. I actually don't think things are as bad as people are making it seem. |
Unlisting doesn't affect nuget3 or dnu's dependency resolution behavior. It did with NuGet v2 it doesn't with v3.
That feature does exist (unfortunately) and I agree to make it work "well" you'd need a lock file or sorts. I think that only proves my point though. |
What? ;-) Don't you think this is a bug in the resolver? If I unlist a package I want people to not use it. But I want still reproducible builds. That's why it was invented and NuGet didn't just delete the packages. |
|
anyways.
I don't think Paket needs it's own file format just to have it's own file format. Actually I hope we can settle on something that work for everybody. But having versions in the project.lock is very unfortunate for use. The main reason is that we change these versions a lot during updates and we can't gitignore a single block in a file. Paket always tries to have a global view so it doesn't make sense to manage dependency versions on te project level (we would introduce the possibility of version conflicts). That's basically the whole issue. I could already have started and generate the dependencies block, but it doesn't feel right. Also generating the |
|
Maybe just keep in mind: project.json is not the only way of building libraries/dnx stuff. csproj stuff will stay, so keep calm. |
|
@GerjanOnline From a consumer point of view, Paket has as much to do with F# as JSON .NET has to do with C#, if not less i.e. yes it is written in F# - and is used by a lot of the F# community - but it works just as well for C# and VB .NET projects. So I think the issues here are not about the F# language or community as such, as Paket is used by e.g. C# developers as well. I agree though the atmosphere is unpleasant and not at all what I'm used it in my experiences of working in open source projects in the .NET space. |
|
@robertmuehsig @isaacabraham Got it, sorry for that. I just hope I can use Paket for my future projects like asp.net 5/DNX and I'm seeing a lot of negative comments/tension |
|
I'm not happy with how things escalated here. Until things have clamed down I close this and #736 as "won't fix". |
|
Hmm, I only meant to refer to " And I certainly didn't mean to start a flame war. (Incidentally, would anyone happen to know where the "NuGet.MsBuild.Integration" package comes from?) |
|
I have a C# .NET service. It uses paket, which I have been very, very happy with. I just googled paket CoreClr to investigate what is required to port my service to CoreClr and I have to say this thread is thoroughly depressing and aggressive in tone. This thread is a massive, massive turn off to CoreClr and to .NET OSS / ecosystem in general. I really hope this is a temporary blip and not a mask slipping. Frankly it's embarrasing to read. |
|
Have things improved over the last 4 months? |
|
no comment |
|
Does anything change now that project.json is out of the picture? |
|
That's not clear yet. But maybe we got a new chance for cooperation. Does anything change now that project.json is out of the picture? — |
|
@HoraceGonzalez to answer "how it stacks up against NuGet.exe", see https://github.com/dotnet/cli/issues/3123 which is an "indepedantly" funded investigation on the matter 😄 |
I notice that the Paket website/documentaton doesn't make any mention of
project.jsonProject.json Intro, which for NuGet's purposes basically replacespackage.config(in participating projects), with a few differences:project.jsondoes not bake in transitive dependencies; instead, these are resolved during package restore and written into a lockfile. (This should sound familiar.)project.json, NuGet does not modify project files during package "install" or restore (Except ifproject.jsonis the project file, like for ASP.NET 5, though reportedly NuGet is not actually used for ASP.NET 5?)Instead, the build system is supposed to pick up references from the lockfile,
project.lock.json.project.jsonyet.And that's just the things that NuGet 3 doesn't do anymore with
project.json; there are also some new features, too.It would be nice if you'd talk about the extent to which the advantages that you mention Paket has over
packages.configalso apply toproject.json, whether any new advantages have cropped up, and (god forbid!) any advantagesproject.jsonmight have at the moment.Docs
The NuGet documentation includes these pages about
project.json:The text was updated successfully, but these errors were encountered: