On Friday, June 19, 2020 at 3:36:55 PM UTC-4, Hendrik Boom wrote:
>
> On Fri, Jun 19, 2020 at 07:54:29AM -0700, Brian Adkins wrote: 
> > On Friday, June 19, 2020 at 8:09:04 AM UTC-4, Neil Van Dyke wrote: 
> > > 
> > > For an important production system, you probably want the source of any 
> > > third-party packages on which you depend to be in Git (or another SCM 
> > > system) that you control. 
> > > 
> > > You might also want to audit those packages yourself, as well as audit 
> > > any new version changes to them, before you push to production. 
> > > 
> > > After you do those things in SCM, depending how you do it, you *might* 
> > > find it's more convenient to simply load the third-party code you need 
> > > using the module system `require` only, without an additional package 
> > > system. 
> > > 
> > 
> > While I see some benefits of this approach, I just looked at a typical 
> > Rails project of mine, and it has over 160 packages with some packages 
> > depending on different versions of other packages, etc., so I think 
> > managing all of this myself in git might be overly burdensome. Granted, my 
> > current Racket apps have far fewer dependencies, but I expect that may 
> > increase over time. 
>
> If you want to avoid problems with software you use changing 
> unpredictably, you will have to use your own copy that does not 
> change at all. 
>
> I don't see another alternative if your upstream source might change at 
> any time. 
>
> And you will likely have to vet any changes that appear upstream in 
> case they actually do fix security-related issues that might already 
> affect you.  It will be up to you to determine the risks of leaving 
> your local copy unchanged. 
>

I'm hoping the main scenario I'm concerned about (a bug is introduced in an 
update of a package) is rare, although that's exactly what motivated Alex 
to create his system. If it is a rare scenario for me, then I'd like to do 
the following:

1) Develop & test locally while updating packages as needed
2) Prior to releasing to production, do *something* that effectively 
snapshots my environment
3) Use the snapshot to deploy to production

Although I have some ideas about the "something" task, I still have to 
finalize the procedure and try it out. One option is to simply use a 
racksnap snapshot. What I'd like to do is to create a personal catalog that 
represents the packages I currently have installed, but it doesn't appear 
there's a super easy `raco pkg` command to do that - I still need to 
research a bit. Either there is a command, or it seems like a relatively 
straightforward thing to add.

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/65039c0a-a001-46f6-af24-a9321a5750bao%40googlegroups.com.

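The "something" in step 2 above, as an added example that is not part of the original thread or of Racket's own tooling: a small Racket script that uses the documented `pkg/lib` API (`installed-pkg-table`, `pkg-info-orig-pkg`, `pkg-info-checksum`) to write a lockfile pinning every installed package to its source and checksum, and to verify a target machine against that lockfile before deploying. The script name `pkg-lock.rkt`, the lockfile layout, and the choice to cover both `installation` and `user` scope are assumptions made for this example.

```racket
#lang racket/base
;; Added example, not code from the thread: pin installed Racket packages to
;; their checksums (a lockfile) and detect drift before a production deploy.
(require pkg/lib racket/list racket/cmdline)

;; Assumption: the app's dependencies live in installation and/or user scope.
(define scopes '(installation user))

;; -> (listof (list name orig-pkg checksum)), sorted by name.
;; orig-pkg is e.g. '(catalog "foo") or '(url "https://..."); checksum is #f
;; for `raco pkg install --link`ed directories, which cannot be pinned.
(define (installed-pins)
  (sort
   (for*/list ([scope (in-list scopes)]
               [(name info) (in-hash (installed-pkg-table #:scope scope))])
     (list name (pkg-info-orig-pkg info) (pkg-info-checksum info)))
   string<? #:key first))

;; Lockfile is one `read`able S-expression so it diffs cleanly in git.
(define (write-lockfile path)
  (call-with-output-file path #:exists 'truncate
    (lambda (out) (write (installed-pins) out) (newline out))))

(define (read-lockfile path)
  (call-with-input-file path read))

;; Compare pinned vs installed; returns a list of problem strings, empty when
;; the machine matches the lockfile exactly. Extra unpinned packages count as
;; a problem too: they are code in production that nobody reviewed.
(define (lockfile-problems pinned installed)
  (define (table pins) (for/hash ([p (in-list pins)]) (values (first p) p)))
  (define want (table pinned))
  (define have (table installed))
  (append
   (for/list ([(name p) (in-hash want)]
              #:unless (hash-has-key? have name))
     (format "missing: ~a" name))
   (for/list ([(name p) (in-hash have)]
              #:unless (hash-has-key? want name))
     (format "unpinned extra package: ~a" name))
   (for/list ([(name p) (in-hash want)]
              #:when (hash-has-key? have name)
              #:unless (equal? (third p) (third (hash-ref have name))))
     (format "checksum drift: ~a pinned ~a, installed ~a"
             name (third p) (third (hash-ref have name))))
   (for/list ([p (in-list installed)] #:unless (third p))
     (format "not pinnable (linked, no checksum): ~a" (first p)))))

(module+ main
  (command-line
   #:program "pkg-lock"
   #:args (command lockfile)
   (case command
     [("snapshot") (write-lockfile lockfile)]
     [("verify")
      (let ([problems (lockfile-problems (read-lockfile lockfile)
                                         (installed-pins))])
        (for-each displayln problems)
        (exit (if (null? problems) 0 1)))]
     [else (error 'pkg-lock "unknown command: ~a" command)])))
```

Usage: `racket pkg-lock.rkt snapshot racket.lock` on the machine where step 1 finished and tests passed, commit `racket.lock`, then `racket pkg-lock.rkt verify racket.lock` on the production host after installing; a non-zero exit blocks the deploy. Note the caveat this exposes: the lockfile pins what was installed, but a plain `raco pkg install` on the target still fetches from the upstream catalog, so the verify step is what catches a changed or yanked version. To remove the upstream dependency entirely, pair it with the thread's earlier advice and mirror the sources into a catalog you control (`raco pkg catalog-archive` is the documented command for copying package sources into a directory catalog).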