by encloser 4140 days ago
Using source repositories as packages sounds like an awful idea. Not only do you have to deal with runtime dependencies, but also compile, test, and other dependencies. What happens if the tags are not numbers? What if a tag you are using is deleted?

Go ask the Erlang community about the issues they have with using GitHub repos as "packages". Here is a discussion about packaging: http://mostlyerlang.com/2015/01/27/054-packages/

3 comments

I think you might be misunderstanding how this service works.

The GitHub repositories don't serve the packages.

JitPack checks out the repository code, builds it, and serves it like a normal Maven repository. Here is a sample repository https://github.com/jitpack/maven-simple and the Maven repository it is served from: https://jitpack.io/com/github/jitpack/maven-simple/0.1/maven...

I got that it is building a binary and basically placing it in a local repo. I also get that it is looking for a binary from a GitHub Release first, which is mildly better.

I still think solutions like this are putting your build process at great risk. You will have build issues that are no fault of your own and completely out of your control. Unless you clone the GitHub repository and then use that as your source. And cloning will have issues and risks of its own.

EDIT: See pron's reply for describing the risks: https://news.ycombinator.com/item?id=9029870

That's correct.

Thanks for the feedback and it's good to hear your concerns. Yes, you can use strings as tags, but we recommend using Semantic Versioning just as GitHub recommends for Releases [1]. At some point we may choose to only build tags that match semantic versioning, to be decided. Unlike using just GitHub as source repositories we have some over what we serve and that's the difference.

If you make a conscious decision to release, add release notes and a tag, why would you delete it? Especially if you want others to use your project. It's just not part of the usual release workflow. Right now you can still get the binary for a tag that has been deleted because we cache it. We will probably add restrictions to prevent building another binary with the same tag.

[1] https://github.com/blog/1547-release-your-software

See @vathpela

https://twitter.com/vathpela/status/563808697151803392 "Apparently Intel's Galileo build scripts that they distribute to users just clone my damn grub-0.97 repo off github."

https://twitter.com/vathpela/status/563808755213557761 "Which isn't a thing I knew when I deleted it Tuesday."