[Koha-devel] Adopting CPAN and Carton
dcook at prosentient.com.au
dcook at prosentient.com.au
Thu Jun 11 01:59:15 CEST 2020
Sourcing Perl dependencies via Debian's Apt repositories or embedded CPAN dependencies wouldn't affect your "aptitude update/upgrade", as Koha would've been tested ahead of time before being released.
Perl and npm are apples and oranges. Perl is to Node.js as carton is to npm. There are good and bad packages in both ecosystems.
But Debian Perl package maintainers are very useful. My favourite example is HTTP::OAI. Tim Brody's HTTP::OAI version 4.03 on CPAN was broken. The version in Debian stayed on 3.27 for a while, and then when 4.03+ was added to Debian, it included patches from a Debian package maintainer. (Actually, looking at CPAN now, it seems like someone else has also finally taken over HTTP::OAI from Tim Brody, which is promising.)
If we didn't use Debian packages, I suppose we would've stayed at 3.27 until the CPAN version was fixed.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Online: 02 8005 0595
-----Original Message-----
From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf Of Mike Lake
Sent: Wednesday, 10 June 2020 6:04 PM
To: koha-devel at lists.koha-community.org
Subject: Re: [Koha-devel] Adopting CPAN and Carton
Plus for Chris's view on this.
As a sys admin that maintains a Koha for an org I want to be able to "aptitude update/upgrade" without problems and do a future dist-upgrade with few problems.
Perl is pretty stable (vastly stable compared to npn packages) but there are occasionally patches that come through. It's preferable for a Debian Perl package maintainer to manage that I think.
Mike
---
Mike Lake
On 2020-06-10 17:49, Chris Cormack wrote:
> Hi all
>
> Just want to put on record my thoughts that replacing the package
> architecture with carton or cpan seems like a bad idea.
> The main benefit of using modules packaged and tested by debian
> developers is that is a whole lot of work we don't have to do. It
> comes under the debian perl (who have massive combined knowledge) and
> the debian security team.
> If we are going to move away from that someone is going to be needing
> to follow all the security advisories for all the perl modules we use
> (must be a hundred or so) and deal with that. It also makes OS
> udgrades harder.
>
> I'm not opposed to having them as an option but replacing the packages
> with them seems like a step into the utter chaos that is things like
> npm and the node world.
>
> Chris
_______________________________________________
Koha-devel mailing list
Koha-devel at lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20200611/b7c05b4f/attachment.sig>
More information about the Koha-devel
mailing list