[Koha-devel] Adopting CPAN and Carton

Renvoize, Martin martin.renvoize at ptfs-europe.com
Mon Jun 15 12:59:00 CEST 2020 

A couple of things

1) You can already test koha using all the latest Perl dependencies from
cpan using koha-testing-docker (Just set CPAN=1 in your environment before
calling ku).. and I set this to run periodically on Jenkins
2) Carton takes snapshots to 'fix' your dependencies at specific versions..
all Perl dependencies, not just those you list in the cpanfile.. The idea
is you use carton to ensure you match exactly what other developers are
using, and track that list in git so you can upgrade on mass.

I can see arguments for both cases.  I argued against using Mojolicious and
the OpenAPI plugin at the time because I knew the projects well and they
are fast-moving and as such being 'stuck' on the Debian packages or stuck
maintaining our own Debian packages is forever a challenge (and I've been
proved right on that count a few times now).

Just my two pence to add to the conversation.


*Martin Renvoize*

<https://www.ptfs-europe.com>

Development Team Manager

Community Release Manager (19.11, 20.05)


*Phone:* +44 (0) 1483 378728

*Mobile:* +44 (0) 7725 985 636

*Email:* martin.renvoize at ptfs-europe.com

*Fax:* +44 (0) 800 756 6384


www.ptfs-europe.com







Registered in the United Kingdom No. 06416372   VAT Reg No. 925 7211 30

The information contained in this email message may be privileged,
confidential and protected from disclosure. If you are not the intended
recipient, any dissemination, distribution or copying is strictly
prohibited. If you think that you have received this email message in
error, please email the sender at info at ptfs-europe.com




On Thu, 11 Jun 2020 at 00:59, <dcook at prosentient.com.au> wrote:

> Sourcing Perl dependencies via Debian's Apt repositories or embedded CPAN
> dependencies wouldn't affect your "aptitude update/upgrade", as Koha
> would've been tested ahead of time before being released.
>
> Perl and npm are apples and oranges. Perl is to Node.js as carton is to
> npm. There are good and bad packages in both ecosystems.
>
> But Debian Perl package maintainers are very useful. My favourite example
> is HTTP::OAI. Tim Brody's HTTP::OAI version 4.03 on CPAN was broken. The
> version in Debian stayed on 3.27 for a while, and then when 4.03+ was added
> to Debian, it included patches from a Debian package maintainer. (Actually,
> looking at CPAN now, it seems like someone else has also finally taken over
> HTTP::OAI from Tim Brody, which is promising.)
>
> If we didn't use Debian packages, I suppose we would've stayed at 3.27
> until the CPAN version was fixed.
>
> David Cook
> Systems Librarian
> Prosentient Systems
> 72/330 Wattle St
> Ultimo, NSW 2007
> Australia
>
> Office: 02 9212 0899
> Online: 02 8005 0595
>
> -----Original Message-----
> From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf
> Of Mike Lake
> Sent: Wednesday, 10 June 2020 6:04 PM
> To: koha-devel at lists.koha-community.org
> Subject: Re: [Koha-devel] Adopting CPAN and Carton
>
> Plus for Chris's view on this.
>
> As a sys admin that maintains a Koha for an org I want to be able to
> "aptitude update/upgrade" without problems and do a future dist-upgrade
> with few problems.
>
> Perl is pretty stable (vastly stable compared to npn packages) but there
> are occasionally patches that come through. It's preferable for a Debian
> Perl package maintainer to manage that I think.
>
> Mike
> ---
> Mike Lake
>
> On 2020-06-10 17:49, Chris Cormack wrote:
> > Hi all
> >
> > Just want to put on record my thoughts that replacing the package
> > architecture with carton or cpan seems like a bad idea.
> > The main benefit of using modules packaged and tested by debian
> > developers is that is a whole lot of work we don't have to do. It
> > comes under the debian perl (who have massive combined knowledge) and
> > the debian security team.
> > If we are going to move away from that someone is going to be needing
> > to follow all the security advisories for all the perl modules we use
> > (must be a hundred or so) and deal with that. It also makes OS
> > udgrades harder.
> >
> > I'm not opposed to having them as an option but replacing the packages
> > with them seems like a step into the utter chaos that is things like
> > npm and the node world.
> >
> > Chris
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/ git :
> http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20200615/37d12360/attachment.htm>

More information about the Koha-devel mailing list