
Author Topic: Online Package Manager  (Read 839612 times)

lainz

Re: Online Package Manager
« Reply #1890 on: July 23, 2020, 04:50:40 pm »
Hi wp, it is a good idea to add comments.

Maybe we can use any third party comment system like Facebook or Disqus. Just a unique ID is required for that to work properly.

Edit: I've used Facebook comments in the past, and it has no ads. Disqus "free" has ads.
« Last Edit: July 23, 2020, 05:04:57 pm by lainz »

balazsszekely

Re: Online Package Manager
« Reply #1891 on: July 23, 2020, 05:26:37 pm »
@wp
Quote
I have a problem here...  What is an "orphaned" package? When does it become like this? Who decides this?

OK. Fair enough. Perhaps we can change "orphaned" to something else. The idea is to somehow tag those packages that are no longer maintained. Let's say if the author did not modify the package for five years? A lot of users suggested the idea that unmaintained/broken packages can be picked up by somebody else (see comment by TRon: https://forum.lazarus.freepascal.org/index.php/topic,34297.msg368200.html#msg368200)

Quote
I worry about old packages, well written in a way which is not affected by recent changes in FPC or Lazarus.

Look at DCPCrypt, used by many programs. On the site referred to by OPM, I can read: "DCPcrypt has finally been retired (except for the versions above). I’ve been developing it since 1999 and from 2007 (or so) it has been developing code rot as I’ve not had time to update it." As far as I know, there is no maintainer for Lazarus. So, is it orphaned? I would say so. But "orphaned" means to many users: "Keep your hands off of this!" But I would say: no, absolutely no - it is an excellent package.

Instead of "orphaned" I'd prefer a line "Date of last update" in the package description, in addition to "Available since...". I agree that DCPCrypt will have a poor standing here too, but now there is an objective criterion for the maintenance level which can even be automated.

There is a rating system in OPM, that would solve the issue. For now it only works locally. We should create a database (https://packages.lazarus-ide.org/) and implement a login system, where each user can vote once. Unfortunately I did not have enough time to implement it. A five star package is an excellent package, even if orphaned. Moreover, we also have a "Community description" node, where everyone can add a comment (attachment). We can also give more detailed info there.

Quote
We have an online version of OPM at https://packages.lazarus-ide.org/. Would it be possible to add a user comment field to each package? This way a new user could read the comments and could decide on his own whether this package would be worth trying out.
That page was created by @lainz, the information is read from the main json.



@lainz
Quote
Maybe we can use any third party comment system like Facebook or Disqus. Just an unique ID is required for that to work properly.
I'm not against it, but first we should create a database, and read the data from there instead of from the json.
« Last Edit: July 23, 2020, 05:29:19 pm by GetMem »

lainz

Re: Online Package Manager
« Reply #1892 on: July 23, 2020, 05:58:01 pm »
So the database and the application to access it from the server. I've not done that by myself yet, at work using existing database and application. Yes I've expanded the database, created new endpoints in the application but not configured it from the ground.

balazsszekely

Re: Online Package Manager
« Reply #1893 on: July 24, 2020, 06:39:28 am »
@lainz
Quote
So the database and the application to access it from the server. I've not done that by myself yet, at work using existing database and application. Yes I've expanded the database, created new endpoints in the application but not configured it from the ground.
Yes. But there are some limitations. The site admin prefers Postgre as database server. For security reasons OPM can only connect to the database via a console application running on the server.

We should also create a web interface where package maintainers can log on and upload their packages/vote. I will have to rewrite a significant part of OPM, because now the whole system is based on the main json. So a lot of work :D.

lainz

Re: Online Package Manager
« Reply #1894 on: July 24, 2020, 04:27:14 pm »
Quote
@lainz
Quote
So the database and the application to access it from the server. I've not done that by myself yet, at work using existing database and application. Yes I've expanded the database, created new endpoints in the application but not configured it from the ground.
Yes. But there are some limitations. The site admin prefers Postgre as database server. For security reasons OPM can only connect to the database via a console application running on the server.

We should also create a web interface where package maintainers can log on and upload their packages/vote. I will have to rewrite a significant part of OPM, because now the whole system is based on the main json. So a lot of work :D.

Ok, I'm using postgres, so I know how to use it. About the console application, I've coded some endpoints in pascal as well, I can't remember which tools I used but it is just like doing the query to the database and returning it as json.

About the main json, maybe an endpoint called main.json will do the trick  :) Like it generates the json file with all the packages. Of course it is not optimal because it needs to download a huge file, but maybe adding some pagination will do.

And web interfaces is what I do most of the time, so I can help, but we need to organize in some way.  :)

Edit: of course it is a lot of work and maybe you, like me, want to take weekends for fun, not to keep coding like in the whole week  ::)
« Last Edit: July 24, 2020, 10:42:51 pm by lainz »

TRon

Re: Online Package Manager
« Reply #1895 on: July 25, 2020, 01:37:53 am »
Quote
@wp
Quote
I have a problem here...  What is an "orphaned" package? When does it become like this? Who decides this?

OK. Fair enough. Perhaps we can change "orphaned" to something else. The idea is to somehow tag those packages that are no longer maintained. Let's say if the author did not modify the package for five years? A lot of users suggested the idea that unmaintained/broken packages can be picked up by somebody else (see comment by TRon: https://forum.lazarus.freepascal.org/index.php/topic,34297.msg368200.html#msg368200)

Indeed. A package that hasn't been updated for 5 years or sometimes even longer does not necessarily mean it is orphaned and/or unsupported. In fact there are plenty of such libraries that work perfectly after so many years.

However, and I express it gladly again, my main concern is/was about packages that are indeed abandoned, then somehow ended up in OPM _and_ doing so by using different source-code.

It seems perfectly fine for blissfully unaware reactors to point me to how FOSS works (which, for these kind of things doesn't btw) but the above situation, for me personally, is a complete no-no.

Either you use the original sources that are abandoned (and perhaps not work) or you take over the project so that you are able to make changes to the original project and allow for others to take note of that.

Simply making changes to an abandoned project to make it work, adding it to OPM and then pointing towards the original repo/author, crossing fingers no-one will ever notice is just plain rude to everybody except for the one making use of these kind of tactics.

In such situation an (OPM) package should simply mention that fact and/or explicitly not pointing towards the original author and/or original repo.

I have spent 3 freakin' days ploughing my way through the forums here, reading post by post going back year by year, in the hopes to locate even a glimpse of someone mentioning that a particular package has been modified, but was unable to find any evidence of it.

How FOSSY is that ?  :'(

lainz

Re: Online Package Manager
« Reply #1896 on: July 25, 2020, 01:47:10 am »
I think we're thinking about OPM in its current stage, not in its 'mature' form.

If we will add support to anyone registered in the OPM website to add packages in the future, what prevents that me or anyone else fork and publish any kind of projects, even abandoned projects or 1 line of code projects, empty packages and so on?

If we keep thinking that GetMem will do all the job, everything is up to him finally don't you think that?

If the website will have a package associated with an author, that doesn't add the relationship of maintainer of the package? Let's say we start adding all packages to GetMem, as new members register they can take his projects. Finally the projects that are still owned by GetMem are the 'not maintained' by his original author at least.

TRon

Re: Online Package Manager
« Reply #1897 on: July 25, 2020, 02:00:12 am »
@lainz:
Was that reply #1896 meant as a direct reaction to my post #1895 perhaps ?

lainz

Re: Online Package Manager
« Reply #1898 on: July 25, 2020, 02:05:30 am »
Quote
@lainz:
Was that reply #1896 meant as a direct reaction to my post #1895 perhaps ?

Inspired, but not directly. I mean I take this as a discussion to know what will be done or not.

I'm following the discussion only, not to attack someone's response, trying to keep it friendly as well  :)

Edit: sorry if it sounded like a direct response, or if I offended you in some way. The idea is to keep this friendly.
« Last Edit: July 25, 2020, 02:07:03 am by lainz »

TRon

Re: Online Package Manager
« Reply #1899 on: July 25, 2020, 02:10:53 am »
Quote
Inspired, but not directly. I mean I take this as a discussion to know what will be done or not.

Edit: sorry if it sounded like a direct response, or if I offended you in some way. The idea is to keep this friendly.
Because I wasn't sure if you were directly responding to my post, thought to ask instead in order to avoid confusion.

Because now that you aren't, I can delete my ranting reply that I wanted to post and try another approach  :-X

lainz

Re: Online Package Manager
« Reply #1900 on: July 25, 2020, 02:31:43 am »
Quote
Inspired, but not directly. I mean I take this as a discussion to know what will be done or not.

Edit: sorry if it sounded like a direct response, or if I offended you in some way. The idea is to keep this friendly.
Because I wasn't sure if you were directly responding to my post, thought to ask instead in order to avoid confusion.

Because now that you aren't, I can delete my ranting reply that I wanted to post and try another approach  :-X

Ok.. I mean maybe the confusion was the part that says "don't you think?". I'm not a native English speaker, so I don't know how to say that to anyone instead of using the 'you'. That you was meant to anyone, not specifically the previous post.

And well feel free to criticize my response anyways. The idea is to get the best solution I think, no one will have the right answer at the first, not even me or you or anyone. For that is the discussion forum.

lainz

Re: Online Package Manager
« Reply #1901 on: July 25, 2020, 02:53:39 am »
Quote
Indeed. A package that hasn't been updated for 5 years or sometimes even longer does not necessarily mean it is orphaned and/or unsupported. In fact there are plenty of such libraries that work perfectly after so many years.

However, and I express it gladly again, my main concern is/was about packages that are indeed abandoned, then somehow ended up in OPM _and_ doing so by using different source-code.

It seems perfectly fine for blissfully unaware reactors to point me to how FOSS works (which, for these kind of things doesn't btw) but the above situation, for me personally, is a complete no-no.

Either you use the original sources that are abandoned (and perhaps not work) or you take over the project so that you are able to make changes to the original project and allow for others to take note of that.

Simply making changes to an abandoned project to make it work, adding it to OPM and then pointing towards the original repo/author, crossing fingers no-one will ever notice is just plain rude to everybody except for the one making use of these kind of tactics.

In such situation an (OPM) package should simply mention that fact and/or explicitly not pointing towards the original author and/or original repo.

I have spent 3 freakin' days ploughing my way through the forums here, reading post by post going back year by year, in the hopes to locate even a glimpse of someone mentioning that a particular package has been modified, but was unable to find any evidence of it.

How FOSSY is that ?  :'(

This is a direct reply indeed =)

I can agree with you, I hope that some day there will be more forks of the projects, more contributions that are ported back to the original package, if still alive, and if not why not maintain a fork or become a maintainer, I have personally seen projects like for example the user @wp is doing or @Avra, that are working with sources of codetyphoon porting back to lazarus or porting delphi packages. I think it is a good idea.

I have a list of all the people that contributed to BGRAControls, first Dibo the original author, then Circular, and me. And a lot of people over the years, they are properly credited in the readme file. So I wish all projects the luck I had with this open source project. I know not all projects are really contributed by the community, and are just single man tools.

Another project is JsonTools, I have a fork for personal usage, but it is not listed in OPM, so I need to include that file in my project instead of installing it from OPM. Mostly bugfixes that are added by some users in the official project GitHub page. Now the project is "abandoned" despite it works faster than the FPC json units... so I can get the idea that abandoned projects don't mean that they are bad.

TRon

Re: Online Package Manager
« Reply #1902 on: July 25, 2020, 02:55:07 am »
Quote
Ok.. I mean maybe the confusion was the part that says "don't you think?".
Well, that and some other small things that initially led me to believe you were directly responding to my post. Only some things didn't make any sense in the context of my post.

Quote
I'm not a native English speaker, so I don't know how to say that to anyone instead of using the 'you'. That you was meant to anyone, not specifically the previous post.
No problem, I think you are perfectly fine expressing yourself in English, and when in doubt we can ask  :). My native tongue also isn't English...

Quote
And well feel free to criticize my response anyways. The idea is to get the best solution I think, no one will have the right answer at the first, not even me or you or anyone. For that is the discussion forum.
Oh, I am sure we do not have the solution. Especially when it comes to the best solution for GetMem.

Each and every time I come up with something then it does seem to require some form of moderation/verification. I believe it just comes with the territory and that there is no other way around it.

edit: typos removed
« Last Edit: July 25, 2020, 03:08:08 am by TRon »

lainz

Re: Online Package Manager
« Reply #1903 on: July 25, 2020, 03:26:28 am »
Quote
Oh, I am sure we do not have the solution. Especially when it comes to the best solution for GetMem.

Each and every time I come up with something then it does seem to require some form of moderation/verification. I believe it just comes with the territory and that there is no other way around it.

Yes, take as an example the javascript npm repository, when a virus can take your entire project. I think that is why the current form was decided, where a single person maintains it (OPM).

Yes you need to pay moderators if you want a person looking for viruses or spam all day  :)

TRon

Re: Online Package Manager
« Reply #1904 on: July 25, 2020, 04:43:10 am »
Quote
If we will add support to anyone registered in the OPM website to add packages in the future, what prevents that me or anyone else fork and publish any kind of projects, even abandoned projects or 1 line of code projects, empty packages and so on?
For sure that could pose a problem.

However, and please correct me if wrong, there would also be a supervisor/admin (or other trusted member(s)) that has/have the capability of noticing such attempts and block the account.

How does this work with access to Free Pascal sources ? Am I able to apply for access ? If I am, am I then granted access to the core components right from the start ?

There would be something seriously wrong, in case I could (I would create havoc there, intended or not  :P )

Usually in such cases you are only granted access to particular parts of the source-tree (if at all) after some form of validation process.

Of course, even then things could go wrong in case of a serious dispute between people.

Quote
If we keep thinking that GetMem will do all the job, everything is up to him finally don't you think that?
Personally I would like to see a solution where GetMem is able to delegate most of his current work, preferably in a safe manner. At least to a degree where he is able to feel comfortable.

Quote
If the website will have a package associated with an author, that doesn't add the relationship of maintainer of the package?
The author should be the one that authored the code. Of course this doesn't necessarily mean that the author is the maintainer (although in my book it is, otherwise don't supply the package for OPM in case you are not willing to be so).

You can see that in the example of benibela's internet-tools. He is the actual author of the used code, but as far as I am able to tell he has nothing to do with the package that is/was present in OPM.

That is a big concern because of the following reasons:
- code used for the OPM package is not available (anymore), e.g. modified source-code
- original developer isn't responsible for the state of the OPM package and in this case doesn't even have any knowledge it was part of OPM.

Despite that the package happily pointed the user to the original repo and original developer, misleading me as end-user in the process.

Quote
Let's say we start adding all packages to GetMem, as new members register they can take his projects. Finally the projects that are still owned by GetMem are the 'not maintained' by his original author at least.
Well, GetMem mentioned not wanting to go through the complete list of packages in order to determine the abandoned ones.

I understand that perfectly.

I made some small steps in going through the list and see if the source in OPM matches those of the original project repo/author and it is tedious to do so.
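
Added example, not part of the thread and not OPM code: the manual check described in the last post (does the source shipped in a package match the original project repo?) can be automated by hashing both trees and reporting the differences. It assumes both trees are already unpacked locally; the suffix list, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of text source types; these are hashed with CRLF folded to LF so
# that a Windows-packed archive does not look "modified" for line endings alone.
SOURCE_SUFFIXES = {".pas", ".pp", ".inc", ".lpk", ".lfm", ".lpr"}

def file_digest(path: Path) -> str:
    data = path.read_bytes()
    if path.suffix.lower() in SOURCE_SUFFIXES:
        data = data.replace(b"\r\n", b"\n")
    return hashlib.sha256(data).hexdigest()

def tree_digests(root: Path) -> dict:
    """Map each relative file path under root to its digest, skipping .git metadata."""
    out = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            out[rel.as_posix()] = file_digest(p)
    return out

def compare_trees(upstream: Path, packaged: Path) -> dict:
    """Report files whose content differs and files present on one side only."""
    up, pk = tree_digests(upstream), tree_digests(packaged)
    return {
        "modified": sorted(f for f in up.keys() & pk.keys() if up[f] != pk[f]),
        "only_in_package": sorted(pk.keys() - up.keys()),
        "only_in_upstream": sorted(up.keys() - pk.keys()),
    }

def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        up, pk = Path(tmp, "upstream"), Path(tmp, "packaged")
        files_up = {
            "src/core.pas": b"unit core;\ninterface\nimplementation\nend.\n",
            "src/net.pas": b"unit net;\ninterface\nimplementation\nend.\n",
            "README.md": b"upstream readme\n",
            ".git/HEAD": b"ref: refs/heads/master\n",
        }
        files_pk = {
            # Same content as upstream, only CRLF line endings.
            "src/core.pas": b"unit core;\r\ninterface\r\nimplementation\r\nend.\r\n",
            # Content changed by whoever repackaged it.
            "src/net.pas": b"unit net;\ninterface\nuses ssl;\nimplementation\nend.\n",
            # File that does not exist upstream.
            "src/compat.inc": b"{$mode objfpc}\n",
        }
        for root, files in ((up, files_up), (pk, files_pk)):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_trees(up, pk)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

A non-empty "modified" or "only_in_package" list is the case the post is concerned about: a package whose description points at the original repo while shipping different source.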

 
