New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provide a author-independent download link #835

Open
daxim opened this Issue May 6, 2013 · 13 comments

Comments

Projects
None yet
9 participants
@daxim

daxim commented May 6, 2013

Provide a distribution download link that includes the version, but excludes the author/release manager PAUSE id. This is important for packaging. Example: the current link to DBIx-Class is http://cpan.metacpan.org/authors/id/R/RI/RIBASUSHI/DBIx-Class-0.08250.tar.gz. A corresponding specfile says Source: http://cpan.metacpan.org/authors/id/R/RI/RIBASUSHI/DBIx-Class-%{version}.tar.gz. When the release manager changes, the specfile breaks for no good reason and always needs a manual fix-up.

@metacpan-user

This comment has been minimized.

Show comment
Hide comment
@metacpan-user

metacpan-user May 6, 2013

I think that's an issue with the toolchain on the specfile side. The file has to be recreated anyway if the abstract changes or the license, or whatever metadata is included in the specfile.
Furthermore, the release is not unique, it only becomes unique in combination with the author.

metacpan-user commented May 6, 2013

I think that's an issue with the toolchain on the specfile side. The file has to be recreated anyway if the abstract changes or the license, or whatever metadata is included in the specfile.
Furthermore, the release is not unique, it only becomes unique in combination with the author.

@monken

This comment has been minimized.

Show comment
Hide comment
@monken

monken May 6, 2013

Member

^^ that was me :)

Member

monken commented May 6, 2013

^^ that was me :)

@daxim

This comment has been minimized.

Show comment
Hide comment
@daxim

daxim May 7, 2013

You cannot compare a change of abstract or licence with a change of author/release manager.

The former happens rarely enough, and these are actually important metadata. A packager is happy to accomodate that change.

The latter, however, is totally spurious. This metadatum is not used at all in specfiles, but nevertheless changes all the time the templated permalink (Source). All this does is create version control churn and manual fixing labour for no good reason. No other software archive does that, they all use straightforward, reasonably predictable URLs along the likeness of http://example.org/releases/foo-bar-%{version}.tar.xz which remain stable most of the time.

A distro name and version is unique, the author does not enter into it. PAUSE enforces that every distro must have a version, and that the version is not reused. Correct me if I'm wrong.

daxim commented May 7, 2013

You cannot compare a change of abstract or licence with a change of author/release manager.

The former happens rarely enough, and these are actually important metadata. A packager is happy to accomodate that change.

The latter, however, is totally spurious. This metadatum is not used at all in specfiles, but nevertheless changes all the time the templated permalink (Source). All this does is create version control churn and manual fixing labour for no good reason. No other software archive does that, they all use straightforward, reasonably predictable URLs along the likeness of http://example.org/releases/foo-bar-%{version}.tar.xz which remain stable most of the time.

A distro name and version is unique, the author does not enter into it. PAUSE enforces that every distro must have a version, and that the version is not reused. Correct me if I'm wrong.

@rwstauner

This comment has been minimized.

Show comment
Hide comment
@rwstauner

rwstauner May 7, 2013

Member

To be accurate, what PAUSE enforces is that file names are unique per author with the exception of files that count as documentation. For consistency and sanity it is suggested that you simply append a version to other files (in order to make them unique). Additionally PAUSE doesn't currently care about distribution names (it just unpacks them and parses what's inside). There is nothing that restricts two authors from uploading the same foo-bar-0.1.tar.gz. See also #797.

The URL is predictable so if your specfile can dynamically include the version perhaps you could dynamically include the release managers's PAUSE id? ;-)
That would work more consistently with the current toolchain/ecosystem.

Member

rwstauner commented May 7, 2013

To be accurate, what PAUSE enforces is that file names are unique per author with the exception of files that count as documentation. For consistency and sanity it is suggested that you simply append a version to other files (in order to make them unique). Additionally PAUSE doesn't currently care about distribution names (it just unpacks them and parses what's inside). There is nothing that restricts two authors from uploading the same foo-bar-0.1.tar.gz. See also #797.

The URL is predictable so if your specfile can dynamically include the version perhaps you could dynamically include the release managers's PAUSE id? ;-)
That would work more consistently with the current toolchain/ecosystem.

@daxim

This comment has been minimized.

Show comment
Hide comment
@daxim

daxim May 7, 2013

Discussion in #metacpan opens out into a proposed trial of providing permalinks from a (main) module name + version, not distro name. haarg mentions that cpanm resolves Module::Name@version to a tarball distname. Volunteer needed.

daxim commented May 7, 2013

Discussion in #metacpan opens out into a proposed trial of providing permalinks from a (main) module name + version, not distro name. haarg mentions that cpanm resolves Module::Name@version to a tarball distname. Volunteer needed.

@jquelin

This comment has been minimized.

Show comment
Hide comment
@jquelin

jquelin Feb 18, 2014

That would be awesome to have this kind of author-independent url available in metacpan.
This would allow us to update the download link in our RPM (speaking for Mageia).

jquelin commented Feb 18, 2014

That would be awesome to have this kind of author-independent url available in metacpan.
This would allow us to update the download link in our RPM (speaking for Mageia).

@rwstauner

This comment has been minimized.

Show comment
Hide comment
@rwstauner

rwstauner Mar 17, 2014

Member

The implementation of this would be fairly simple (provide an endpoint that looks for the latest dist and then just redirect to the download url) but the main issue is obviously that this suffers from issues like #796 and #797 (that dist names are not currently unique/reliable/guaranteed).

Member

rwstauner commented Mar 17, 2014

The implementation of this would be fairly simple (provide an endpoint that looks for the latest dist and then just redirect to the download url) but the main issue is obviously that this suffers from issues like #796 and #797 (that dist names are not currently unique/reliable/guaranteed).

@ribasushi

This comment has been minimized.

Show comment
Hide comment
@ribasushi

ribasushi Apr 12, 2014

@shadowcat-mdk This issue is why we can't have nice things ;)

ribasushi commented Apr 12, 2014

@shadowcat-mdk This issue is why we can't have nice things ;)

@tsibley

This comment has been minimized.

Show comment
Hide comment
@tsibley

tsibley Apr 13, 2014

Member

As of the Lyon QA Hackathon a month ago, PAUSE now enforces that the distribution name map to a contained package name on which the author has permissions, otherwise PAUSE won't index it.

Member

tsibley commented Apr 13, 2014

As of the Lyon QA Hackathon a month ago, PAUSE now enforces that the distribution name map to a contained package name on which the author has permissions, otherwise PAUSE won't index it.

@oalders

This comment has been minimized.

Show comment
Hide comment
@oalders
Member

oalders commented Aug 26, 2017

@daxim does this endpoint cover your needs? http://fastapi.metacpan.org/v1/download_url/Plack

@daxim

This comment has been minimized.

Show comment
Hide comment
@daxim

daxim Aug 28, 2017

@oalders: Nope, it doesn't.

  1. http://fastapi.metacpan.org/v1/download_url/DBIx-Class returns status 404. I didn't try any other dist/package name.
  2. The design is wrong for the use case. It says download_url in the URI, but instead of the correct-for-HTTP semantics status 307 and header Location, I get a non-interoperable JSON document. (This is poor design in itself, independent from the problem discussed in this bug. You - as in the designers of this interface - don't have the power to imbue a dumb serialisation with semantics on top. I mean, a human can see that this is supposed to be a hyperlink and special case a user-agent to follow your singular use invention, which leads to anti-Web software with unnecessarily tight coupling and brittle code that breaks easily, but a machine draws a blank here. The correct way to design this is to upgrade to a document format with standardised hypermedia controls, if you insist on JSON, try HAL, or use Link headers. In any case, the link relation cannot be a word.)

daxim commented Aug 28, 2017

@oalders: Nope, it doesn't.

  1. http://fastapi.metacpan.org/v1/download_url/DBIx-Class returns status 404. I didn't try any other dist/package name.
  2. The design is wrong for the use case. It says download_url in the URI, but instead of the correct-for-HTTP semantics status 307 and header Location, I get a non-interoperable JSON document. (This is poor design in itself, independent from the problem discussed in this bug. You - as in the designers of this interface - don't have the power to imbue a dumb serialisation with semantics on top. I mean, a human can see that this is supposed to be a hyperlink and special case a user-agent to follow your singular use invention, which leads to anti-Web software with unnecessarily tight coupling and brittle code that breaks easily, but a machine draws a blank here. The correct way to design this is to upgrade to a document format with standardised hypermedia controls, if you insist on JSON, try HAL, or use Link headers. In any case, the link relation cannot be a word.)
@mickeyn

This comment has been minimized.

Show comment
Hide comment
@mickeyn

mickeyn Aug 28, 2017

Contributor

@daxim the download_url endpoint takes a package name -
http://fastapi.metacpan.org/v1/download_url/DBIx::Class

Contributor

mickeyn commented Aug 28, 2017

@daxim the download_url endpoint takes a package name -
http://fastapi.metacpan.org/v1/download_url/DBIx::Class

@oalders

This comment has been minimized.

Show comment
Hide comment
@oalders

oalders Aug 28, 2017

Member

@daxim this endpoint wasn't added to solve your use case, so there's no need to rain down criticism on the design. I was, however, interested in knowing if it allowed you to work around the issue and get what you needed. Since it doesn't, we'll leave it open.

Member

oalders commented Aug 28, 2017

@daxim this endpoint wasn't added to solve your use case, so there's no need to rain down criticism on the design. I was, however, interested in knowing if it allowed you to work around the issue and get what you needed. Since it doesn't, we'll leave it open.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment