5 comments

[ 2.7 ms ] story [ 21.3 ms ] thread
Perhaps because I'm unfamiliar with npm, I don't really understand what it's for. What exactly is "package install determinism"?
In short it just means it installs the exact same packages every time. If you write `apt install something` without an explicit version you may get a newer version depending on how recently you've updated your package manager.

Our build server got burned by this because we wrote the line `apt update` within a Docker image. We did this at the time to get the most recent version of a package. Ideally we should have locked the version there, but we weren't really thinking of it until half a year later all our builds started failing. The package inadvertently updated and had breaking changes in it. With apt-lock you don't need to manually specify, you can just install once and then every reinstall will be the same (such as in a Docker image, or a new member joins your team and you're setting up their machine).

> limitations > Written in Node.js and packaged into an executable with nexe, so it's huge. Sorry it's not written in C.

> future work > Rewrite in C or C++ to make it considerably smaller

if all it does is install via apt, record the version, and then refer to the lock file the next time it's called, why on earth would you use C?

I'd be surprised if you need more than ~50 lines of shell to do that, including help output, error handling, etc

Great point! Honestly I only started using linux back in October and my shell experience is still pretty limited, but growing.
For deb based distros at least all the tool needs to do is `apt-get install foo=x.y.z; apt-mark hold foo`