andix 4 days ago

Lockfiles are essential for somewhat reproducible builds.

If a transient dependency (not directly referenced) updates, this might introduce different behavior. If you test a piece of software and fix some bugs, the next build shouldn't contain completely different versions of dependencies. This might introduce new bugs.

tonsky 4 days ago | parent | next [-]

> Lockfiles are essential for somewhat reproducible builds.

No they are not. Fully reproducible builds have existed without lockfiles for decades.

its-summertime 4 days ago | parent | next [-]

of distros, they usually refer to an upstream by hash

https://src.fedoraproject.org/rpms/conky/blob/rawhide/f/sour...

also of flathub

https://github.com/flathub/com.belmoussaoui.ashpd.demo/blob/...

"they are not lockfiles!" is a debatable separate topic, but for a wider disconnected ecosystem of sources, you can't really rely on versions being useful for reproducibility

andix 4 days ago | parent [-]

> they usually refer to an upstream by hash

exactly the same thing as a lockfile
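The drift andix describes in the opening comment (a transitive dependency silently moving between builds) and the point made here (a hash-pinned source reference is functionally a lockfile) can both be shown with a toy resolver. The code below is an added illustration, not part of this thread and not any real package manager; the registry, package names, versions and the simplified caret-range rule are all constructed for the example. It resolves ranges newest-first with a first-seen-wins rule (a simplified version of the "closest to root" behaviour mentioned further down), writes a lockfile that pins versions plus a SHA-256 of each artifact, and shows that an unlocked install changes when an upstream publishes a new transitive version while a locked install does not, and that a modified artifact with the pinned version number is rejected.

```python
"""Toy dependency resolver: range resolution vs. a hash-pinned lockfile.

Everything here is constructed for illustration: the registry, the package
names and the 'caret' range semantics are not those of npm, cargo or any
real tool.
"""
import hashlib

# Constructed registry: package -> {version: (artifact bytes, dependency ranges)}.
# Versions are "major.minor"; "^2.0" means same major and >= 2.0 in this toy model.
REGISTRY = {
    "app-lib": {
        "1.0": (b"app-lib-1.0", {"util": "^2.0"}),
    },
    "util": {
        "2.0": (b"util-2.0", {}),
        "2.1": (b"util-2.1", {}),
    },
}

# The manifest lists only the direct dependency; "util" is transitive.
MANIFEST = {"app-lib": "^1.0"}


def _parse(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(version, rng):
    """Caret range: same major component and not older than the stated version."""
    base = _parse(rng.lstrip("^"))
    v = _parse(version)
    return v[0] == base[0] and v >= base


def resolve(manifest, registry):
    """Unlocked resolution: newest version satisfying each range, recursively.

    First-seen wins, i.e. the requirement nearest the root decides a version.
    Returns {name: version}.
    """
    resolved = {}
    queue = list(manifest.items())
    while queue:
        name, rng = queue.pop(0)
        if name in resolved:
            continue
        candidates = [v for v in registry[name] if satisfies(v, rng)]
        chosen = max(candidates, key=_parse)
        resolved[name] = chosen
        queue.extend(registry[name][chosen][1].items())
    return resolved


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def write_lockfile(resolved, registry):
    """Pin each resolved version together with the hash of its artifact."""
    return {name: {"version": ver, "sha256": sha256(registry[name][ver][0])}
            for name, ver in resolved.items()}


def install_locked(lockfile, registry):
    """Install exactly the pinned versions and verify every artifact hash."""
    installed = {}
    for name, entry in lockfile.items():
        data = registry[name][entry["version"]][0]
        if sha256(data) != entry["sha256"]:
            raise ValueError(f"integrity mismatch for {name}@{entry['version']}")
        installed[name] = entry["version"]
    return installed


def _registry_with(name, version, artifact):
    """Copy of REGISTRY with one extra or replaced artifact (simulates an upstream change)."""
    copy = {pkg: dict(versions) for pkg, versions in REGISTRY.items()}
    copy[name][version] = (artifact, {})
    return copy


def drift_without_lock():
    """Resolve, then upstream publishes util 2.2, then resolve again."""
    before = resolve(MANIFEST, REGISTRY)["util"]
    after = resolve(MANIFEST, _registry_with("util", "2.2", b"util-2.2"))["util"]
    return before, after          # returns ('2.1', '2.2')


def no_drift_with_lock():
    """The same upstream change does not affect a locked install."""
    lock = write_lockfile(resolve(MANIFEST, REGISTRY), REGISTRY)
    return install_locked(lock, _registry_with("util", "2.2", b"util-2.2"))["util"]


def tampered_artifact_detected():
    """A changed artifact published under the pinned version number is refused."""
    lock = write_lockfile(resolve(MANIFEST, REGISTRY), REGISTRY)
    try:
        install_locked(lock, _registry_with("util", "2.1", b"util-2.1-modified"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unlocked util before/after upstream release:", drift_without_lock())
    print("locked util after upstream release:", no_drift_with_lock())
    print("tampered artifact rejected:", tampered_artifact_detected())
```

The hash check is what makes a lockfile, or a distro spec that references an upstream tarball by hash, a reproducibility control rather than only a version note: a version string can be re-published with different contents, a content hash cannot.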

andix 4 days ago | parent | prev | next [-]

Sure, without package managers.

It's also not about fully reproducible builds, it's about a tradeoff to get modern package manager (npm, cargo, ...) experience and also somewhat reproducible builds.

chriswarbo 4 days ago | parent [-]

> modern package manger (npm, cargo, ...) experience

Lol, the word "modern" has truly lost all meaning. Your list of "modern package managers" seems to coincide with a list of legacy tooling I wrote four years ago! https://news.ycombinator.com/item?id=29459209

pluto_modadic 4 days ago | parent | prev [-]

...source?

show me one "decades old build" of a major project that isn't based on 1) git hashes 2) fixed semver URLs or 3) exact semver in general.

jedberg 4 days ago | parent | prev [-]

The entire article is about why this isn't the case.

andix 4 days ago | parent [-]

It suggests a way more ridiculous fix, as mentioned by other comments in detail (security patches for transient dependencies, multiple references to the same transient dependency).

yawaramin 4 days ago | parent [-]

The article and various comments in this same thread have explained why these are not real issues because the resolution process picks the version 'closest to root'.