
qpm, a package manager for Qt / QML - bpierre
http://www.cutehacks.com/blog/2015/10/5/say-hello-to-qpm-a-package-manager-for-qtqml
======
baldfat
> qpm is a command line tool for installing and managing dependencies for your
> application. It is based around Qt's .pri file support so everything gets
> compiled into your application binary. No libraries, no plugins, no qt.conf,
> no deploying QML/JS files. Everything gets rolled into your app for easy
> deployment. The tool itself follows the same principle. It's a single static
> binary executable with no dependencies, no config files, and no environment
> variables.

This sounds great. I know the file will actually be larger but I still think
that we have the tendency to think everything should be smaller.

In Linux I think we need to deploy applications not sharing libraries past the
basic frameworks (I don't know where the line should be drawn). Everything in
a folder would make Linux just Linux and it would just work. Uninstalling an
application would be deleting a folder.

This is a platform dependent on Linux, OS X, and Windows with everything
included in a single binary.

~~~
cbd1984
When I upgrade OpenSSL, I want to upgrade one package and have everything get
the benefit. I _do not_ want _anything_ I think is secure to be insecure
because its encryption code wasn't actually upgraded.

That goes for other packages, too.

~~~
baldfat
Well, how do containers work?

~~~
Spivak
They don't -- at least they don't really do anything substantially different.
Depending on the container implementation, they either work by using the
system library, which has all the downsides of shared libraries, or they
bundle their own, which has all the downsides of shipping a potentially old or
insecure version that won't see updates.

------
cheez
This seems like something the qt.io guys should be taking up.

~~~
david_ar
Exactly, I've been thinking for a while that the lack of a package manager is
really holding back qml adoption.

~~~
cheez
I recently spent some time with npm. Holy fuck, that is a gorgeous piece of
shit.

It's gorgeous because it does exactly what it's supposed to do, exceptionally
well.

It's a piece of shit because every little thing you use has 3 billion
dependencies which you have to validate and verify in some manner.

~~~
Touche
> It's a piece of shit because every little thing you use has 3 billion
> dependencies which you have to validate and verify in some manner.

If you mean to prevent breakage, shrinkwrap lets you lock down dependency
versions:
[https://docs.npmjs.com/cli/shrinkwrap](https://docs.npmjs.com/cli/shrinkwrap)

If you mean something else (security?) then I'd probably just not use npm,
because as you said your dependency tree is going to be deep and reviewing all
of that code is impossible.

~~~
cheez
I think that's a consequence of its success. Every little library that anyone
thought of building is up there.

