何时(不适合)将依赖项与应用程序捆绑在一起? [英] When is it (not) appropriate to bundle dependencies with an application?
问题描述
摘要
我最近与一个应用程序所依赖的框架的创建者进行了交谈.在交谈中,他还提到,如果我将他的框架与我的应用程序捆绑在一起,并提供给最终用户一个我知道与我的代码一致的版本,那将使我的生活变得更简单.直觉上,我一直试图避免这样做,并且,实际上,我很费力地分割自己的代码,以便可以在不占用整个项目的情况下重新分配部分代码(即使在极少的机会下,任何人都可以重用任何它).但是,在考虑了一段时间之后,我仍然无法提出一个特别好的理由为什么我这样做.实际上,考虑到这一点,我看到了一个非常有说服力的案例,可以捆绑我所有较小的依赖项.我想出了一个利弊清单,希望有人能指出我所缺少的任何东西.
I recently had a conversation with the creator of a framework that one of my applications depends on. During that conversation he mentioned as a sort of aside that it would make my life simpler if I just bundled his framework with my application and delivered to the end user a version that I knew was consistent with my code. Intuitively I have always tried to avoid doing this and, in fact, I have taken pains to segment my own code so that portions of it could be redistributed without taking the entire project (even when there was precious little chance anyone would ever reuse any of it). However, after mulling it over for some time I have not been able to come up with a particularly good reason why I do this. In fact, now that I have thought about it, I'm seeing a pretty compelling case to bundle all my smaller dependencies. I have come up with a list of pros and cons and I'm hoping someone can point out anything that I'm missing.
专业人士
- 版本一致性意味着更轻松测试和故障排除.
- 应用范围可能会更广观众,因为似乎安装的组件更少.
- 对依赖项的小调整更容易在下游制造随应用程序一起提供,而不是等他们渗入上游代码库.
缺点
- 更复杂的包装流程包括依赖项.
- 用户最终可能会获得多份副本对他们的计算机的依赖性.
- 根据bortzmeyer的回答,存在无法升级单个组件的潜在安全问题.
注释
作为参考,我的应用程序是用Python编写的,并且我所引用的依赖项是轻量级的",我所说的依赖项很小,并不常用.(因此,它们并不存在于所有机器上,甚至也不存在于所有存储库中.)当我说与应用程序打包"时,是指在我自己的源代码树下分发,而不是使用驻留在我的软件包中的脚本进行安装,因此没有任何版本冲突的机会.我也只在Linux上进行开发,因此没有Windows安装问题.
For reference, my application is written in Python and the dependencies I'm referencing are "light", by which I mean small and not in very common use. (So they do not exist on all machines or even in all repositories.) And when I say "package with" my application, I mean distribute under my own source tree, not install with a script that resides inside my package, so there would be no chance of conflicting versions. I am also developing solely on Linux so there are no Windows installation issues to worry about.
说了这么多,我也有兴趣听到关于包装依赖性这一更广泛(与语言无关)问题的想法.我缺少什么吗?还是我只是在考虑一个简单的决定而已?
All that being said, I am interested in hearing any thoughts on the broader (language-independent) issue of packaging dependencies as well. Is there something I am missing or is this an easy decision that I am just over-thinking?
附录1
值得一提的是,我对下游包装商的需求也很敏感.我希望将应用程序包装在特定于发行版的Deb或RPM中尽可能简单.
It is worth mentioning that I am also quite sensitive to the needs of downstream packagers. I would like it to be as straightforward as possible to wrap the application up in a distribution-specific Deb or RPM.
推荐答案
我赞成捆绑依赖项,如果将系统用于自动依赖项解析(即setuptools)和如果,则可以在不引入版本冲突的情况下做到这一点.您仍然必须考虑您的应用程序和受众.认真的开发人员或发烧友更可能希望使用特定(最新)版本的依赖项.打包东西可能会让他们讨厌,因为这不是他们期望的.
I favor bundling dependencies, if it's not feasible to use a system for automatic dependency resolution (i.e. setuptools), and if you can do it without introducing version conflicts. You still have to consider your application and your audience; serious developers or enthusiasts are more likely to want to work with a specific (latest) version of the dependency. Bundling stuff in may be annoying for them, since it's not what they expect.
但是,特别是对于应用程序的最终用户,我严重怀疑大多数人喜欢搜索依赖项.至于有重复的副本,我宁愿花费额外的10毫秒来下载一些额外的千字节,或者花费额外的一分钱来占用额外的磁盘空间,而不是花费超过10分钟的时间来搜索网站(这可能是关闭的)),下载,安装(如果版本不兼容可能会失败)等.
But, especially for end-users of an application, I seriously doubt most people enjoy having to search for dependencies. As far as having duplicate copies goes, I would much rather spend an extra 10 milliseconds downloading some additional kilobytes, or spend whatever fraction of a cent on the extra meg of disk space, than spend 10+ minutes searching through websites (which may be down), downloading, installing (which may fail if versions are incompatible), etc.
我不在乎磁盘上有多少个库副本,只要它们不会互相干扰即可.磁盘空间确实非常便宜.
I don't care how many copies of a library I have on my disk, as long as they don't get in each others' way. Disk space is really, really cheap.
这篇关于何时(不适合)将依赖项与应用程序捆绑在一起?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
