Bundle Management improvements?

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Bundle Management improvements?

dangerwillrobinsondanger
Hi all,

Are there any plans to have a better bundle ecosystem?
What Eclipse has is better than nothing.
What Sublime has is nice.
What Atom has is fabulous.
What TM has now is almost nothing :|

The features that stand out to me immediately are:
Github hosting
In-app searching and installing
CLI searching and installing.
Notification of outdated or deprecated bundles.
Better bundle dev tooling and docs.
Ultimately, some corporate backing wouldn't hurt.

Thoughts?



_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

Claudia Pellegrino
Hi,

The features that stand out to me immediately are: […] CLI searching and installing.
Caskroom member here. With our recent integration into Homebrew last year, I think Homebrew now brings to the table a big part of what would be needed to manage TM bundles via CLI today.

In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles. A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles. It would contain a number of package files, which essentially point to the individual download URLs of the tmbundles.

This is what the user would do once to tap into the repo:

$ brew tap textmate/bundles
To search for plugins, you’d run:

$ brew tm search arduino
==> Exact Match
tm-arduino
To install a tmbundle, you’d run:

$ brew tm install arduino
If more than three people find this useful, I’ll be happy to piece together a small PoC.

Regards,
Claudia

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

dangerwillrobinsondanger
I think this would be super useful.
Especially, if there is a way to create a syncable set.

More specifically, I would like to be able to create "working sets of bundles".
Not only in TM but in other editors too, the plugin world gets out of control.
I do actually want the plugins for 10 or more different languages, but having them all installed at once doesn't always work out well.


> On Jul 3, 2017, at 22:51, Claudia Pellegrino <[hidden email]> wrote:
>
> Hi,
>
> The features that stand out to me immediately are: […] CLI searching and installing.
> Caskroom member here. With our recent integration into Homebrew last year, I think Homebrew now brings to the table a big part of what would be needed to manage TM bundles via CLI today.
>
> In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles. A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles. It would contain a number of package files, which essentially point to the individual download URLs of the tmbundles.
>
> This is what the user would do once to tap into the repo:
>
> $ brew tap textmate/bundles
> To search for plugins, you’d run:
>
> $ brew tm search arduino
> ==> Exact Match
> tm-arduino
> To install a tmbundle, you’d run:
>
> $ brew tm install arduino
> If more than three people find this useful, I’ll be happy to piece together a small PoC.
>
> Regards,
> Claudia
>
> _______________________________________________
> textmate mailing list
> [hidden email]
> http://lists.macromates.com/listinfo/textmate


_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

ryan fitzer
In reply to this post by Claudia Pellegrino
> To install a tmbundle, you’d run:
>
> $ brew tm install arduino
> If more than three people find this useful, I’ll be happy to piece together a small PoC.

This would extremely useful. I use Homebrew for so much already. Having it for bundles would a huge benefit.

Ryan

On Jul 4, 2017, at 1:51 AM, Claudia Pellegrino <[hidden email]> wrote:

Hi,

The features that stand out to me immediately are: […] CLI searching and installing.
Caskroom member here. With our recent integration into Homebrew last year, I think Homebrew now brings to the table a big part of what would be needed to manage TM bundles via CLI today.

In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles. A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles. It would contain a number of package files, which essentially point to the individual download URLs of the tmbundles.

This is what the user would do once to tap into the repo:

$ brew tap textmate/bundles
To search for plugins, you’d run:

$ brew tm search arduino
==> Exact Match
tm-arduino
To install a tmbundle, you’d run:

$ brew tm install arduino
If more than three people find this useful, I’ll be happy to piece together a small PoC.

Regards,
Claudia

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

Akakie
I use Textmate and Brew. Linking them sounds good.

On Tue, Jul 4, 2017 at 11:03 AM, Ryan Fitzer <[hidden email]> wrote:
> To install a tmbundle, you’d run:
>
> $ brew tm install arduino
> If more than three people find this useful, I’ll be happy to piece together a small PoC.

This would extremely useful. I use Homebrew for so much already. Having it for bundles would a huge benefit.

Ryan

On Jul 4, 2017, at 1:51 AM, Claudia Pellegrino <[hidden email]> wrote:

Hi,

The features that stand out to me immediately are: […] CLI searching and installing.
Caskroom member here. With our recent integration into Homebrew last year, I think Homebrew now brings to the table a big part of what would be needed to manage TM bundles via CLI today.

In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles. A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles. It would contain a number of package files, which essentially point to the individual download URLs of the tmbundles.

This is what the user would do once to tap into the repo:

$ brew tap textmate/bundles
To search for plugins, you’d run:

$ brew tm search arduino
==> Exact Match
tm-arduino
To install a tmbundle, you’d run:

$ brew tm install arduino
If more than three people find this useful, I’ll be happy to piece together a small PoC.

Regards,
Claudia

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate



_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

dangerwillrobinsondanger
I am actually trying to avoid using homebrew.
There are lots of great things in homebrew but a few flaws are definitely the assumptions about the path and also the total lack of vetting.
Homebrew wants to own /usr/local as if nothing else is there.
Mac Ports on the other hand is a bit more careful to use an uncommon path in /opt and that is pretty valuable to me.

Many package managers do not really have strong vetting or security policies. Homebrew is one of those.
Mac Ports is also not great at that.

It would be great if there were more guarantees than just whatever is on github and visible to homebrew.

A directory of sorts to work with would be great but I feel like this is clearly a modern and missing feature, I am just not sure unmanaged homebrew github repos is the thing.
I would like to hear more before people just jump on the convenience.


On Jul 7, 2017, at 12:02, Lewis Overton <[hidden email]> wrote:

I use Textmate and Brew. Linking them sounds good.

On Tue, Jul 4, 2017 at 11:03 AM, Ryan Fitzer <[hidden email]> wrote:
> To install a tmbundle, you’d run:
>
> $ brew tm install arduino
> If more than three people find this useful, I’ll be happy to piece together a small PoC.

This would extremely useful. I use Homebrew for so much already. Having it for bundles would a huge benefit.

Ryan

On Jul 4, 2017, at 1:51 AM, Claudia Pellegrino <[hidden email]> wrote:

Hi,

The features that stand out to me immediately are: […] CLI searching and installing.
Caskroom member here. With our recent integration into Homebrew last year, I think Homebrew now brings to the table a big part of what would be needed to manage TM bundles via CLI today.

In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles. A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles. It would contain a number of package files, which essentially point to the individual download URLs of the tmbundles.

This is what the user would do once to tap into the repo:

$ brew tap textmate/bundles
To search for plugins, you’d run:

$ brew tm search arduino
==> Exact Match
tm-arduino
To install a tmbundle, you’d run:

$ brew tm install arduino
If more than three people find this useful, I’ll be happy to piece together a small PoC.

Regards,
Claudia

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate

_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate


_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate



_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

Josh Lubaway
Hi,

I am also interested in Bundle development from time to time.

 > The features that stand out to me immediately are:
 > Github hosting

I think almost all of the bundles are hosted on GitHub at:
https://github.com/textmate/

 > In-app searching and installing

If you open up preferences and then click on "Bundles", you can search
for and install bundles in the app!

 > Many package managers do not really have strong vetting or security
 > policies. Homebrew is one of those.

Thanks for pointing this out! I agree that in 2017 we should be taking
security seriously. I'd love to learn though, what are some good ways to
set up vetting and security policies?

When I created a Homebrew (Cask?) I actually added `sha256 :no_check` to
the definition because the Elixir bundle does not have any "releases" or
"tags" yet :( https://github.com/claui/homebrew-textmate/pull/1/files I
opened an issue asking them to create a stable release.
https://github.com/elixir-lang/elixir-tmbundle/issues/132

Can we disable the `sha256 :no_check` option, and force all packages to
reference a signed release?

Josh

On 7/7/17 7:19 PM, じょいすじょん wrote:

> I am actually trying to avoid using homebrew.
> There are lots of great things in homebrew but a few flaws are
> definitely the assumptions about the path and also the total lack of
> vetting.
> Homebrew wants to own /usr/local as if nothing else is there.
> Mac Ports on the other hand is a bit more careful to use an uncommon
> path in /opt and that is pretty valuable to me.
>
> Many package managers do not really have strong vetting or security
> policies. Homebrew is one of those.
> Mac Ports is also not great at that.
>
> It would be great if there were more guarantees than just whatever is on
> github and visible to homebrew.
>
> A directory of sorts to work with would be great but I feel like this is
> clearly a modern and missing feature, I am just not sure unmanaged
> homebrew github repos is the thing.
> I would like to hear more before people just jump on the convenience.
>
>
>> On Jul 7, 2017, at 12:02, Lewis Overton <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>> I use Textmate and Brew. Linking them sounds good.
>>
>> On Tue, Jul 4, 2017 at 11:03 AM, Ryan Fitzer <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>     > To install a tmbundle, you’d run:
>>     >
>>     > $ brew tm install arduino
>>     > If more than three people find this useful, I’ll be happy to piece together a small PoC.
>>
>>     This would extremely useful. I use Homebrew for so much already.
>>     Having it for bundles would a huge benefit.
>>
>>     Ryan
>>
>>     On Jul 4, 2017, at 1:51 AM, Claudia Pellegrino
>>     <[hidden email]
>>     <mailto:[hidden email]>> wrote:
>>
>>     Hi,
>>
>>     The features that stand out to me immediately are: […] CLI
>>     searching and installing.
>>     Caskroom member here. With our recent integration into Homebrew
>>     last year, I think Homebrew now brings to the table a big part of
>>     what would be needed to manage TM bundles via CLI today.
>>
>>     In fact, anyone is free to create an (unofficial) Homebrew tap for
>>     TextMate bundles. A tap is just a GitHub repo, e. g.
>>     github.com/textmate/homebrew-bundles
>>     <http://github.com/textmate/homebrew-bundles>. It would contain a
>>     number of package files, which essentially point to the individual
>>     download URLs of the tmbundles.
>>
>>     This is what the user would do once to tap into the repo:
>>
>>     $ brew tap textmate/bundles
>>     To search for plugins, you’d run:
>>
>>     $ brew tm search arduino
>>     ==> Exact Match
>>     tm-arduino
>>     To install a tmbundle, you’d run:
>>
>>     $ brew tm install arduino
>>     If more than three people find this useful, I’ll be happy to piece
>>     together a small PoC.
>>
>>     Regards,
>>     Claudia
>>
>>     _______________________________________________
>>     textmate mailing list
>>     [hidden email] <mailto:[hidden email]>
>>     http://lists.macromates.com/listinfo/textmate
>>     <http://lists.macromates.com/listinfo/textmate>
>>
>>     _______________________________________________
>>     textmate mailing list
>>     [hidden email] <mailto:[hidden email]>
>>     http://lists.macromates.com/listinfo/textmate
>>     <http://lists.macromates.com/listinfo/textmate>
>>
>>
>>
>> _______________________________________________
>> textmate mailing list
>> [hidden email] <mailto:[hidden email]>
>> http://lists.macromates.com/listinfo/textmate
>
>
>
>
> _______________________________________________
> textmate mailing list
> [hidden email]
> http://lists.macromates.com/listinfo/textmate
>


_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bundle Management improvements?

Claudia Pellegrino
In reply to this post by dangerwillrobinsondanger
Hi,


> Homebrew wants to own /usr/local as if nothing else is there. 

That’s what Homebrew _used_ to do. These times are long gone.

(FULL DISCLOSURE for anyone who’s late to the party: Caskroom member here, with a few ties to the Homebrew project.)

I have also used MacPorts, and I see how you prefer the `/opt` approach. Homebrew has come a long way to play as nice with everyone as MacPorts does today. Homebrew now lives exclusively in `/usr/local/Homebrew`. It installs packages into `../Cellar` and `../Caskroom`, and occasionally into `/opt` if it makes more sense. Anything else in `/usr/local` is free for anyone. I believe that for a package manager, this behavior is adequately modest.

If you’re unsatisfied with the fact that Homebrew puts individual things into `/usr/local/bin` and under `/usr/local/lib`, then you might want to consider that the FHS has made them for exactly that purpose. Package managers on most Unix-ish OSes keep some stuff inside `/usr/local/bin` and `/usr/local/lib` because that’s what those directories were made for.

With `brew link`, Homebrew invites all and any software to make use of its infrastructure, such as creating and maintaining symlinks for you so your software won’t have to. That’s purely optional though; anyone is free to completely ignore Homebrew, and have their software do its thing anywhere at their own discretion, and that includes `/usr/local`.


> Many package managers do not really have strong vetting
> or security policies. Homebrew is one of those.

This is actually a quite important point you’ve made; I wish more people were aware of this!

You are mostly correct, The Homebrew project is one of those package managers for a reason. Homebrew doesn’t want to be a software discovery service. Instead, it wants Homebrew users to make their own informed decisions as to whether they want to install a particular package or not.

If `foobinator` is a known spyware, but at the same time notable and popular enough that users want a `foobinator` formula to be in Homebrew, then in Homebrew that formula be.

The bottom line for users is: Do your homework before you decide to trust a particular software, with or without Homebrew. Homebrew wants that decision to be up to you, and only you.

That said, Homebrew does have vetting processes in places. Not only does it support GnuPG signatures, it also enforces SHA256 hash verification for all formulas who include such a hash, which most formulas do. Whenever a formula needs to be updated, the tap maintainer double-checks that it still points to the same trusted upstream domain. The maintainer also downloads the payload from that trusted source, and verifies the updated SHA256 matches the downloaded file. This is not to make any guarantees that the software is safe to use. It is for you to be sure that you’re installing the exact same thing the tap maintainer has personally downloaded from an official source of the upstream package.

Speaking of trust, my impression so far is that contributors are vetted quite carefully before they are granted commit access. Even when such access is granted, the project’s GitHub repos enforce reviews before anything gets merged into master branches, which are also the branches that get released to the public. Recently, the Caskroom organization has introduced a policy that requires every maintainer to use 2FA for their GitHub account.

Of course, none of all those measures will guarantee 100 % security. Nor will any of it withstand any sufficiently sophisticated attack. But it’s enough to make me personally feel very safe using Homebrew and all its official taps. (CAUTION: as I have already stressed a number of times, the `claui/textmate` tap is NOT an official Homebrew tap, and will probably never be.)


> I am just not sure unmanaged homebrew github repos is the thing.

I can’t think of a reason for anyone to use an unmanaged tap. It absolutely needs to be properly maintained.

Until some individual or organization is going to step up and adopt the tap, or we as a community figure out that a Homebrew tap might not fit our bill at all, I’ll gladly continue to help maintain it in the meantime as my time allows. Needless to say, I’m committed to the same standards and degree of diligence as I’d expect from any maintainer of a source from which I download and install executable software.

What the repo needs most right now is more contributors and more maintainers. It needs people to add content so it becomes actually useful, and make people try it out. More maintainers means that we’d have forced reviews enabled for the entire master branch similar to the official taps, including veto rights for every maintainer. This is very important for security; as of right now, the repo is not safe to use because it requires users to trust me personally. Being a sole maintainer means nobody can guarantee that every commit, including my own, gets actually reviewed.


> I would like to hear more before people just jump on the convenience.

I fully agree, and I’m looking forward to discuss this further.


Regards,
Claudia



> ------------------------------
>  
> Message: 2
> Date: Fri, 7 Jul 2017 16:19:42 -1000
> From: ???????  
> To: TextMate users  
> Subject: [TxMt] Re: Bundle Management improvements?
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>  
> I am actually trying to avoid using homebrew.
> There are lots of great things in homebrew but a few flaws are definitely the assumptions  
> about the path and also the total lack of vetting.
> Homebrew wants to own /usr/local as if nothing else is there.
> Mac Ports on the other hand is a bit more careful to use an uncommon path in /opt and that  
> is pretty valuable to me.
>  
> Many package managers do not really have strong vetting or security policies. Homebrew  
> is one of those.
> Mac Ports is also not great at that.
>  
> It would be great if there were more guarantees than just whatever is on github and visible  
> to homebrew.
>  
> A directory of sorts to work with would be great but I feel like this is clearly a modern  
> and missing feature, I am just not sure unmanaged homebrew github repos is the thing.  
> I would like to hear more before people just jump on the convenience.
>  
>  
> > On Jul 7, 2017, at 12:02, Lewis Overton >  
> wrote:
> >
> > I use Textmate and Brew. Linking them sounds good.
> >
> > On Tue, Jul 4, 2017 at 11:03 AM, Ryan Fitzer >  
> wrote:
> > > To install a tmbundle, you?d run:
> > >
> > > $ brew tm install arduino
> > > If more than three people find this useful, I?ll be happy to piece together a small PoC.  
> >
> > This would extremely useful. I use Homebrew for so much already. Having it for bundles  
> would a huge benefit.
> >
> > Ryan
> >
> > On Jul 4, 2017, at 1:51 AM, Claudia Pellegrino >  
> wrote:
> >
> > Hi,
> >
> > The features that stand out to me immediately are: [?] CLI searching and installing.  
> > Caskroom member here. With our recent integration into Homebrew last year, I think  
> Homebrew now brings to the table a big part of what would be needed to manage TM bundles  
> via CLI today.
> >
> > In fact, anyone is free to create an (unofficial) Homebrew tap for TextMate bundles.  
> A tap is just a GitHub repo, e. g. github.com/textmate/homebrew-bundles .  
> It would contain a number of package files, which essentially point to the individual  
> download URLs of the tmbundles.
> >
> > This is what the user would do once to tap into the repo:
> >
> > $ brew tap textmate/bundles
> > To search for plugins, you?d run:
> >
> > $ brew tm search arduino
> > ==> Exact Match
> > tm-arduino
> > To install a tmbundle, you?d run:
> >
> > $ brew tm install arduino
> > If more than three people find this useful, I?ll be happy to piece together a small PoC.  
> >
> > Regards,
> > Claudia
> >
> > _______________________________________________
> > textmate mailing list
> > [hidden email]  
> > http://lists.macromates.com/listinfo/textmate 
> >
> > _______________________________________________
> > textmate mailing list
> > [hidden email]  
> > http://lists.macromates.com/listinfo/textmate 
> >
> > _______________________________________________
> > textmate mailing list
> > [hidden email]  
> > http://lists.macromates.com/listinfo/textmate 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:  
>  
> ------------------------------



_______________________________________________
textmate mailing list
[hidden email]
http://lists.macromates.com/listinfo/textmate
Loading...