conan
nixpkgs
conan | nixpkgs | |
---|---|---|
111 | 975 | |
7,768 | 15,753 | |
1.4% | 2.8% | |
9.8 | 10.0 | |
8 days ago | 3 days ago | |
Python | Nix | |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
conan
-
Are We Modules Yet?
Silly question: What's the difference between C++20 modules and https://conan.io? (Google was vague, and ChatGPT, you know, sometimes makes things up so I rather ask fellow humans...)
-
The xz attack shell script
Conan is a package manager for C/C++. See: https://conan.io/.
The way it works is that you can provide "recipes", which are Python scripts, that automate the process of collecting source code (usually from a remote Git repository, or a remote source tarball), patching it, making its dependencies and transitive dependencies available, building for specific platform and architecture (via any number of build systems), then packaging up and serving binaries. There's a lot of complexity involved.
Here are the two recipes I mentioned:
libcurl: https://github.com/conan-io/conan-center-index/blob/master/r...
OpenSSL v3: https://github.com/conan-io/conan-center-index/blob/master/r...
Now, for the sake of this thread I want to highlight three things here:
- Conan recipes are usually made by people unaffiliated with the libraries they're packaging;
- The recipes are fully Turing-complete, do a lot of work, have their own bugs - therefore they should really be treated as software comonents themselves, for the purpose of OSS clearing/supply chain verification, except as far as I know, nobody does it;
- The recipes can, and do, patch source code and build scripts. There's supporting infrastruture for this built into Conan, and of course one can also do it by brute-force search and replace. See e.g. ZLib recipe that does it both at the same time:
https://github.com/conan-io/conan-center-index/blob/7b0ac710... -- `_patch_sources` does both direct search-and-replace in source files, and applies the patches from https://github.com/conan-io/conan-center-index/tree/master/r....
Now, good luck keeping track of what's going on there.
-
My first Software Release using GitHub Release
There were various approaches recommended depending on our language and ecosystem. My classmates who developed using Node.js were recommended npm, and PyPI or poetry for Python. Since my program is written in C++, I was recommended to look into one of vcpkg or conan, but I ultimately did not use either package manager.
-
Anyone else frustrated with Conan2?
Hi u/instinkt900, Conan maintainer here. Thanks for your feedback! Please remember that we actively monitor and respond to our issue tracker on GitHub (https://github.com/conan-io/conan/issues/new/choose), we’d love to hear about your specific use cases or pain points, so that we can improve your experience and that of other users. The motivation behind most of the updates in Conan 2.0 was precisely feedback from the community, and to improve our ability to continue delivering features in the constantly changing C++ ecosystem. We can certainly do this at a quicker pace, with some exciting new features recently released and in the pipeline: package metadata, transparent backup of downloaded package sources, cache least-recently-used cleanup, etc. A lot of the big decisions that we took for Conan 2.0 were taken with consensus from expert users and contributors (https://conan.io/tribe) and https://github.com/conan-io/tribe. Some specific workflows may not have 1:1 replacements in Conan 2.0, and are likely to affect some of the “less travelled roads” of Conan 1.x, including some features that were always marked as experimental. We are happy to hear feedback so that we can best satisfy these use cases. Conan 2.0 also includes a more sophisticated API to cover cases where the built-in integrations may not satisfy users needs. For what it’s worth - we have also heard very positive feedback from users about how Conan 2.0 simplifies their workflows when compared to Conan 1.x. The C++ tooling ecosystem is fragmented and moves at different speeds, including our users. So it’s always a fine balancing act, but we don’t want to leave anyone behind! An example is Conan Center - over 90% (~1200) of all recipes have been migrated to support Conan 2.0, while still maintaining compatibility with Conan 1.x, precisely to avoid breaking users that are still on Conan 1.x.
-
OpenSSL as a git submodule?
Solution: don't use git submodules - use a package manager like Conan or vcpkg.
-
Writing a Package Manager
The closest thing we have at the moment is conan[1]. It’s a cross platform package manager that attempts to implement “toolchains”, whereby different build systems can be integrated[2]. This is a big problem with package management in C/C++, there’s no single, standardised build system that most projects use. There isn’t even a standardised compiler! So when hosting your own packages using Conan, often you need to make sure you build your application for three different compilers, for three different platforms. Sometimes (for modern MacOS) also for two different architectures each.
If you control the compiler AND build system you can get away with just one package for most cases. This true for Microsoft’s C/C++ package manager, NuGet[3]
Historically, the convention has been to use the package manager of the underlying system to install packages, as there are so many different build configurations to worry about when packaging the libraries. The other advantage of using the system package manager is that dependencies (shared libraries) that are common can be shared between many applications, saving space.
[1] https://conan.io/
-
Building libraries, when it's Not going as planned
Anyway, the problems are today starting to get fewer, as more an more adopt standard cross-platform portable build systems, a.k.a. CMake and package managers such as vcpkg or Conan. Together this will take care of building, installing, linking and using the entire dependency tree.
-
Help with Building Crypto++
Simply use a package manager: Crypto++ is available on both vcpkg and Conan.
-
Is there an easy installer for wxWidgets like there is for Qt?
If you want a specific version or provide a more integrated workflow that is easier to use across platforms and among many developers, use a package manager like vcpkg or Conan.
-
Good gui libraries for simple note taking app with sqlite database?
I do however always recommend using a package manager: vcpkg or Conan to install and integrate third party libraries (together with CMake). This normally solves all the typical problems with dependencies.
nixpkgs
-
Nix: The Breaking Point
I don't think so. The article is probably intended for the Nix community, so the author doesn't need to convince HN that something is going on. If as an outsider you are interested then you need to look into it yourself, the community has no obligation to make their internal conflicts legible to the outside world.
As an outsider myself, it certainly looks like something is going on as more than 20 Nixpkg maintainers left in a week: https://github.com/NixOS/nixpkgs/issues?q=label%3A%228.has%3...
- Maintainers Leaving
-
Air Force picks Anduril, General Atomics to develop unmanned fighter jets
https://github.com/NixOS/nixpkgs/commits?author=neon-sunset
-
Eelco Dolstra's leadership is corrosive to the Nix project
I see two signers in the top 6 displayed on https://github.com/NixOS/nixpkgs/graphs/contributors
-
3rd Edition of Programming: Principles and Practice Using C++ by Stroustrup
For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...
For example,
```
- NixOS/nixpkgs: There isn't a clear canonical way to refer to a specific package
-
NixOS Is Not Reproducible
Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...
-
The xz attack shell script
I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...
-
Debian Git Monorepo
NixOS uses a monorepo and I think everyone's love it.
I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.
Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.
https://github.com/NixOS/nixpkgs
-
From xz to ibus: more questionable tarballs
In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].
[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...
[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...
What are some alternatives?
Vcpkg - C++ Library Manager for Windows, Linux, and MacOS
asdf - Extendable version manager with support for Ruby, Node.js, Elixir, Erlang & more
meson - The Meson Build System
Home Manager using Nix - Manage a user environment using Nix [maintainer=@rycee]
Ncurses - ncurses Git mirror
git-lfs - Git extension for versioning large files
Boost.Program_options - Boost.org program_options module
easyeffects - Limiter, compressor, convolver, equalizer and auto volume and many other plugins for PipeWire applications
xmake - 🔥 A cross-platform build utility based on Lua
spack - A flexible package manager that supports multiple versions, configurations, platforms, and compilers.
jarro2783/cxxopts - Lightweight C++ command line option parser
waydroid - Waydroid uses a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.