Dependency Mapping Working Group

Also to follow up, we are aware of other solutions that analyze dep files but haven't found one that analyzes a dep file and then resolves the entire dep tree to create a full mapping. If one exists, please point it my way!

The complete dependency scanning service is open source. Tidelift created Libraries.io and all the server etc is open source: https://github.com/librariesio/libraries.io. I don't see any problems with licenses.

It's super awesome to see such an active discussion! Thank you, all, for showing up and sharing about this. I'm also interested, but I don't have a ton to add at the moment.

However, I wonder if it might be better to meet face-to-face to discuss dependency management. I'm planning on setting up a Doodle Poll for next week for an initial WG meeting. If this sounds good to you all, let me know?

Should I set up a Doodle for next week?
  • Yes
  • No
  • Why not on Friday?
  • How about for January?

Libraries.io existed before Tidelift. Tidelift was founded in 2017 according to Google results, and the first commits to the Libraries.io codebase are dated 2014 - https://github.com/librariesio/libraries.io/graphs/contributors I see that the code was created by Andrew Nesbitt, not by Tidelift.

Hi Joel. That value flow graph is just one awesome idea that you're doing. Do you have visualization tools for such a technology tree already?

It's not particularly relevant but @abitrolly is right. Andrew and I joined Tidelift, quickly realised our mistake and left.

What is relevant is that Bibliothecary (and Libraries.io which exposes services that you can use to do some of the work there) supports dependency parsing for ~36 package management ecosystems (I think they've added one more since we joined) and that Tidelift are pretty much bound to continue supporting it because (as far as I know) their tooling requires those services.

It's just one route that the community could explore rather than re-developing everything.

It is really a pity that https://libraries.io/ is not being developed even more intensively. In theory, it is a wonderful opportunity to search the Open Source landscape in a platform-independent way. Many universities and organizations today use public self-hosted Gitlab instances. I can absolutely support this as it breaks the monopoly of GitHub, but unfortunately it is very difficult to search them with a single query. Basically, you have to visit and search for each instance individually. As a result, excellent open-source in untraceable repositories goes undetected and “dies” over time.

It seems like January may be the best option for meeting. Just in case, I've also added slots for next week. Let's see when works best:

Thanks @abitrolly. I did not know that. Perhaps the takeover of Tidelift did not do the project much good then.

Yes, the lack of a simple interface to explore projects on GitLab, sr.ht, Gitee, Pagure, SourceForge sorted by stars and popularity leaves many good projects out of reach. Creating a search engine for those would require some standard API to count those stars and descriptions. Maintaining such an engine requires a real-time calculator of resources spent. Perhaps mapping and calculating such dynamic dependencies on open source services and APIs is a topic for another thread, but still one I'd like to tackle.

Excuse me if this is too forward but in preparation for any working group…work, I took the liberty of setting up a repo to capture the discussion. It also helps to contain the discussion as we go along. This could be after all an open source project. Let me know if there are any issues with this.

That's not too forward, at all! There is no such thing as too forward for these WGs. Good work!

@joelwass @benjam @gunner and @awright - want to fill out the Doodle poll?

I am not too fond of using a proprietary platform for discussing OSS matters when there is already this forum.

@abitrolly we aren't a proprietary platform, we are a public benefit corporation with a mission to sustain open source; part of that is organizing community discussions around sustainability. Happy to share more if you want.

I realized after you were probably talking about GitHub 🙂

I am open, I just assumed there may be some code eventually attached to the working group and that github, although proprietary, is where most developers work and we could get traction.

Yes. It was about GitHub. What is the target audience? All developers or developers who care about open source? Do we include those who contribute to open source and ignore GitHub on purpose, because it is proprietary? How many people like that are out there?

There are also people who contributed in the past, but got restricted by corporate contracts, but this is already off topic.

Looks like the doodle poll results are mostly in! Man, this is hard.

@joelwass and @abitrolly - are there any ways you could make Wednesday the 6th at 2:00? I think that might be the closest time for everyone. Alternatively, Friday the 8th. I've had some feedback from other groups that people are tired before the holidays (2020, right), and I'm hoping to capitalize on the enthusiasm the new year will bring. 🙂

I'll be there no matter the time! Also, what timezone are you referencing?

One day I will understand that timezones matter. EST was what I was referring to. 🙂 Excited you can make it.

Based on some of the responses, I think waiting on determining a location for documents is a good idea. I would love to see something actionable from this working group and personally see this having the possibility to grow into a consortium effort or open-source collaboration. I look forward to joining the call on the 6th to hear from others about what they want to get out of it.

Hope the holidays treat everyone well!