
I took a look at Ada recently and was disappointed by how they've adopted an NPM-style package management approach. This was seemingly inspired by Rust -- Ada even calls its packages "crates" -- but the "bazillion micropackages owned by Internet randos" structure these tools encourage undermines many of the security benefits of both languages.

Does anyone know if there's a way to get a modern Ada compiler toolchain (and IDE support etc) without depending on this ecosystem?




I do not know the exact rationale of the Alire devs, but Ada already uses (since 83) the word "package" to indicate a module or namespace, so calling dependencies a "crate" seems to avoid confusion with an Ada "package".

The crates of the community index [1] are somewhat vetted because they are added to the index using a PR on GitHub. You're not required to use these external crates though, you can create your own monorepo if you want.

My personal experience has been that a package manager (for any language) makes it much easier to download and build some project.

There's a decent amount of packages in the Ada standard library, but it's not up to the level of Go's. Ada has a subset called SPARK for functional specification and static verification, so you can write, and some of the crates are actually written in SPARK.

It's quite fun to write some parts of the code in SPARK and get it to prove it with the gnatprove tool (which you can get with `alr get gnatprove` and run it on your code with `alr gnatprove`).

AdaCore also has a variant of the runtime library for embedded systems that is partially proven with SPARK [2].

[1] https://github.com/alire-project/alire-index

[2] https://blog.adacore.com/proving-the-correctness-of-gnat-lig...


The GNAT toolchain that Alire installs automatically is built by GitHub Actions runners from the GNAT-FSF-builds [1] repository.

You can download the toolchain as a tarball from the releases page and use it separately if you'd like. If you use Alire, it'll take care of downloading and unpacking the tarball and add it to your PATH when called via alr build.

[1] https://github.com/alire-project/GNAT-FSF-builds/releases


Nice, thanks for the tip!


Seconded, having to grab 9 crates just to get random numbers in Rust is my least favorite thing about the language. As AdaCore and Ferrous Systems work on the safety critical Rust (Ferrocene), I'm hoping they create a vetted and well tested subset of crates.io that I can just install from a tgz.

The fine granularity of dependencies that package managers have facilitated has made air-gapped development logistically very difficult. And it makes safety or security certifications impossible.


> Seconded, having to grab 9 crates just to get random numbers in Rust is my least favorite thing about the language.

I've noticed that crates can often include default features I don't want or need. If you don't include the default features ('cargo add --no-default-features rand' is what I did) then the only other crate pulled in is rand_core. I've gotten into the habit of reviewing the features and only including the ones I need. I don't know if there's a better solution that could be implemented somewhere upstream but this works for me.


Thanks, that is a great tip!


If you don't like rand, don't use it. Frankly, if your goal is "just to get random numbers", rand is the wrong crate. Use fastrand instead, it has zero dependencies.


> The fine granularity of dependencies that package managers have facilitated has made air-gapped development logistically very difficult. And it makes safety or security certifications impossible.

Cargo has a vendor feature: https://doc.rust-lang.org/cargo/commands/cargo-vendor.html

Is there some language ecosystem that is better?


Vendoring is kind of a pain. You start with a toml that has everything you think you'll need, then you grab all that, run it by legal and the IT team and copy it over. You find a new dependency and start again.

Before package managers you ended up with giant pseudo stdlib libraries like boost or eigen and you only needed a tiny piece, but once you brought it over you had it all, and it had no sub dependencies to worry about. Monolithic was easier from a lot of standpoints. Crates.io is exactly what I'd want if I wasn't too worried about safety or security. It is far more productive. But if you make software that other companies use to help make themselves secure, then you are wearing a bullseye these days and it is kind of your job to be paranoid about deep dependency trees.
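Added example, not part of any comment in the thread: one way to shorten the "find a new dependency and start again" loop described above is to diff the already-vetted `Cargo.lock` against the new one, so that only the delta goes to review before the vendor directory is refreshed. The lockfile excerpts, the `helper` crate and its URL, and all checksums are constructed placeholders; the function names are hypothetical.

```python
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"
# Constructed lockfile excerpts; names, versions and checksums are placeholders.
APPROVED = '''
[[package]]
name = "app"
version = "0.1.0"
[[package]]
name = "fastrand"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-aaaa"
'''
CANDIDATE = APPROVED.replace("constructed-aaaa", "constructed-bbbb") + '''
[[package]]
name = "helper"
version = "0.3.0"
source = "git+https://example.invalid/helper#0000000"
[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-cccc"
'''

def parse_lock(text):
    """Map (name, version) -> the string fields of each [[package]] entry."""
    blocks = (dict(re.findall(r'^(\w+) = "([^"]*)"$', b, flags=re.M))
              for b in text.split("[[package]]")[1:])
    return {(f["name"], f["version"]): f for f in blocks}

def review_delta(approved, candidate):
    """List what must be vetted before the vendor directory is refreshed."""
    findings = []
    for (name, version), pkg in sorted(candidate.items()):
        old = approved.get((name, version))
        if "source" not in pkg:
            continue  # path/workspace member: the project's own code
        if pkg["source"] != REGISTRY:
            findings.append(("non-registry-source", name, version))
        if old is None:
            findings.append(("needs-review", name, version))
        elif old.get("checksum") != pkg.get("checksum"):
            findings.append(("checksum-changed", name, version))
    return findings

print(review_delta(parse_lock(APPROVED), parse_lock(CANDIDATE)))
```

A `checksum-changed` finding for an unchanged name and version is the one to stop on: a published crates.io version is immutable, so its lockfile checksum should never differ between two runs.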


Maven and NuGet, specially the ability to ship binary libraries (including C and C++ ones), and have internal company repos where only IT and Legal vetted libraries are made available.


Python is better. You "import random" to get random numbers.


I had similar concerns (also starting with rust). But for languages that could be used in many environments (including embedded) I think a small stdlib is good.

Perhaps there needs to be a separate low-rate-of-change set of reviewed libraries that can be used more easily without dependency explosion.


A small stdlib is good, and any crate that can, should allow for no_std. I think originally the justification for a small stdlib was so that people didn't deprecate parts of it with a better 3rd party lib. They would bring libs into std as it became obvious they were the de facto standard already. They just haven't been terribly aggressive about doing that.

I think if there was a no_std package and stdlib+ vetted and slower to change package (and available through yum or apt or a tgz instead of crates), safety and security critical applications would move towards it more quickly. It would also make air-gapped development networks easier to provision.


Funny how before Alire was a thing, people complained that there was no easy way to take other people's Ada code and add it to one's own software projects.

Now Alire exists and people complain that it's easy to add people's code into their own projects.

You don't even have to use Alire in the first place - every modern Linux distro ships with an Ada compiler - on Fedora just install gcc-gnat and off you go.


AdaCore themselves direct you to use Alire to install what used to be their community edition. You don't have to use any of the crates if you don't want to.


Can you explain please? I'm not familiar with how NPM or Rust crates work, but isn't it the same package structure as used by Python and pretty much any other language with packages? What's the difference?


This is the first time I hear about an Ada package manager. You can always download GNAT, an Ada frontend for GCC, and start coding in a terminal and a text editor. You don't need a package manager and all of the other stuff.



