Github is great, they're working on some serious problems, and every service has downtime.
But this is getting pretty serious.
This is the 3rd time in these last few weeks there has been a "significant service outage"
So much of a typical dev workflow is based around github, but more importantly a lot of new package managers use github as a base. Not being able to pull dependencies is a fairly big problem.
I will continue to use github, because they're awesome. At the same time, we're going to have to start building around it to ensure our uptime isn't reliant on their (less than optimal) uptime.
I've found it somewhat odd how, although advocating the use of a decentralized version control system, much of the git community has ended up heavily centralized on GitHub.
Yup, when github barfs, you can still happily keep on hacking.
You're also not limited to one shared repo by any means, so even synchronization between multiple developers can continue when github is down. To avoid problems it's of course a good idea when one of the repos is a "master", and if using a secondary repo for synchronization when the master is down, you'll probably want to switch to unique temporary branches for the purpose.
Another possible backup is any host on the internet. Seriously, dump it into a static file directory on any old web server or run a trivial git server. Send deltas with patch files. It's not even harder than github is, just uglier.
If you want to use your own servers, Atlassian (who own Bitbucket) recently released Stash, a competitor to Github Enterprise. Pricing is very good and if you have a commercial license, you also get the source code.
perhaps there maybe a way to somehow sync-up github w/ bitbucket to act as a single master origin. so we can use either or and they'll be synchronized automatically. or some company that can just act as a mirror to github would be great.
So setup 1 small git server that mirrors your most critical repositories which devs can failover to in the event GitHub is down _exactly_ when you need to integrate changes.
I wouldn't call this "building around" GitHub. Git's nature promotes this kind of thing.
This is what I think may be their biggest problem. Because of the outages, and due to my own stupidity, I have been caught with my pants down twice because Github was always just up. And then I thought, well, lesson learned, they won't go down again, and ker-pow (I'm stupid like that).
So I have had to create a secondary remote, and for private projects, it's really easy to do so. Which is kinda problematic, because those are the accounts that keep the lights on for Github. If I have to cut budget, it's a lot more likely now that I would consider cutting the private repos.
I just hope they figure this out soon, so I can forget about how easy it was.
The beauty of decentralized version control is a node going down doesn't kill your workflow. In a pinch, you could use git bundle to exchange commits with other developers:
Yeah, don't do that. As a scala/maven guy it kills me to see all these package managers making the same mistakes we already solved, over and over again.
Because it's tying you to an unreliable third-party service, and there's no way to mitigate it. Artifact dependencies really shouldn't be in the same place as source, they fulfil different roles.
What you want is a dedicated repository format. Libraries can still be hosted by whoever maintains them on their own repository (which can be their own piece of software as long as it follows the standards), or in the community central repository. But either way, if you depend on those libraries and want to lower your risks, it's trivial to set up a local mirror and make sure all your third party dependencies come in via this mirror. That way if their repository goes down temporarily or permanently it's no problem, and you ensure your builds remain reproducible.
The most infuriating part is, the software to do this already exists. If you want to start a new language, great. But please, use maven; otherwise you are doomed to re-invent it, poorly.
Because it's tying you to an unreliable third-party service, and there's no way to mitigate it.
> Sure GitHub has been having some problems recently, but they are all-in-all massively reliable.
> Artifact dependencies really shouldn't be in the same place as source, they fulfil different roles.
Seems like a dogmatic point - why is this advantageous?
More importantly, there is a reason people do this - they want a zero-effort way to use certain branches, tags, etc. They want source.
>What you want is a dedicated repository format.
Again, seems dogmatic. What advantage does one format have over the other.
> in the community central repository
and now we have single point of failure again, but I also have to wait for someone to either upload, or set up an automated solution to upload, the version I want. There's a reason people use the source for this.
> it's trivial to set up a local mirror and make sure all your third party dependencies come in via this mirror
Nightmare. We actually do do this - we maintain a nexus instance on EC2. Its a fairly awful experience. We wouldn't use it if there was a way in leiningen to use git, and if maven wasn't so slow at getting dependencies.
> That way if their repository goes down temporarily or permanently it's no problem, and you ensure your builds remain reproducible.
Definitely a real problem. But there are real tradeoffs here.
> The most infuriating part is, the software to do this already exists. If you want to start a new language, great. But please, use maven; otherwise you are doomed to re-invent it, poorly.
I use maven on a daily basis. Its not great to be honest, and comes with a massive amount of baggage, including the SNAPSHOT stuff which is awful, and a lot of things tied to java. Rubygems are a significantly better experience, are a lot more usable, and have some really good features like being able to use Github links :)
> Sure GitHub has been having some problems recently, but they are all-in-all massively reliable.
Meh. They've been down more often and for longer than my local nexus. Sometimes it's worth depending on a third-party service, if the benefits outweigh the cost - but there certainly is a cost.
>I also have to wait for someone to either upload, or set up an automated solution to upload, the version I want.
This should be cheap and easy; I think a lot of people misunderstand the point of maven releases - they're not meant to correspond 1:1 to your public "releases", they're for any case where you need a stable, reproducible build.
And do you really want to depend on some random development revision of a given library? Maybe there's a different community norm for Ruby, but if you tried that on one of my projects odds are it wouldn't even compile.
>Nightmare. We actually do do this - we maintain a nexus instance on EC2. Its a fairly awful experience.
Really? My experience is that Nexus is one of the simplest things to run that there is - just run the jar and... yeah, that's pretty much it. What problems have you had? (It's not that I don't believe you, I'm just surprised, and maybe they're things I should be watching out for myself).
>the SNAPSHOT stuff which is awful, and a lot of things tied to java.
It is quite tied to Java (I use it with pure scala but I guess that's similar). What's wrong with the approach to SNAPSHOTs?
Agreed, but don't pretend there isn't a cost to maven. You need to maintain your own nexus server. You rely on others to do things which - though "cheap and easy" - are not going to be done by 99% of people out there.
> do you really want to depend on some random development revision of a given library
You can also depend on a particular branch or tag, which people already do. Now adding a tag in git is equivalent to publishing a versioned library! Magic!
> My experience is that Nexus is one of the simplest things to run that there is
I find the software complex and difficult to use. All I want to do is use my own jar with my own project, and I have to wade through an unintuitive, difficult to use, edge-case ridden web app that I have to maintain myself? Honestly, this has been the worse part of my clojure experience (learning emacs was less painful and more rewarding).
> What's wrong with the approach to SNAPSHOTs
Maven - if I understand this correctly and I would not be surprised if there was some arcana which prevents me from doing so - expects each version to immutable. So when SNAPSHOTs change, I end up deleting my .m2 directory to figure it out.
But even if this were somehow good, why would people use maven for Ruby? They're different languages, ecosystems, etc. It doesn't even make any sense.
You don't need to maintain your own if you don't want to; you can fetch from remote repositories (and unless you're using something esoteric you only need to use one, all major libraries are in central).
>You rely on others to do things which - though "cheap and easy" - are not going to be done by 99% of people out there.
It takes the whole community committing to it, but 99% of Java people will make maven releases for any build they intend for public consumption.
>You can also depend on a particular branch or tag, which people already do. Now adding a tag in git is equivalent to publishing a versioned library! Magic!
Few things in software are worse than magic. I guess I'm advocating a little friction here, just for the sake of safety; it works better if people take make an easy but explicit choice that some builds are for others to use and some builds are not. Again I guess that's a matter of community norms.
>I find the software complex and difficult to use. All I want to do is use my own jar with my own project, and I have to wade through an unintuitive, difficult to use, edge-case ridden web app that I have to maintain myself?
Like with hosting or version control or anything, you will probably want to host your own sooner or later, but you can start off by using someone else's. And FWIW I have an opposite view on the UI, though without concrete examples there's probably no point talking further.
>Maven - if I understand this correctly and I would not be surprised if there was some arcana which prevents me from doing so - expects each version to immutable. So when SNAPSHOTs change, I end up deleting my .m2 directory to figure it out.
I don't know what you were doing wrong, but that's not a normal problem. When you build something that depends on a snapshot maven will by default refetch it if it hasn't for a certain time; if you use -U it will always refetch it, if you're using offline mode it will always use your local copy.
>But even if this were somehow good, why would people use maven for Ruby? They're different languages, ecosystems, etc. It doesn't even make any sense.
Maven is very flexible and plugin-based, and a lot of things e.g. the repository, the release process, various plugins could work the same. Obviously it would only work if a whole language ecosystem adopted it, it's probably too late for Ruby.
I'm not 100% positive on the specifics, but I've never seen it used. I suspect its not possible.
(context: I make https://circleci.com - a continuous integration company for web apps, often Rails. We occasionally get support requests that allow/ask us to look at Gemfiles, so I've seen an above average number of Gemfiles. However, I more often see the stdout of the `bundle install` command, which shows GitHub being accessed).
You can also specify multiple gem sources (http://gembundler.com/v1.2/gemfile.html), but usually only rubygems.org is used unless you need a private geù repository.
Yeah the question is, can you specify to grab rails from github with a fallback if it is not up? So the same system it seems to be using with multiple gem sources but on a gem by gem basis like you would do with a github repo.
Many other companies are able to implement web services without the reliability issues GitHub has experienced. As your parent poster explained, some unreliability is always tolerable, but GitHub is starting to cross that threshold. Your list of fallacies does nothing to address that very real complaint.
But this is getting pretty serious.
This is the 3rd time in these last few weeks there has been a "significant service outage"
So much of a typical dev workflow is based around github, but more importantly a lot of new package managers use github as a base. Not being able to pull dependencies is a fairly big problem.
I will continue to use github, because they're awesome. At the same time, we're going to have to start building around it to ensure our uptime isn't reliant on their (less than optimal) uptime.