tools-deps

jyn 2025-10-21T21:47:31.357449Z

this is not really clojure as such, but—i've noticed several linux distros package clojure without packaging the shell wrapper, the one that has -P and such. does anyone know why they do that? would it be possible to convince them to stop?

seancorfield 2025-10-21T22:16:42.554599Z

They really shouldn't be trying to "package" clojure at all, IMO.

🙃 1
seancorfield 2025-10-21T22:17:35.011379Z

They all get it wrong in various ways, and then there are rogue stale versions of the CLI floating around out there.

jyn 2025-10-22T00:47:56.629289Z

tell that to debian ...

practicalli-johnny 2025-10-22T11:28:24.912179Z

Clojure standard library has been packaged in Debian, along with many other Clojure community libraries. They have not yet packaged the Clojure CLI (because no one has done the work yet). This is a similar approach to every other programming language I have seen on Debian (and other Linux distributions) Given Debian is a large community, you cant ask 'Debian' to stop packaging what ever it wants. Just like you cant stop Homebrew maintainers packaging what ever they want. Or control who packages things up for Arch Linux AUR You could get involved with the Debian Clojure team, but as the tone of the post suggests tearing down the work they have done it seems more relevant to invent a time machine to jump back to 1993 and shaping the Debian project so that they do not include certain libraries (I assume there are better uses of a time machine though and you could get voted down anyway). There is nothing that forces anyone using Debian to install any of the Clojure packages. Its the individuals choice to install what ever packages they wish. There is always the option to create your own Linux distribution. There are hundreds (thousands) out there... its all open source after all.

jyn 2025-10-22T12:40:19.480819Z

i didn’t mean to imply that packaging clojure at all was bad, sorry. i was surprised that packaging the CLI was harder then packaging the libraries and assumed that it must not have been done for some ideological reason, which i should not have assumed. it sounds like you’re familiar with this space, do you what work is involved with packaging the CLI?

practicalli-johnny 2025-10-22T16:58:21.147589Z

I have debian linux since 1995 so I was curious to understand concern and if there was an opportunity contribute. I do know someone who was involved in packaging Leiningen for Debian Linux (it was the Clojure build tool they were familiar with at that time) I was surprised to see so many Clojure community libraries packaged. I am not aware if there are technical challenges in packaging the Clojure CLI, its more likely a TODO that no one had chance to do.

👍 1
practicalli-johnny 2025-10-22T17:04:53.151849Z

I would find it useful to have Clojure CLI and Leiningen packages in Debian. I run Debian Linux testing variant, so keeping up with new releases of the Clojure CLI would be more effective than remembering to run its Linux install script 🤣 (I was behind a few minor versions) I am unclear how packaging libraries is helpful, except in the case where people have no (or limited) internet cinnection

👍 1
jyn 2025-10-22T17:40:22.736099Z

yeah, I would also love to install clojure from a package manager, this came up because a friend of mine tried to use my project and build.clj broke because the system package didn’t support –P

jyn 2025-10-22T17:40:53.348189Z

which…was not a failure mode I knew existed lol

seancorfield 2025-10-22T17:43:21.408269Z

Part of the "problem" with Linux packaging of stuff like this is the "we must build everything from source" mentality -- and then, when that runs into problems, creating workarounds in that custom build process instead of working with the Clojure team to figure out the right way to do stuff. The Clojure CLI "build" is essentially bootstrapped off stuff that is already on Maven Central, but the packagers want to build all of that from source as well -- so it ends up being a much more complicated process than the real build process used for Clojure tooling.

seancorfield 2025-10-22T17:44:16.395209Z

That's part of how they get into packaging Clojure libraries (which I think is foolish, given they're already on Maven Central -- and that's how they are consumed for all Clojure devs).

practicalli-johnny 2025-10-22T17:49:56.206629Z

Yes. Its not immediately obvious how the Clojure CLI is actually built. Another thing to discover 😁

seancorfield 2025-10-22T17:52:43.670939Z

Building Clojure itself depends on Spec, and building Spec depends on Clojure -- so that's the first problem they run into I think?

jyn 2025-10-22T18:36:56.496249Z

@seancorfield when you say “bootstrapped off stuff already on Maven Central“ – do you mean that there are .class binary files on maven? or that there’s some kind of bootstrap chain going on where an earlier version compiles the later version?

seancorfield 2025-10-22T18:39:12.748879Z

The JAR files -- containing AOT-compiled code in this case -- are on Maven Central. Clojure itself depends on two other libraries. Both of those libraries depend on Clojure.

👍 1
seancorfield 2025-10-22T18:41:03.350359Z

So "building everything from source" means you need to build a version of Clojure that is "all-in-one". I don't know if there's a specific build script in the Clojure repo that can do that -- depending on the other two repos in source form?

seancorfield 2025-10-22T18:42:25.838549Z

"build from source" make sense with some languages, but not really for anything JVM-based, IMO.

jyn 2025-10-22T19:00:42.599049Z

hm, I see why this is hard, but not why it’s intrinsically hard. The way self-hosted compiled languages normally handle this is to have a “bootstrap compiler” (this corresponds to the JAR on Maven) that can compile all the libraries the compiler depends on as well as the compiler itself. Then you have a “bootstrap chain” going back to a point where the bootstrap compiler was written in a different language (in this case, presumably clojure 1.0 was in java or something like that). I don’t see what the JVM has to do with it.

jyn 2025-10-22T19:02:13.971499Z

like for instance, the way debian compiles Rustc is by using their packaged (binary) 1.86 to compile the newly released 1.87 from source

seancorfield 2025-10-22T19:02:20.886429Z

For JVM languages, Maven or Gradle/Ivy or whatever is the "package manager" and Maven Central is the "repository". Having stuff "packaged" as O/S packages makes no sense.

jyn 2025-10-22T19:02:42.193349Z

rust has its own package manager too!

jyn 2025-10-22T19:02:54.912909Z

i don’t see why maven has to be the only package manager for clojure

seancorfield 2025-10-22T19:03:13.008199Z

Then this is a fairly pointless discussion I guess.

😕 1
seancorfield 2025-10-22T19:05:17.162009Z

Over the years, I've seen so many build-from-source Linux packaging folks mess up Clojure tooling and it just seems so counter-productive. It's the build-the-world-from-source aspect that usually shoots them in the foot, since that's just not the way JVM programs get built in general.

seancorfield 2025-10-22T19:06:29.823409Z

It feels like that whole packaging world is still stuck in the C/C++ world mentality and has not caught up with how CLR / JVM stuff works and avoids so much of that repeated effort.

seancorfield 2025-10-22T19:07:55.057859Z

Anyways... I would never install Clojure from an O/S package manager so I don't really have a dog in this fight and will butt out of this thread...

jyn 2025-10-22T19:09:44.130499Z

the thing that you generally get from “build everything from source” is that you can avoid “trusting trust” attacks https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

jyn 2025-10-22T19:10:42.960859Z

when you say “duplicating effort”, what i hear is you saying that distros should trust the JAR on maven to be correct

jyn 2025-10-22T19:11:21.472399Z

but they don’t! that’s the whole point of a package distro, to have signed packages built by a single trusted party, instead of many different parties

jyn 2025-10-22T19:22:32.812129Z

anyway i should finish writing https://jyn.dev/computer-of-the-future about how to avoid every distro needing to run their own infrastructure just to avoid supply chain attacks