Vincent Parrett

I care about whether the community can contribute to it or not. The number of delphi developers who consume open source projects AND are willing to contribute to those projects is very small - when you filter those developers who have Go skills the the number would be vanishingly small. For me though the issue with Boss is the complete lack of discoverability - you have to know a package exists to be able to use it, how do I find the available packages for Boss? With dpm and other package managers that have a public repository (eg. nuget, npm, cargo) that is easy - and dpm presents that list of available packages in the IDE (searchable).

I have looked at Boss in the past, I found it odd that it's written in Go and not Delphi. It lacks any means of discovering packages, at least I wasn't able to figure that out?

Accepted, moving on. Did you mean Web of trust - like OpenPGP? https://en.wikipedia.org/wiki/Web_of_trust - I can't imagine how that would work practically in a world wide scenario - we certainly wouldn't be meeting to present our public keys 🤔 In any event, it seems unnecessarily complex when simpler solutions to SPOF exist. Yes, and DPM is absolutely architected to facilitate that (see the second screenshot above). Yep - the source for the DPM website/server is here https://github.com/DelphiPackageManager/DPMGallery (f-react-ui branch) - and it would not be difficult to build/install onsite (though not documented yet). The rest api surface is relatively small (and still evolving) so it's quite conceivable someone could re-implement the server however they like - for example adding authenticated access for downloading packages. The package storage mechanism is abstracted with multiple implementations (Google, Amazon, Bunny.net and FileSystem) so you can choose where the actual package files live. I originally used S3 but that was expensive so moved to bunny.net which at the moment is only costing me $1 per month!

Contructive critique is fine, sarcastic comments like "fixed it for you" is not at all helpful and frankly annoying. I have blogged, posted here and on other forums numerous times, created an RFC repo on github for feedback - but very little input was received and there no proposed distributed designs with any detail (let's use github and all our problems will be solved 🙄). I have been researching package managers for a long time. None are perfect, and dpm certainly isn't nore will it ever be, but it's a lot better than what we have now - getit is really not of any use (other than for installing delphi). I looked at the package managers for most of the major language/tool eco systems out there - and took ideas from all of them. None of the package managers I looked at are distrubuted - can you point to any that are? Distributed sound cool and all - but how do you ensure a) that the package has not been modified by anyone other than the author (Integrity) b) the package is actually from the author (Authenticity) c) that the package actually comes from where it says it does (Provenance). It's difficult enough to do with a central package server, doing so in a distrubuted system would be next to impossible (who is the source of the truth?). DPM does allow you to configure multiple package sources (as to most other package managers) - so you can easily download the package files (or just copy them from the package cache) to a network share and point dpm at that - in fact in some corporate enviroments this would be the only allowed scenario (I have seen this quite a bit with nuget) to avoid supply chain attacks and license issues.

🙄 I'm actively trying to get something going here that is better than what embarcadero will ever offer, what are you doing (apart from picking holes) 🤷‍♂️ Unlike embarcadero, I'm not running on old extremely difficult to fix hardware - it's a virtual machine (proxmox) and backed up regularly. The plan is eventually to move it to a cloud service which could provide the redundancy needed - gotta start somewhere.

It is possible to mitigate these attacks with signed packages and package signature verification. https://github.com/DelphiPackageManager/DPM/issues/19 https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details Ideally a package would be signed by both the developer's certificate and the package servers's (in the case of a public repository). Nuget uses code signing certifcates, which is still a problem open source developers - they cost money and are next to impossible to get as individuals. You could also run your own package server in house and scrutinize each package uploaded before making it available to users. DPM's server does an av scan using clamav - I would like to use something more robust like virustotal but they have limits that cost $$ to increase to practical levels.

Ok, then my fallback answer for everything is 42 Antivirus - some av systems still do weird sh1t even when "disabled". Try adding explicit exclusions for your output folder for live. Also, it's still worth checking folder permissions, perhaps windows updates changed something. Where is the output folder?

Is your machine on an active directory domain? If so it's possible a group policy was applied that changed your permissions. Have a look at the permissions on the output folder.

I wasn't going to bring it up in this thread.. but since you opened the door... I've been working on one for a while now https://delphi.dev - but it's a big project for one person and I have a business to run and a family. Docs - https://docs.delphi.dev/ Source https://github.com/DelphiPackageManager Installer - https://github.com/DelphiPackageManager/DPM/releases (codesigned by VSoft Technologies Pty Ltd). It is working well, but I have yet to implement loading design time packages - the reason for that is a lack of spare time. I did redo the IDE user interface a while back and that part is much easier to use than before (modelled on Jetbrain's Rider nuget support) - I use it daily. DPM supports Delphi XE2 - 12.0 - which should make upgrading to newer delphi versions easy - if the packages you use are available for the newer version of delphi, just open your project in that new version (with dpm installed) and dpm will automatically download and install the packages required for the project (and update search paths accordingly). Packages can be hosted by a package server, or a directory (ie network file share). The website is also a package server - that part is working well, however the ui needs a lot more work so that users can create api keys for pubishing packages. Right now the only packages there are ones I forked and published. The website is an asp.net 8.0 application (because I have a lot of experience with it) with a react front end, using a postgresql db - running on ubuntu server on a vm on one of my servers in Sydney - not ideal for latency for the rest of the world - it is behind cloudfare but api routes are excluded (cloudfare does help as a cdn for the images and javascript). If interest in/usage of the server actually took off I would move it to a cloud host in the US to improve latency (that would require some funding). The actual package files are on a cdn (bunny.net) and are regionally cached, so once someone near you has downloaded a package it is cached on their edge and its fast to download. Right now that's not costing me much but if usage ramps up it would. I went with bunny.net purely because of pricing - but apart from the stupid name it's actually a pretty good service. Recently someone (thanks @Geoffrey Smith ) contributed a tool for creating dpm package definition files (json) and we have been working on that together (it's installed by default now). Geoff created this tool to ease creating package definitions for some commercial libraires he is using. I would love to see more interest in the project and welcome contributions.

No idea, I'm not from there.

https://www.ideracorp.com/brands No idea about the ownership structure

FYI, this forum is not owned or run by embarcadero.

Yep, I'm too lazy to type all those 1's and 0's - life's too short for that!

Thanks for taking the feedback on board. Some comments 1) Move the Readme to the root folder of the repo, that way it shows on github when you vist the repo. 2) Change the Netformat to Source or Src 3) Move the .groupproj to the Source folder. This is probably personal taste, but FStr might be confusing in Delphi code - especially for those coming to a code base and not being familiar with this library - since F is typically used to prefix class Fields. I understand why making it short is attractive.

Nice! I love seeing people think outside the box. I use string interpolation a lot in c# and I really dislike using Format in delphi. Some suggestions 1) Unit Tests - using DUnitX - not just a test application. 2) Prefix the Netformat.pas name with a namespace, eg VoSs2o0o.NetFormat.pas - this will avoid the chance that the unit name conflicts with other libraries ( the unit name is a bit generic). 3) TStr is not a great name for this, perhaps TFormatStr or TStringFormat or something like that would be more descriptive. 4) Restructure the repo to be more organised - see https://www.finalbuilder.com/resources/blogs/advice-for-delphi-library-authors 5) Hex format would be useful. Anyway, Kudos on a great idea.

Confluence is an abomination - full of security holes, new CVE's every week. Our instance has been hacked twice - both times by bitcoin minors, requiring us to build a new vm and restore from backup. We're close to completing our migration away from it thankfully. I'm not sure that Jira JSM is the right way to go, given that Embarcadero doesn't really do support 🤦‍♂️

Depending on what features you need and Delphi version you need, this might work for you https://github.com/VSoftTechnologies/VSoft.HttpClient (has a dependency on https://github.com/VSoftTechnologies/VSoft.CancellationToken).

No that would be pointless - restore from backup onto temp server.

We had the same issue last year, ordered a server in July, turned up in November. At least in our case, this was an upgrade not an emergency replacement. I have to agree - how hard is it to spin up a tempory vm on a cloud service - I suspect there is more to the story but we will probably never know.

Just clone the repo from bitbucket (with git) and use that.

Not sure what changes were made to parts other than Collections and Container - perhaps @Stefan Glienke can chime in here.

Just download v2, change your library/search paths and see what happens when you compile 😉

I guess it depends which features you are using, I did this a while back and only hit a few minor issues. I was mosly using the collections (and the IEnumerable<T> linq features) and the container.

Both the VCL and FMX are both designed to operate in the main thread only, creating/updating UI elements in another thread is quite likely to cause you problems.

The cloud isn't always cheaper (been there, done that, bought new servers). To make the cloud cheaper you really need to leverage the features they provide (not just a bunch of vm's) - and that means re-architecting things (=time + more money) and it also means vendor lock in - once you leverage the cloud features it's not easy to switch providers.