Subscribe
Share
Share
Embed
Do we understand how to add a package dependency after three years of creating the package index? No, we do not! We also discuss adding macro targets to Package pages, GitHub’s CodeQL analysis for Swift, and automating updating our package dependencies. Of course, we have six new package recommendations too!
Follow up
Follow up
- "Use this Package" showing an incorrect package name/identity – Issue 2451
News
- Tim Condon’s CodeQL post on the Swift Forums
- Marco Eidinger's GitHub action Swift Package Dependencies Checker
- Dependency details page – Issue 1321
Packages
Creators & Guests
What is Swift Package Indexing?
Join Dave and Sven, the creators of the Swift Package Index open-source project, as they talk about progress on the project and discuss a new set of community package recommendations every episode.
We actually got some follow up to talk about. Because we know nothing Jon Snow.
Remember we talked about extending our package usage popover last time.
I do. We were going to add a product to it and we, even better than that, we followed through
and actually did add a product clause to that use this package window. So tell me what went wrong, Sven.
Well, we talked and we even ranted about package names and all that, remember?
With the Swift prefix?
Yeah, how people should name their repository one way and then use the name inside the package as
something nice, you know, without the Swift prefix and stuff.
Well, it turns out the product clause that you need to put into your dependencies, you know,
when you have a, have a target depend on a product there, you specify the product name that you use
and you specify something called package colon is the, is the label for the, um, for the product,
thing, I said, this is the package name.
It isn't, it isn't.
We use the package name in the clause that we construct there, but it actually,
that, that actually produces a wrong product clause because what actually
needs to go in there is I think what Swift PM internally calls the package
identifier, and this is derived from the repository.
So I tried out a package which had a package name auto merge, but its repository is called
Swift-automurge. And what needs to be in that product clause is Swift-automurge.
I really, really hope that once we move to package registries, which will really have proper
package identifiers, and I think there's a scheme proposed where you have like an owner slash
package sort of scheme, which obviously then allows you to disambiguate in case,
probably common case that there will be overlap in package names. Once that's there,
that'll probably allow for better package names and still avoid clashes in names.
But currently what seems to be happening, and I vaguely recall seeing this, is that
Swift PM uses an identifier based on the repository name internally as a package ID,
and that's the thing you need to specify. And I guess that's perhaps why it's called just
"package colon" and not "package name", because it's not really the name but the identifier.
- So hold on, it's coming from the Git repository, nothing to do with the package?
- I think so. I can't think of another place where...
- Okay, wow.
As actually not Swift-automurge, it's automerge-swift is the name of the
repository and what Swift PM says needs to be.
So I tried this with just automerge as the package label there and Swift PM
package resolve says the only valid package it knows about is automerge-swift.
And the only place, the only other name, the manifest doesn't talk about
AutoMerge-Swift, if I recall correctly.
So the only other thing that has that name is the repository.
- So I'm learning about this for the first time
live on the podcast,
because I knew that there was the issue,
because you opened an issue this morning.
But this is the first I've heard of the solution.
And I think it says quite a lot that,
I mean, I would say both you and I
have a reasonably good understanding
of Swift package manager at this point,
after working on the package index for three years,
and if we get it wrong, it's too confusing.
- Well, maybe not.
(both laughing)
- So I guess are we gonna have to pass,
I suppose we have the repository name already
in our database, so this I think is fixable, isn't it?
- It is fixable, I wonder if we should,
so I'd love for the proper fix to be,
I know, so for instance, if you look in package resolved,
Um, the JSON file that gets, gets written out after you run Swift package resolve.
In there, the struct, if I recall correctly has an identifier.
So it says four packages, it has the URL and in the version two of that struct,
um, there is also an identifier.
And I, I think that's the thing I need to confirm this and I would rather try and
and grab it from there or some official source than try and guess it from the
repository name, you know, because that might change and then we have subtle breakage.
I'd really like, because also this will, this will certainly change once we move to registries,
because then I think the package format will use proper package identifiers and not, you know,
these names that we're guessing. And we should really try and have some canonical source for
what's actually used to identify what package you're looking at. And I think that'll solve
everything in the end. And I truly hope the thing that we arrive at there isn't a Swift-Dash thing,
but just a proper name that is disambiguated across projects and stuff, but is still
nice and readable and has maybe a subcomponent or just a separate name that is descriptive and
can be ambiguous because it's not the one used for identity matching, but can be the one that's
displayed elsewhere. But this thing we thought it was isn't that.
The downside is that we've already shipped and deployed the wrong version, but that's okay,
we can fix it and get it working shortly. Yeah, I think it's not a common problem.
The vast majority of the packages actually have those aligned anyway.
Of course. Yes.
It's probably we're punishing the ones that actually do the right thing, sort of.
and we should absolutely fix it. No good deed goes unpunished. That's the way it
is isn't it? There is another piece of news that we have this week which is we
shipped a new feature to visualize the number of macros that a package includes.
So we've had this data in the database for a little while now and a few weeks
ago we shipped support for searching on whether a package has macro targets and
now we have a new bullet point on the metadata section in the package page
which shows you if it has any targets and if so how many targets it has and I
already found it useful today when I was looking through package recommendations
for the podcast and I looked at this one package and the name of this package
suggested to me that it might include a macro and I instantly opened the package
page and discovered that I was wrong and it didn't have a macro in it. But that was, you know,
that saved me a whole load of digging through the package for manually
trying to figure out that information. It was nice to be able to see that
right there on the package page. So nice, yeah. That's another small but
It's an important improvement.
- Nice to have that on there and not just in the search.
- It was a little bit of a struggle to come up with an icon
to represent the concept of a macro.
The closest I could get was macro photography.
So it looks like a shutter in a camera,
but I am aware that that is stretching it a little bit.
- Yeah, it's a bit very obvious icon I'd say.
- You try and represent macro better.
I don't know maybe a puzzle piece now
that I think of it. Okay with what what
connection? Well it sort of expands and
is a piece of a larger puzzle. That makes
perfect sense doesn't it? I mean in my
head that is. I'm very happy with a
camera shutter yeah. All right well I'm too late now anyway.
Right in in other news there's something worth mentioning and that is GitHub added
CodeQL support recently and there was a really nice introductory post by Tim Condon on the
Swift forums. I saw it yeah. And what this does is it allows you to add code quality checks
that run automatically on pull requests and your main branch.
So this is something, it's really simple, I just added this
this morning to one of our repositories to try it out.
It's really just a small YAML snippet that you put into a new
workflow file in your .github/workflows directory.
And then it runs a check automatically
and I guess it checks for specific quality metrics in Swift code, common bugs and stuff like that.
And the new thing is obviously that it now supports Swift. This has been around, I think,
for other languages for quite a while. And it's new that this is supporting Swift now.
As I said, we added this to a semantic version, one of our packages.
And we'll also add a link in the show notes what this looks like. There's a little overview page
for the most recent scan to show that it's working and it's done its job and
hopefully not found anything. So that's quite nice. And another thing that GitHub
added recently is in Dependabot there's now support for Swift. Now Dependabot
also is a feature that has been around for a while for other languages which is
a tool that checks for outdated dependencies in your package.
And so if you add this to your repository, it'll go through.
And now it's supporting Swift.
It'll check if there are any Swift dependencies that are outdated
that should be updated.
We've actually had this for a while now with a different package,
and that's a GitHub action by Mako Eidinger.
It's called Swift Package Dependencies Checker,
which is also really nice.
And we'll actually keep using that tool because this tool is, uh, supports the
latest Swift version.
Now the GitHub, the Penderbot feature only supports Swift 5.9, but with our
main repository, we're using it, we're already on the Swift 5.9 beta, so we
can't actually use it there yet.
So Marco's tool is, or action is still very useful for us and is also a really
nice thing to get the same feature effectively.
So what this does, it'll open a pull request on your repository when there
are changes in your dependencies.
You can review those and then just merge it if you're happy and have
one to all your dependencies to move up to the latest version.
Yeah, it's great.
And, um, I think, I mean, there was macro script is, is really good.
Um, and we've been using it happily for months now, if not maybe a year,
something like that a long time anyway.
Um, but obviously that takes, that takes investigation. And first of all,
you have to have the, the,
the idea to research whether anyone's figured out a way to do this.
And then one thing that's really important about some company like
GitHub taking a hold of this problem is that it
raises this issue into people's kind of into the
front of people's minds. You know, there'll be a lot of press around, um,
blog posts and people talking about it and us talking about it on the
podcast and other podcasts talking about it and that kind of thing.
And half of the advantage of that is just letting people know, "Oh, if you haven't yet
done this, then this is a great thing to think about for your projects or repositories."
- Yeah, and in particular, because the onboarding is so easy, there's a couple of things you can
just do with a click of a button. And the most extensive dependency check, because it can actually
do a dependency check also beyond your major version. So it can actually alert you to a new
latest major version that you're actually not opting into. And that requires additional
configuration. But all the basic stuff is actually just a click of a button. So it's so easy to
to configure that there's really no reason not to do it.
Um, the only slight downside is that GitHub doesn't have a great history,
um, supporting the latest, um, beta versions of stuff, you know, like macros
version in particular, that runners are always a bit behind and the Swift version.
I, it doesn't support it right now, but it's also a very new feature.
So we can't judge it based on that.
Um, we'll have to see how that goes, but I suspect if you're.
tracking the latest beta version of Swift, that might not be the tool for you then in that case.
- Yeah. Although there's another way to look at that, which is that now this tool supports Swift
and more and more people would be relying on this tool. I don't think they'll go into beta versions
just yet, but it might increase the urgency of upgrading to latest release versions because
If they don't, then this tool will stop working for a certain amount of projects, and maybe that
will slightly up the priority of those upgrades a little bit. I think there's one other thing worth
mentioning here, which is part of this feature I think is actually switched on by default,
and you have to opt out rather than opting in. And that is that if there is a security
CVE raised against any Swift package, it will depend upon will automatically, without you opting
into anything, it will automatically alert you to that problem. And you can then opt in as well to
have it raise a pull request to increase the version of just that one package
outside of the global dependency update thing. Oh, that's really nice. I wasn't aware of that.
That's really cool. Yes. This whole automatic tracking and reporting is just so great because
it's the thing, if you don't think about that and set up the schedules for that, it's really easy to
just miss out on all of this. And you might have an idea to sometimes run Swift package update and
absorb that, but you know, who does that manually? It's just something you easily forget. Yeah.
Right. Another thing we might want to talk about is an upcoming feature.
I mean, not upcoming in the sense of next week or the week after, but it's something that we've been
working on for quite a while. And it got sort of pulled to the forefront again, because as part of
Dependabot, there is something in GitHub that will obviously deal with dependencies. And I think
there's also a way to see package dependencies of Swift projects. I haven't actually seen the UI,
but I saw some mention of it. I need to go back and check if it's actually in the
Git UI, but it reminded me that we had started work a while back on displaying dependencies
on the package page in the Swift package index. Now we do something already. We do show the total
dependency count of a package on the package page. And all of this is based on package resolved,
which is the file that SwiftPM writes out when it does the package resolution.
Now this dependency count is nice. It is useful, but it's also, it captures all dependencies.
that is both the transient dependencies as well as the test dependencies. And
that might not always be the thing you're looking for. And we certainly want to extend this. And
we spent some time quite a while ago to look into how to extend this, in particular to
break out the test targets so we can actually display these separately. I call them product
dependencies, which are the dependencies that your products, your package products depend on,
and the test dependencies separately, and in particular to make those dependencies navigatable
on the package page. And I think it's just worth mentioning at this point how this problem is
manifesting itself with the current implementation that we have. So if you look at a package at the
moment, you might see this package has four package dependencies. And let's say, for example,
that package uses one dependency in the actual package, and then QUIC and Nimble and maybe
another test dependency to run their tests. Seeing on a package page, this package has
four dependencies might put somebody in a frame of mind of like, oh, actually, that's quite a
quite a lot of dependencies to have for what might be a small package, but actually three of them are
only there to run the tests, which I mean, in my opinion, test dependencies are much less important
when I'm choosing a potential dependency for my project than if it were a product dependency.
And also, it's also not clear on our webpage
whether those dependencies are direct or transient.
And I think if I saw four dependencies
or three dependencies or two,
I'd assume that's two top level,
but we have no current way of showing that information.
- Yeah, and it'll be really nice
if the top level dependencies were shown, right?
And you could click through
and then if there are actually a package in the index,
it'll land on that package page.
would be really nice to have that graph traversable.
You know, obviously, if if it's not in the index, which is unlikely
because we actually add them automatically,
if we find we have a nightly job that goes through
and if a package is referenced by another package that's in the index,
it's then added to the index in the next day.
So we should actually have a fully onboarded graph of packages.
But it would be really nice to have those exposed
and make them navigatable.
So yeah, that's certainly something we want to do.
And what we did first is look at package resolve
because that's really easy to do.
And Swift PM does all the heavy lifting
of actually accounting for all those dependencies.
But the problem is--
- Actually doing the resolving.
- Yeah, that's the problem.
And there is nothing in package resolve
that will tell you afterwards what are direct dependencies,
What are transit dependencies?
What are test dependencies?
It's just a flat list of dependencies.
And that's why we have that fixed number and we can't really separate those out.
There is a way of doing that.
That's not too crazy that we spent some time, um, figuring out how to do, and,
and this is the approach we'll take.
Um, but it's maybe worth thinking of the main queries where we're
wanting to support with this.
Um, and obviously all of this is up for discussion and we actually have an issue
where we currently tracking our thoughts around this, which we linked to in the
show notes.
Um, and I think, I mean, you alluded to this, the product dependencies are really
where the meat of the matter is because those are the ones that go into your app
or your service, whatever it is.
Those are the ones that partake in your, in your, um, artifact that you're shipping.
So those are the ones that going to be impacted by CVs and the like.
Or just source code breakage, right?
If you want to assess ahead of time, how exposed am I to potential API changes
and having to deal with them, the lower the number of packages, the less likely that is.
So that's why that's important.
And this also assumes that in a pinch, right, if there's breakage due to something in test
dependencies, you can ignore those, right? If your test dependencies depend on a package
that has a change so that you can't run your tests and you really need to get out a hot fix,
I think you're going to have an argument and say, right, okay, we need to fix this. We can do some
manual testing, we get this out, and then we deal with the test dependency after the fact. That's
probably something you can get away with. If that's a product dependency, you can't.
100%.
So that's why that distinction is certainly important.
But test dependencies are still important because there's this other thing that comes up
again and again, and that's being referred to as the software bill of materials.
And that's effectively your complete attack surface to supply chain attacks.
and test dependencies do play a role there because you run stuff. You run your tests,
and anything you do in CI or locally, anything you run and any source code that goes into
impact what you run there is open to any malicious package messing with what you're running and where
you're running it. A while back, way back, there was a compromised Xcode version that got shipped
and or got, you know, people were tricked into downloading it and that impacted how you ran your
stuff. And then downstream from there are all sorts of problems, you know, like secrets being
leaked because of stuff like that. So you still want to know what your total surface is, you know,
what code are you actually pulling in across your whole package, but there's a bit of a difference
in, in importance, I guess, or, and because these supply chain chain attacks are, are
probably not targeted at an indie developer or if, if it is, you know, you're probably.
You're probably not going to be picked on it.
They're going to pick the, the big targets, the important targets.
Um, but it's certainly a good thing to have exposed and to be able to see ahead of time
what the list of packages really is, what that bill of materials really is.
And maybe the last thing that's interesting is usage tracking.
And that's how many packages depend on this package P that you're looking at.
And while that's an interesting metric, that's probably one that we can never
really produce in a useful sense, because we only see open source packages.
So any usage we would ever see in these metrics is open source
packages using this open source package.
And given that we currently track 6,000 packages and there's like, it's
millions of apps out there, right?
This is going to be dwarfed.
Like it's the number of, of actually packages using a package like alarmofire.
It's not the package that we have in index that use alarmofire that are
the actual clients of alarmofire.
The clients of alarmofire are all the apps in the app store that actually
embed that library and we have no usage stats on those.
So that is probably not really even a useful thing
to try and expose.
- Yeah, it's tragic in a way because we do have,
well, we will have a really nice set of data,
but I would say that unless we come up with a way
for people who build apps to anonymously report
what packages they are depending on in their app,
which we could do. And we don't need to go into how we could do that, but we could do that.
But I also think that, you know, even if we went down that route, there's so much work to do to get
people to adopt that, that I'm not sure we could ever trust that data. And I think it's almost a
little bit of a tragedy that we'll have a subset of this, but we won't really ever be able to do
anything useful with it.
Yeah, I think it might be really nice. And maybe that's an option if a package registry had a way
of reporting that back to us or some service, because I think there's value in that for
you, even for the clients of Alarm or Fire to report that back.
Because then on the way back, that could be reporting of CVEs.
Imagine someone is, for instance, using Swift Neo and there could be just like Dependabot,
it could be a service maybe based on the package index in combination with the registry to
report back to application authors that there's something wrong and notify them
that there's a CVE against a package that they're using.
So that might be a nice avenue to incentivize people to opt in if it's an
opt in process to this kind of reporting.
And that data is in many ways much better than a lot of the data that language,
other language indexes use.
So for example, a lot of dependency indexes
for other languages use downloads as a metric
of how popular something is.
So whenever a package is grabbed by the package manager,
they'll take up a count on the number of downloads.
And that's certainly an indicator,
but there's enough downloads
that someone trying out a package
or just testing something.
Whereas if you actually have what packages
are actually in use at build time,
that's really different information.
And I think it's probably a better indicator,
but we've got such a long road to go down
for that to be anything like useful.
And I think step one is exactly what we're planning
to do here, which is give people some information
about the dependencies of the packages
that they are considering using themselves
and not to worry about the bigger picture.
- Yeah, and I'm hopeful that we can break this down further
because it's quite a large piece.
I went through my notes this morning
to sort of recap where we left it.
And this is going to be quite complicated.
And hopefully there's some intermediate things
that we can release to make that incrementally more useful
than it is now with the total count.
- Even if it's just the case of bringing the data
in bit by bit or adding the extra bits of analysis
on the data bit by bit before we expose anything
to the user interface.
So yeah, I think it would be good to chip away at this
in smaller chunks.
It's always better to approach things that way.
- Yeah, definitely.
- Right, we've actually,
we've whitted on quite extensively today.
Let's get into some package recommendations.
Do you wanna give us the first one?
- My first one is called DataKit by Paul Kraft,
Paul Kraft, he's German, so I'm confident in the pronunciation of the name.
That's not what I got from the way you said that.
I didn't get any confidence at all.
Damn.
DataKit is a really great package.
I loved, I loved seeing this.
Um, it's a great package when you're working with custom binary data formats.
And this sort of brought me back to a time several years ago when I had to
decode a proprietary proprietary data format.
Um, and even way back further in the physics days, where we're losing, using
lots of proprietary custom data formats, because it really, every bit even counted
at the time, and this can be really fiddly, but what this package does, it
gives you a, um, result builder based DSL where you can actually specify this.
It's really nice.
It sort of looks like Swift UI layout, but for your data, you can define static data
blocks, like certain byte patterns that you want as markers.
You can then specify your values, properties, do conversions where needed.
So by values, properties, I mean, you know, like data types.
And obviously specify quite in detail ways, the bit size of them.
Use conversions where needed.
really nice. The reading and writing can be driven by different conformers to a read format
and a write format protocol. That's if you have to do different things or if you only implement a read
of a format, for instance, or you can do it jointly by conforming to a format. It's a bit like
codable, you know, that has a encodable and a decodable form protocol that you conform to.
And it also has a CRC checksum support component so you can tack this on and then
I guess in some way ensure that what you've received and decoded is actually
came across the wire and is intact still. Really nice. This whole thing works in a playground so
you can use our feature to try in a playground which I always love calling out because that's
how I actually play with packages and look at them and you can and that I would have found really
really useful working and trying to load a file, stick this in and then piece by piece try and
parse a file back out. So really nice package. DataKit by Paul Kraft. How was that for the
pronunciation, Dave? Yes, much better, much more confident, absolutely. My first package is a
package that we don't use directly, but we do use the underlying technology behind it.
So the package is called SwiftWhisper by Aaron Taylor. And it is a wrapper around a C++ library
that interacts with the Whisper AI model from, I believe it's OpenAI that produces the Whisper
model. And Whisper takes audio files and will transcribe them with quite unbelievable accuracy.
It is a remarkable library. So we use it to transcribe all of these podcasts. We run it
through an application called MacWhisper by Jordi Bruin. There's also an app called Ico, which I
which I believe is by Sindre Sohus.
And both of those use the whisper model
to take in an MP3 file or a web file
and produce a transcript.
And I mean, I'll see how it does with the,
with your pronunciation of the previous author's name
this time, but it does actually get author names
like remarkably accurately transcribed.
It's an amazing bit of software.
And so this package is a way for you to interact
with that model from a Swift application.
It doesn't come with the models included,
but it does include a link where you can download
pre-trained models, 'cause obviously the model
is a huge part of that dependency.
But yeah, it seems like a really easy way
to get either offline or even potentially
real-time translation, transcription, sorry,
into an application that you're looking at.
And the nice thing about it is that these models
can be shipped along with your app.
So it's not the kind of thing
that requires an online connection.
- Nice, yeah, I'm really surprised
about the quality of these tools
and how quickly that evolved.
Cause I recall that being quite difficult and often, you know, especially with
technical terms and names and stuff, this, this is so amazing that this actually works.
I mean, there's still cases where this doesn't work correctly, but you can see
with, with, you know, bigger models that it'll, it'll get there.
And I, even, even humans fail at this at times, right?
You misunderstand something or you have a different term in mind and are
confused about what it is.
So it's not, not surprising that this goes wrong sometimes.
And we've talked about this on the podcast in the past and this idea of,
um,
uses for AI that don't involve the AI having to come up with kind of original
thought or original data or knowledge based answers and things like that.
And this is a perfect example of that. Yes,
it might not get every single bit of transcription correct,
but it's never going to just start hallucinating or at least in our experience
it doesn't, it doesn't hallucinate. It sometimes,
It sometimes makes mistakes, but it never hallucinates.
And it's because it's that problem domain
is very well suited to this kind of AI.
- Well, sticking with the theme,
my second pick is actually very similar.
It's called Cleverbird by BT Franklin.
And it's an open API, no, it's an open AI API wrapper.
And I actually mistyped this in my notes
because I always mix these up.
Open AI API wrapper.
And it's actually the package we're using in one of our packages to generate package
descriptions. So this is a little proof of concept kind of thing that we're doing.
And I had a really interesting use case this week for these package descriptions.
I actually used our tool to generate a package description for a package
called a ZuKeyKanaKanjiConverter.
And this is a package, we'll have a link in the show notes that has a readme in Japanese.
And because the GitHub page is in English and the readme is in Japanese, the Google's page,
webpage translation or Safari's webpage translation doesn't work or it's not offered as an option.
So I couldn't really tell what this package really does,
and I wasn't sure if I might want to mention it.
So I ran this tool on this package,
and it actually gave me an English description
of the package, what it does,
and it does appear to make sense.
So that's really nice,
how these tools open up these things.
Not only does it tell you what this page is about,
at the same time, it gives you a short summary.
So I think that's a really interesting use case
these open AI or general in general and AI tools?
Um, you may or may not know this, but, um, in the work that I did on the prompt for generating the
summaries, um, I actually looked into also translating and there are lots of different
options that you can kind of get out of, um, uh, of GPT with translating or not translating. You can,
you can and it understands your wishes to summarize something and also translate it at the
same time or summarize it and keep it in the same language and there's lots of different options.
Especially with the translation, you're straying into stuff where
potential hallucination could be quite dangerous because you might not know whether if it was
translating something, you might not know whether that translation was accurate or not. But certainly
in summaries it's often operating on a very good set of initial data. But certainly that
translation, I think that actually made it into the prompt that we ended up using
in the end that it should also translate it to English.
Yeah. I recall, didn't you test it with a Chinese package or something when you wrote the prompt?
Yes, we did with Chinese. I think we tested it with both Chinese and Japanese text.
Nice. So yeah, that's so the the OpenAI wrapper, API wrapper is called Cleverbird and it's by BT Franklin.
That's good. My second package today is called Stores and it's by Omar Albeek.
And Stores is a key value store to store code of all types, but the destination of that store is
is configurable. So with the same data layer, you can store your data in user defaults on the file
system, into core data, into the keychain, and you've got the same interface to all of the
storage no matter what ultimate destination you're using. Now, obviously we've got Swift data, which
which is new this year and in beta at the moment.
And from what I've seen so far, I really like Swift data.
And I think it removes a lot of why I hesitated
to always recommend core data,
which is there's quite a lot of initial setup
and you've got to think about,
you've got to think about your storage quite carefully
before you pick a core data.
Where sometimes a plist file on a file system
a JSON file and file system might do just as good a job,
depending on what kind of data
and how much data you're looking at.
And what I quite liked about this package is that
you can almost defer that decision.
So with the same interface to the data store,
you could start with file system store
and then potentially move up to a core data store later.
Of course you are tied in
and with any data storage package,
or in fact, any package that goes in
at the root of your application,
it's a much, what's the best way to say it?
It's a much heavier dependency to take on
than something that's right at the edges
where you could easily replace it.
Once you make a decision in your data store,
you've gotta be really sure
you wanna stick with that data store.
- Yeah, that's load-bearing.
(laughing)
- It is load-bearing.
That's exactly the way to describe it, yeah.
But I quite like the idea of it,
and it looks to be fairly mature.
It's only been around for 11 months,
but it's already had 12 releases, so that's a good sign.
And it's well-documented.
The documentation is hosted on the package index,
which we know that always gives people a leg up
into getting picked on this podcast.
(laughing)
So that's Storz.
Right, my third pick is the Swift composable architecture package by Pointfree.
And the reason I want to mention it this week, and I think because I think I mentioned it before,
is that they've now made their 1.0 release. So I think that's certainly worth talking about
briefly here. We should also mention that Pointfree are sponsors of Swift package index.
But all their packages are open source and free so you know you can get a lot out of them.
They really have great packages and they have excellent documentation so
you don't need to subscribe to point free to make use of it.
This is all available and really really high quality even before 1.0 release.
I've been using the composable architecture for I think at least three years now.
Now I'm not writing a whole lot of UI apps. I think I count like four small ones over the last
four years, but they're all TCA based because I, once I learned how that works, it really resonated
with me to the extent that I, I really feel like I can't write UI apps anymore. Well, actually I
didn't, I never really felt comfortable writing UI apps before because of the way I tend to write
code which is really test based.
So I really like to test stuff and UI code is often really hard to test.
And that's perhaps the strongest argument for TCA that I can think of, at least
personally for me, is that it makes UI apps so testable and therefore manageable.
Because the thing is you might bang out an app really quick without tests, but
Where it really pays off is in the maintenance.
If you have, you know, add more features, have more releases, the bigger your test
suite, the easier that still stays and remains updating your dependencies, that
sort of stuff, all that stuff really scales much better, is easier, more easily
done if you have lots of tests and TCI really makes that possible.
Um, they have this, um, unidirectional data flow where actions modify a state
in a store and that's really the only way to modify your store and your views are really
just displays of the store. And that concept really makes it for me like really natural
and easy to work with UI because it then becomes less magical. I always struggle with UI apps
because stuff seems to be happening magically. One change, little change over here in the
would suddenly make things happen on another end.
And I never really got quite comfortable with that.
And TCA, I think is the thing that really made that click for me.
That you can test all the logic in unit tests and then have snapshot tests,
for instance, for your UI views.
So, yeah, there you go.
TCA, the composable architecture 1.0
after a long time of being in pre-release by point three.
- I think it's also worth mentioning
with Composable Architecture that they've done a great job
with obviously documenting it through their video series,
of course, but also documenting it through
actual documentation.
And they've also put together one of those Doxy tutorials,
which is an extensive,
I think it's like a four hour potential length tutorial
or something like that that I saw
that, you know, putting together a tutorial like that takes time and effort. And it's great to see
that kind of effort going into an open source package like this. Yeah, the other thing I really
want to call out is, you might think, well, 1.0, I'm going to wait for 1.1. The way they've dealt
with version changes, even leading up to 1.0, I don't recall a time when there was a breakage.
They always had releases with deprecation warnings and then the most detailed adoption
documentation.
You're like, when you adopt the new version and you get deprecation warnings, you need
to do this to fix those.
Or, you know, if you jumped a few versions, you could see, all right, I need to do this
and this to fix my compile errors because you skipped over the deprecation version,
ended up on the new version.
It's been, I've picked up apps that I'd written
three years ago and went through,
and it has always been really, really hassle-free
to move along, and I'd say this is a safe library to adopt
if you're concerned about breaking changes.
It's really amazing the way they've dealt with this.
- Although to use your phrase before,
this is very much a load-bearing library.
- It is, yes.
You have to be, you have to buy into the concept.
This is not something you'll pick up in one evening, I guess, unless you're
perhaps comfortable or you know React Native, which is I think very similar.
Or I think Elm also has this unidirectional data flow concept.
It's certainly different.
It's quite, and it is an architecture.
It's like an honest architecture that you need to adopt in your app.
It's not something you should do lightly.
Having said that, I do believe it's something you can adopt partially.
So, um, this might be something to look into.
I do believe you can do this in, you know, in a, in a screen or two in your app and
I see how it goes and take it from there.
So you don't need to onboard your whole thing into this, but it's certainly easier
to get to start out with this in a, in a new app or a smaller app to, to see how it
goes and that goes to Dave's point that there's a really, really good tutorial and extensive
tutorial. So there's lots of stuff there to get started with it and see if that's something
for you.
That's great. My last package is not this week a cleverly or amusingly named package,
It is an amusing content to this package.
The package is brand new, five days old,
and it's called Swift NRC by Joe Hinkle.
And I'm not entirely sure,
I may be misrepresenting this package terribly
in saying that it's kind of a music content,
but it's the description of this package is,
Swift objects without reference counting.
Do you ever wish you could go back
to manual memory management and Swift
is the kind of language that just does not let you do that?
Well, Swift NRC is here to help.
It's effectively a package with a macro inside it,
which allows you to use the unsafe pointers of Swift
in a slightly more,
is they wrap up the unsafe pointers
to allow you to do your own memory management.
I don't think you should use this package.
I think this package demonstrates
some interesting things with macros.
I don't think we should go back
to manual memory management,
although there are potentially uses
that may be performance or something like that.
Although even then, I'd be really surprised
if going back to pre-arc days was ever a good idea.
But I did, it did make me smile.
It did make me, it's an interesting little package
and I thought it was worth a mention.
- Very nice.
- But please don't use it.
Right, and with that, I think we should call it,
and we will be back in two weeks
with more package recommendations
and potentially an update on dependencies
potentially a fixed version of our use this package popover. Great, see you in two weeks.
So until then I will see you in a couple of weeks. Bye bye. Bye.