Machine-readable versioning, dependencies, and metadata of components of the ecosystem #17
Description
We have already made good steps in documenting snapshots of the complete ecosystem in the preCICE Distribution.
A next step is to make the distribution a meta-package, so that one can:
- Download all components at once:
git clone precice-distribution && git checkout v2404.0(we could say we already do this by putting an archive on DaRUS) - Use package managers to do
<something> install precice-distribution==v2404.0.
This is mainly work on the packaging side, and the community is already packaging components of the preCICE ecosystem for different package managers.
One step further would be to make each package describe all of its dependencies in a machine-readable way. This is something we only do as documentation, in the README files, or now in very limited cases as requirements.txt files (see Nutils or FEniCS tutorials). However, not everything we do is Python-based, so we need a more general solution.
What we also need is a machine readable way that enables:
- The tutorials v2404.0 knows that it needs at least the OpenFOAM adapter v1.3.0 and the FEniCS adapter v1.2.0
- The OpenFOAM adapter knows that it needs at least preCICE v3.0.0 and OpenFOAM v1812
- The FEniCS adapter knows that is needs at least FEniCS v and Python bindings v3.0.0.0
- The Python bindings know that they need at least preCICE v3.0.0
Some checks are already in place to inform the user in some of the steps (maybe 3 and 4), but this only happens at some levels and for some packages and it only inform you if you do something wrong, not what you actually need. We could extend these checks to have them in all components.
A further step would be to have such metadata explicitly defined for all components, for example using CodeMeta. I have not yet looked into details, but this is what seems to be what the RSE community is mostly discussing at the moment. This would allow us to:
- Construct trees of package dependencies. This we could already do using various package managers (Spack, PIP, etc).
- By extension, generate complete SBOMs, which are important for organizations
- Automatically extract citation information for the components each simulation is using (we should already have CFF files in all repositories)
- Automatically perform license compatibility checks for all components (OK, I am going too far here for the current state, but to see the potential)
See also precice/precice#2004
(I thought I had already mentioned CodeMeta somewhere, but I cannot find any issue associated with it)