Check depends for validity

[patrickbkr]

DateTime::Timezones:ver<0.4.1> has the following line in its META6.json:

"depends": [ "Timezones::ZoneInfo:auth:<zef:guifa>:ver<0.4.1+>"],

Notice the extra : after auth. If I interpret my observations correctly, that dependency is ignored by zef without any notice.

It would be nice if fez could validate dependency specs and prevent uploads of such malformed specs.

[tony-o]

adding this to the next iteration of fez (interestingly the tgz processor for fez fixed it only for the index, which is a bug).

[tony-o]

@patrickbkr looking at this a little more closely today. i no longer think this is a bug for the reason that it's impossible to programmatically discern the intention of the author. In this case it's apparent but this example is less obvious: "depends": ["Timezones::ZoneInfo:auth<x>:ver:api<*>"].

tl;dr The <zef:guifa> in this case may just be another adverb that fez or zef don't use or care much about.

[patrickbkr]

Couldn't we instead check whether the values we do care about are sane? In the OP snippet auth should have a value, but doesn't.

[tony-o]

@patrickbkr it's a little trickier than that, let me think about how this might be done. simply hardcoding it seems like a bad idea and this might be leaning more towards full on dist manager mode, which may be the path forward for fez but i'm hesitant to take on that work without help. the other way might be peeling fez back to just a library that mi6 or some other tool can use to upload dists but this is less appealing than full on dist management.

[tony-o]

Going to add this to v48 of fez. I ended up going for the dist route with fez

[tony-o]

Okay, a fix for this is incoming with RakuAST