From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Distopico <distopico@riseup.net>, guix-devel@gnu.org
Subject: Re: Pinned/fixed versions should be a requirement.
Date: Sun, 10 Sep 2023 01:30:12 +0200
Message-ID: <4f054d0dc06d72d3e3c3d8cf368aa46ea7417552.camel@gmail.com>
In-Reply-To: <87h6o9pbbv.fsf@riseup.net>
In this thread: Rust has a broken packaging model, so let's apply that.
Am Montag, dem 04.09.2023 um 21:59 -0500 schrieb Distopico:
> Many libraries in different languages don't follow semver, which can
> lead to cases like `rust-serde-json`, which, between versions
> "1.0.97" and "1.0.98," changed its dependency from `indexmap` "1.x"
> to "2.x," causing several packages like rust-analyzer to break. I've
> also observed this in Haskell with packages like "text."
The thing here is that cargo itself also relies on semantic
versioning. In fact, I am befuzzled as to why a dependency on
"indexmap" should affect serde-json's public API, and probably so were
the serde folks. Then again, coming from the GNOME world, libsoup3
wasn't really a silent bomb either.
Btw. note to everyone reading this thread, if you ever consider
updating serde: skip versions [1.0.172, 1.0.185). Thanks :)
> This is problematic because:
>
> - Over time, it becomes more vulnerable to libraries/packages
> breaking.
>
> - It makes reproducible software more challenging, as "1.x" can
> encompass many versions.
>
> - Debugging becomes difficult since that package could be a deep
> dependency in the system package dependency chain, such as
> Rust/Haskell/NPM, etc.
>
> - It makes it more likely that if a dependency changes, many
> packages will need to be updated/rebuilt due to that change.
>
> For these reasons, I believe that pinned versions should be a
> requirement in libraries, always specifying the exact dependency, for
> example, `rust-serde-json-1.0.98`.
This goes contrary to even rust's development model that only forces
lock files onto applications and not libraries. Now, you make a good
point in that pinned versions save us some trouble, but they can also
cause trouble on their own. Rust dependencies are basically glorified
propagated-inputs, but with none of the `guix graph' support, so
they're both incredibly hard to detect with our current tooling *and*
they allow for two pinned versions X and Y to cause a potential
conflict. Indeed a recipe for fun times :)
I think we need to actually capture these links so that we can more
easily detect potentially critical changes to the rust ecosystem and
stick to our tried and tested recipe of "only touch these ones on
feature branches, mkay?". Do you know what goes into serde? I know I
don't. On that note, does anyone have an ETA for antioxidant?
Cheers
PS: Also consider that software written in Rust may contain bugs that
we need to patch out. Upgrading a package that adheres to SemVer as it
ought to according to Rust standards is already non-trivial enough.
Now try that along with writing a sed script to replace it in every
input. Quickly gets very annoying.
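The two failure modes this message sketches, a dependency's required major version moving inside a patch release of the package that depends on it, and two exact pins of the same crate colliding once both are propagated into one profile, can be made concrete with a small model of cargo's caret requirements. The Python below is an added example, not code from this thread, from Guix or from cargo; the crate metadata in it is constructed to mirror the serde_json/indexmap case described above, and the function names are the example's own.

```python
"""Added example (not from the thread, not Guix or cargo code).

Models cargo's caret version requirements and two checks the thread
argues for: spotting a dependency major bump hidden inside a patch
release, and spotting two exact pins of the same crate that would
collide when both are propagated into one profile. All crate metadata
below is constructed to mirror the serde_json / indexmap case.
"""
from collections import defaultdict


def parse_version(text):
    """'1.0.98' -> (1, 0, 98); missing components are zero-filled as cargo does."""
    parts = [int(p) for p in text.strip().lstrip("^").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def compat_bucket(version):
    """Key for the semver-compatible family a version belongs to.

    Cargo treats ^1.2.3 as >=1.2.3 <2.0.0, ^0.2.3 as >=0.2.3 <0.3.0 and
    ^0.0.3 as >=0.0.3 <0.0.4, so the family is the leftmost non-zero part.
    """
    major, minor, patch = version
    if major:
        return (major,)
    if minor:
        return (0, minor)
    return (0, 0, patch)


def caret_satisfies(version, requirement):
    """True if `version` falls inside the caret range implied by `requirement`."""
    lower = parse_version(requirement)
    return version >= lower and compat_bucket(version) == compat_bucket(lower)


def hidden_breaking_bumps(releases):
    """Compare consecutive releases of one crate.

    `releases` is a list of (version_string, {dep_name: requirement}) in
    release order. Returns (old_version, new_version, dep, old_req, new_req)
    for every dependency whose requirement moved to a different compatible
    family while the crate's own version stayed in the same family, i.e.
    a downstream-visible change shipped as a patch or minor release.
    """
    findings = []
    for (old_v, old_deps), (new_v, new_deps) in zip(releases, releases[1:]):
        if compat_bucket(parse_version(old_v)) != compat_bucket(parse_version(new_v)):
            continue  # a genuine major bump is allowed to change anything
        for dep, new_req in new_deps.items():
            old_req = old_deps.get(dep)
            if old_req is None:
                continue  # newly added dependency, not a silent bump
            if compat_bucket(parse_version(old_req)) != compat_bucket(parse_version(new_req)):
                findings.append((old_v, new_v, dep, old_req, new_req))
    return findings


def pin_conflicts(pins):
    """Given {package: {dep: exact_version}}, return {dep: sorted versions}
    for every dep pinned to more than one distinct version across packages
    that would land in the same profile."""
    seen = defaultdict(set)
    for deps in pins.values():
        for dep, ver in deps.items():
            seen[dep].add(ver)
    return {dep: sorted(vs) for dep, vs in seen.items() if len(vs) > 1}


# Constructed metadata mirroring the thread's serde_json example.
SERDE_JSON_RELEASES = [
    ("1.0.97", {"indexmap": "1.5", "serde": "1.0"}),
    ("1.0.98", {"indexmap": "2.0", "serde": "1.0"}),
]

# Constructed: two crates each pinning indexmap exactly, as the thread warns.
PINNED_INPUTS = {
    "rust-serde-json-1.0.98": {"indexmap": "2.0.0", "serde": "1.0.0"},
    "rust-analyzer": {"indexmap": "1.5.0", "serde": "1.0.0"},
}

if __name__ == "__main__":
    for finding in hidden_breaking_bumps(SERDE_JSON_RELEASES):
        print("hidden breaking bump:", finding)
    print("pin conflicts:", pin_conflicts(PINNED_INPUTS))
```

Run against the constructed data, the first check reports the indexmap requirement moving from the `1.x` family to the `2.x` family between 1.0.97 and 1.0.98, and the second reports indexmap as the one input pinned to two incompatible versions; the same two functions would run unchanged over metadata pulled from real Cargo.toml files.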