Message-ID: <4f054d0dc06d72d3e3c3d8cf368aa46ea7417552.camel@gmail.com>
Subject: Re: Pinned/fixed versions should be a requirement.
From: Liliana Marie Prikler
To: Distopico, guix-devel@gnu.org
Date: Sun, 10 Sep 2023 01:30:12 +0200

In this thread: Rust has a broken packaging model, so let's apply that.

On Monday, 04.09.2023 at 21:59 -0500, Distopico wrote:
> Many libraries in different languages don't follow semver, which can
> lead to cases like `rust-serde-json`, which, between versions
> "1.0.97" and "1.0.98," changed its dependency from `indexmap` "1.x"
> to "2.x," causing several packages like rust-analyzer to break. I've
> also observed this in Haskell with packages like "text."

The thing here is that cargo itself also relies on semantic
versioning. In fact, I am befuzzled as to why a dependency on
"indexmap" should affect serde-json's public API, and probably so were
the serde folks.
Then again, coming from the GNOME world, libsoup3 wasn't really a
silent bomb either.

Btw. note to everyone reading this thread, if you ever consider
updating serde: skip versions [1.0.172, 1.0.185). Thanks :)

> This is problematic because:
>
>     - Over time, it becomes more vulnerable to libraries/packages
>       breaking.
>
>     - It makes reproducible software more challenging, as "1.x" can
>       encompass many versions.
>
>     - Debugging becomes difficult since that package could be a deep
>       dependency in the system package dependency chain, such as
>       Rust/Haskell/NPM, etc.
>
>     - It makes it more likely that if a dependency changes, many
>       packages will need to be updated/rebuilt due to that change.
>
> For these reasons, I believe that pinned versions should be a
> requirement in libraries, always specifying the exact dependency, for
> example, `rust-serde-json-1.0.98`.

This goes contrary to even Rust's development model that only forces
lock files onto applications and not libraries. Now, you make a good
point in that pinned versions save us some trouble, but they can also
cause trouble on their own. Rust dependencies are basically glorified
propagated-inputs, but with none of the `guix graph' support, so
they're both incredibly hard to detect with our current tooling *and*
they allow for two pinned versions X and Y to cause a potential
conflict. Indeed a recipe for fun times :)

I think we need to actually capture these links so that we can more
easily detect potentially critical changes to the Rust ecosystem and
stick to our tried and tested recipe of "only touch these ones on
feature branches, mkay?". Do you know what goes into serde? I know I
don't.

On that note, does anyone have an ETA for antioxidant?

Cheers

PS: Also consider that software written in Rust may contain bugs that
we need to patch out. Upgrading a package that adheres to SemVer as it
ought to according to Rust standards is already non-trivial enough.
Now try that along with writing a sed script to replace it in every
input. Quickly gets very annoying.
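
As an added example (not part of the original message, and not Guix or cargo tooling), a small check over a Cargo.lock that flags serde versions inside the [1.0.172, 1.0.185) range named in the message and lists crates locked at more than one version. The lock excerpt and all function names are constructed for illustration.

```python
import re

# Half-open range quoted in the message: skip serde versions [1.0.172, 1.0.185).
SKIP_FROM, SKIP_BELOW = (1, 0, 172), (1, 0, 185)

# Constructed Cargo.lock excerpt (not taken from any real project).
SAMPLE_LOCK = '''
[[package]]
name = "indexmap"
version = "1.9.3"
[[package]]
name = "indexmap"
version = "2.0.0"
[[package]]
name = "serde"
version = "1.0.180"
[[package]]
name = "serde_json"
version = "1.0.98"
'''

def parse_lock(text):
    """Return (name, version) pairs from the [[package]] tables of a Cargo.lock."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages

def as_tuple(version):
    """Numeric major.minor.patch; pre-release and build metadata are ignored."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())

def audit(text):
    """Report serde versions inside the skip range and crates locked more than once."""
    pkgs = parse_lock(text)
    skipped = [v for n, v in pkgs if n == "serde"
               and SKIP_FROM <= as_tuple(v) < SKIP_BELOW]
    seen = {}
    for n, v in pkgs:
        seen.setdefault(n, set()).add(v)
    duplicates = {n: sorted(vs) for n, vs in seen.items() if len(vs) > 1}
    return skipped, duplicates

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```
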