From: Distopico <distopico@riseup.net>
To: guix-devel@gnu.org
Subject: Pinned/fixed versions should be a requirement.
Date: Mon, 04 Sep 2023 21:59:47 -0500 [thread overview]
Message-ID: <87h6o9pbbv.fsf@riseup.net> (raw)
[-- Attachment #1: Type: text/plain, Size: 2112 bytes --]
In my experience using Guix and attempting to make contributions, I've
noticed that the vast majority of times when a library breaks, it's
because one of its dependencies changed version. For instance,
referencing something like `rust-my-lib-1`, where "1" refers to the
semver "1.x" of the package, e.g., "1.0.32", and `rust-foo` depends on
`rust-my-lib == 1.0.32`. However, in some other package got updated to
"1.0.34" so `rust-foo` will break. I've seen this happen a lot with
Haskell and Rust libraries.
Many libraries in different languages don't follow semver, which can
lead to cases like `rust-serde-json`, which, between versions "1.0.97"
and "1.0.98," changed its dependency from `indexmap` "1.x" to "2.x,"
causing several packages like rust-analyzer to break. I've also observed
this in Haskell with packages like "text."
This is problematic because:
- Over time, it becomes more vulnerable to libraries/packages
breaking.
- It makes reproducible software more challenging, as "1.x" can
encompass many versions.
- Debugging becomes difficult since that package could be a deep
dependency in the system package dependency chain, such as
Rust/Haskell/NPM, etc.
- It makes it more likely that if a dependency changes, many
packages will need to be updated/rebuilt due to that change.
For these reasons, I believe that pinned versions should be a
requirement in libraries, always specifying the exact dependency, for
example, `rust-serde-json-1.0.98`.
This brings the following benefits:
- Fewer packages will be prone to rebuilding when changing the
definition of a library.
- Reduced likelihood of libraries/packages breaking.
- Easier maintenance of packages and libraries without fear of
breaking others or having to update many.
There could be some potential disadvantages:
- The list of library versions may grow larger, making it harder to
detect orphaned or unused versions.
Additionally, I believe that a command to list the dependency tree of a
package would be ideal for easier debugging.
Regards!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 515 bytes --]
next reply other threads:[~2023-09-05 3:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-05 2:59 Distopico [this message]
2023-09-05 17:15 ` Pinned/fixed versions should be a requirement wolf
2023-09-07 12:39 ` Pinned " Simon Tournier
2023-09-07 15:35 ` Distopico
2023-09-09 10:39 ` Simon Tournier
2023-09-09 22:50 ` Pinned/fixed " Attila Lendvai
2023-09-09 23:30 ` Liliana Marie Prikler
2023-09-10 1:37 ` Distopico
2023-09-10 5:51 ` Liliana Marie Prikler
2023-09-27 7:51 ` Nguyễn Gia Phong via Development of GNU Guix and the GNU System distribution.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h6o9pbbv.fsf@riseup.net \
--to=distopico@riseup.net \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).