Date: Tue, 5 Sep 2023 19:15:08 +0200
From: wolf
To: Distopico
Cc: guix-devel@gnu.org
Subject: Re: Pinned/fixed versions should be a requirement.

On 2023-09-04 21:59:47 -0500, Distopico wrote:
>
> In my experience using Guix and attempting to make contributions, I've
> noticed that the vast majority of times when a library breaks, it's
> because one of its dependencies changed version. For instance,
> referencing something like `rust-my-lib-1`, where "1" refers to the
> semver "1.x" of the package, e.g., "1.0.32", and `rust-foo` depends on
> `rust-my-lib == 1.0.32`. However, in some other package got updated to
> "1.0.34" so `rust-foo` will break. I've seen this happen a lot with
> Haskell and Rust libraries.
>
> Many libraries in different languages don't follow semver, which can
> lead to cases like `rust-serde-json`, which, between versions "1.0.97"
> and "1.0.98," changed its dependency from `indexmap` "1.x" to "2.x,"
> causing several packages like rust-analyzer to break. I've also observed
> this in Haskell with packages like "text."
>
> This is problematic because:
>
> - Over time, it becomes more vulnerable to libraries/packages
>   breaking.
>
> - It makes reproducible software more challenging, as "1.x" can
>   encompass many versions.
>
> - Debugging becomes difficult since that package could be a deep
>   dependency in the system package dependency chain, such as
>   Rust/Haskell/NPM, etc.
>
> - It makes it more likely that if a dependency changes, many
>   packages will need to be updated/rebuilt due to that change.
>
> For these reasons, I believe that pinned versions should be a
> requirement in libraries, always specifying the exact dependency, for
> example, `rust-serde-json-1.0.98`.
>
> This brings the following benefits:
>
> - Fewer packages will be prone to rebuilding when changing the
>   definition of a library.
>
> - Reduced likelihood of libraries/packages breaking.
>
> - Easier maintenance of packages and libraries without fear of
>   breaking others or having to update many.
>
> There could be some potential disadvantages:
>
> - The list of library versions may grow larger, making it harder to
>   detect orphaned or unused versions.

I was recently thinking about this, and I think this should be solvable by
introducing a boolean flag (auto-dependency?) to the package definition stating
whether the package was added intentionally, or just as an auto-imported
dependency.  The importer (when running as -r) would set it to #t for all except
the top-level package.

After that we could have a clean up script that would delete all packages that
have this flag set to #t and are not referenced from any packages that have the
flag set to #f.  That should ensure that the list of packages does get cleaned
up eventually.

>
> Additionally, I believe that a command to list the dependency tree of a
> package would be ideal for easier debugging.
>
> Regards!

W.

-- 
There are only two hard things in Computer Science: cache invalidation, naming
things and off-by-one errors.
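
The clean-up pass proposed in the reply above, modelled as an added example (not part of the original message and not Guix code). The `auto` flag stands in for the suggested auto-dependency field, the package graph is constructed sample data, and "referenced" is read transitively, which is an assumption; the direct-only reading is included to show what it would remove.

```python
from collections import deque

# Constructed sample graph. Package names, versions and the boolean
# "auto" flag (the proposed auto-dependency field) are hypothetical.
# name -> (auto flag, direct inputs)
PACKAGES = {
    "rust-analyzer":          (False, ["rust-serde-json-1.0.98"]),
    "rust-serde-json-1.0.98": (True,  ["rust-indexmap-2.0.0"]),
    "rust-indexmap-2.0.0":    (True,  []),
    "rust-serde-json-1.0.97": (True,  ["rust-indexmap-1.9.3"]),  # stale pin
    "rust-indexmap-1.9.3":    (True,  []),
    "rust-cyc-a-0.1.0":       (True,  ["rust-cyc-b-0.1.0"]),     # orphaned cycle
    "rust-cyc-b-0.1.0":       (True,  ["rust-cyc-a-0.1.0"]),
}


def sweep(packages):
    """Mark everything reachable from intentionally added packages.

    Returns (orphans, dangling): auto packages that nothing intentional
    needs, and (package, input) edges pointing at undefined packages.
    """
    roots = [name for name, (auto, _) in packages.items() if not auto]
    live, queue, dangling = set(roots), deque(roots), set()
    while queue:
        name = queue.popleft()
        for dep in packages[name][1]:
            if dep not in packages:
                dangling.add((name, dep))   # report, never silently drop
            elif dep not in live:
                live.add(dep)
                queue.append(dep)
    return sorted(set(packages) - live), sorted(dangling)


def direct_only_orphans(packages):
    """Literal reading: keep an auto package only when a non-auto
    package lists it directly. Shown for contrast with sweep()."""
    kept = {dep for auto, deps in packages.values() if not auto for dep in deps}
    return sorted(name for name, (auto, _) in packages.items()
                  if auto and name not in kept)
```

Reachability removes the orphaned cycle that reference counting would keep alive, while the direct-only rule would also delete `rust-indexmap-2.0.0`, which `rust-analyzer` still needs through `rust-serde-json-1.0.98`.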