On Mon, Feb 17, 2020 at 03:35:20PM +0100, Ludovic Courtès wrote: > Hi Martin & Efraim, > > Thinking more about it, I’m not sure I fully understand why we need to > pay attention to semver here: > > Martin Becze skribis: > > > +(define* (crate->guix-package crate-name #:key version #:allow-other-keys) > > "Fetch the metadata for CRATE-NAME from crates.io, and return the > > `package' s-expression corresponding to that package, or #f on failure. > > When VERSION is specified, attempt to fetch that version; otherwise fetch the > > latest version of CRATE-NAME." > > > > + (define (semver-range-contains-string? range version) > > + (semver-range-contains? (string->semver-range range) > > + (string->semver version))) > > + > > (define (normal-dependency? dependency) > > - (eq? (crate-dependency-kind dependency) 'normal)) > > + (or (eq? (crate-dependency-kind dependency) 'build) > > + (eq? (crate-dependency-kind dependency) 'normal))) > > > > (define crate > > (lookup-crate crate-name)) 
> > @@ -204,21 +218,36 @@ latest version of CRATE-NAME." > > (or version > > (crate-latest-version crate))) > > > > - (define version* > > + (define (find-version crate range) > > + "finds the a vesion of a crate that fulfils the semver " > > (find (lambda (version) > > - (string=? (crate-version-number version) > > - version-number)) > > + (semver-range-contains-string? > > + range > > + (crate-version-number version))) > > (crate-versions crate))) > > The reason I wonder is that the HTTP API gives us rather precise > dependency requirements: > > --8<---------------cut here---------------start------------->8--- > scheme@(guix import crate)> (crate-version-dependencies (car (crate-versions (lookup-crate "blake2-rfc")))) > $8 = (#< id: "arrayvec" kind: normal requirement: "^0.4.6"> #< id: "constant_time_eq" kind: normal requirement: "^0.1.0"> #< id: "data-encoding" kind: dev requirement: "^2.0.0"> #< id: "clippy" kind: normal requirement: "^0.0.41">) > --8<---------------cut here---------------end--------------->8--- > > In the example above, the importer could “just” fetch version 0.4.6 of > arrayvec, version 0.1.0 of constant_time_eq, etc., no? > > It’s an approximation because the caret (^) means more than just this, > but hopefully it’s a good approximation. > > Am I missing something? > > Ludo’. Here we're looking at a minimum of 0.4.6 for arrayvec. According to here¹ we'd really want to import 0.4.12, which is the latest 0.4.x release. ¹ https://crates.io/crates/arrayvec/versions -- Efraim Flashner אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
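Review bot: in the first hunk, `normal-dependency?` now also returns true for dependencies whose kind is 'build, so the predicate's name no longer says what it tests. Rename it (for example to something that covers both kinds) or add a comment explaining why build dependencies are treated as normal ones. The new helper `semver-range-contains-string?` has no docstring and hands RANGE and VERSION straight to `string->semver-range` and `string->semver`; please document what happens when a requirement string returned by crates.io does not parse.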
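Review bot: in the hunk at @@ -204,21 +218,36 @@, the docstring of `find-version` ("finds the a vesion of a crate that fulfils the semver ") is misspelled and stops mid-sentence; suggest something like "Return the version of CRATE that satisfies the semver RANGE, or #f if there is none." More importantly, `find` returns the first element of `(crate-versions crate)` that satisfies RANGE, so the version picked depends on the order of that list, and nothing in the hunk shows that it is sorted newest first. Either state that ordering assumption in the docstring or select the highest matching version explicitly, and make sure callers handle the #f that `find` returns when no version matches.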
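Added example, not part of the original messages and not Guix or guile-semver code: a Python sketch of the caret rule discussed above. It shows why "^0.4.6" admits 0.4.12 but not 0.5.x, and how list-order selection differs from picking the highest match. The function names and the version list are constructed for illustration; pre-release and build-tagged versions are simply skipped.

```python
import re

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch), or None for pre-release/build-tagged strings."""
    m = _VERSION.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def caret_bounds(requirement):
    """Expand a Cargo caret requirement into a half-open [lower, upper) interval."""
    parts = [int(p) for p in requirement.lstrip("^").split(".")]
    lower = tuple(parts + [0] * (3 - len(parts)))
    # The leftmost non-zero component may not change; if every given
    # component is zero, the last one given is the one that is bumped.
    pivot = next((i for i, p in enumerate(parts) if p), len(parts) - 1)
    upper = list(lower[:pivot + 1]) + [0] * (2 - pivot)
    upper[pivot] += 1
    return lower, tuple(upper)

def satisfies(version, requirement):
    """True when VERSION parses and lies inside the caret interval."""
    parsed = parse_version(version)
    lower, upper = caret_bounds(requirement)
    return parsed is not None and lower <= parsed < upper

def first_match(versions, requirement):
    """List-order selection: the first satisfying entry, whatever its rank."""
    return next((v for v in versions if satisfies(v, requirement)), None)

def highest_match(versions, requirement):
    """Numerically greatest satisfying version, independent of list order."""
    ok = [v for v in versions if satisfies(v, requirement)]
    return max(ok, key=parse_version) if ok else None

# Constructed version list, deliberately oldest-first and with a pre-release.
SAMPLE_VERSIONS = ["0.3.25", "0.4.5", "0.4.6", "0.4.11", "0.4.12",
                   "0.5.0-rc.1", "0.5.1"]

if __name__ == "__main__":
    for req in ("^0.4.6", "^0.1.0", "^0.0.41", "^2.0.0"):
        print(req, caret_bounds(req))
    print("first  :", first_match(SAMPLE_VERSIONS, "^0.4.6"))
    print("highest:", highest_match(SAMPLE_VERSIONS, "^0.4.6"))
```

Comparing parsed tuples matters here: as plain strings, "0.4.6" sorts above "0.4.12".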