Re: Pinned/fixed versions should be a requirement.

[Distopico <distopico@riseup.net>]

On 2023-09-10, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

Hi Liliana,

>> This is problematic because:
>> 
>>     - Over time, it becomes more vulnerable to libraries/packages
>>       breaking.
>> 
>>     - It makes reproducible software more challenging, as "1.x" can
>>       encompass many versions.
>> 
>>     - Debugging becomes difficult since that package could be a deep
>>       dependency in the system package dependency chain, such as
>>       Rust/Haskell/NPM, etc.
>> 
>>     - It makes it more likely that if a dependency changes, many
>>       packages will need to be updated/rebuilt due to that change.
>> 
>> For these reasons, I believe that pinned versions should be a
>> requirement in libraries, always specifying the exact dependency, for
>> example, `rust-serde-json-1.0.98`.
> This goes contrary to even rust's development model that only forces
> lock files onto applications and not libraries.  Now, you make a good
> point in that pinned versions save us some trouble, but they can also
> trouble on their own.  Rust dependencies are basically glorified
> propagated-inputs, but with none of the `guix graph' support, so
> they're both incredibly hard to detect with our current tooling *and*
> they allow for two pinned versions X and Y to cause a potential
> conflict.  Indeed a recipe for fun times :)
>
> I think we need to actually capture these links so that we can more
> easily detect potentially critical changes to the rust ecosystem and
> stick to our tried and tested recipe of "only touch these ones on
> feature branches, mkay?".  Do you know what goes into serde?  I know I
> don't.  On that note, does anyone have an ETA for antioxidant?
>
> Cheers
>
> PS: Also consider that software written in Rust may contain bugs that
> we need to patch out.  Upgrading a package that adheres to SemVer as it
> ought to according to Rust standards is already non-trivial enough. 
> Now try that along with writing a sed script to replace it in every
> input.  Quickly gets very annoying.

Beyond Rust, an example of a language/packages ecosystem that does not
follow semantic versioning at all is JavaScript/Npm. Most packages in
node-xyz[1] do not reference a version; they simply use the global
input. For now, the number of npm/node packages is small, but with time,
that could become a problem.

Footnotes:
[1]  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/node-xyz.scm#n193