From: Distopico
To: Liliana Marie Prikler
Cc: guix-devel@gnu.org
Subject: Re: Pinned/fixed versions should be a requirement.
Date: Sat, 09 Sep 2023 20:37:37 -0500
Message-ID: <87bkea23ya.fsf@riseup.net>
In-reply-to: <4f054d0dc06d72d3e3c3d8cf368aa46ea7417552.camel@gmail.com>
References: <87h6o9pbbv.fsf@riseup.net> <4f054d0dc06d72d3e3c3d8cf368aa46ea7417552.camel@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

On 2023-09-10, Liliana Marie Prikler wrote:

Hi Liliana,

>> This is problematic because:
>>
>>     - Over time, it becomes more vulnerable to libraries/packages
>>       breaking.
>>
>>     - It makes reproducible software more challenging, as "1.x" can
>>       encompass many versions.
>>
>>     - Debugging becomes difficult since that package could be a deep
>>       dependency in the system package dependency chain, such as
>>       Rust/Haskell/NPM, etc.
>>
>>     - It makes it more likely that if a dependency changes, many
>>       packages will need to be updated/rebuilt due to that change.
>>
>> For these reasons, I believe that pinned versions should be a
>> requirement in libraries, always specifying the exact dependency, for
>> example, `rust-serde-json-1.0.98`.
> This goes contrary to even rust's development model that only forces
> lock files onto applications and not libraries. Now, you make a good
> point in that pinned versions save us some trouble, but they can also
> trouble on their own. Rust dependencies are basically glorified
> propagated-inputs, but with none of the `guix graph' support, so
> they're both incredibly hard to detect with our current tooling *and*
> they allow for two pinned versions X and Y to cause a potential
> conflict. Indeed a recipe for fun times :)
>
> I think we need to actually capture these links so that we can more
> easily detect potentially critical changes to the rust ecosystem and
> stick to our tried and tested recipe of "only touch these ones on
> feature branches, mkay?". Do you know what goes into serde? I know I
> don't. On that note, does anyone have an ETA for antioxidant?
>
> Cheers
>
> PS: Also consider that software written in Rust may contain bugs that
> we need to patch out. Upgrading a package that adheres to SemVer as it
> ought to according to Rust standards is already non-trivial enough.
> Now try that along with writing a sed script to replace it in every
> input. Quickly gets very annoying.

Beyond Rust, an example of a language/packages ecosystem that does not follow semantic versioning at all is JavaScript/Npm. Most packages in node-xyz[1] do not reference a version; they simply use the global input. For now, the number of npm/node packages is small, but with time, that could become a problem.

Footnotes:
[1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/node-xyz.scm#n193
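
Added example, not part of the original message and not Guix code: a small Python check of the two failure modes argued in this thread, namely exact pins in two libraries leaving no common version of a shared dependency, and a "1.x"-style range admitting several. The library names lib-a and lib-b and the list of available versions are constructed (only 1.0.98 appears in the message), and the range rule assumed is Cargo's caret semantics.

```python
# Added example; package names and the version list are constructed.

def parse(version):
    """'1.0.98' -> (1, 0, 98); only full MAJOR.MINOR.PATCH is handled."""
    return tuple(int(part) for part in version.split("."))

def caret_upper(base):
    """Exclusive upper bound of a Cargo-style caret range."""
    major, minor, patch = base
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)

def satisfies(version, req):
    """req is '=X.Y.Z' (exact pin) or '^X.Y.Z' (semver-compatible range)."""
    v = parse(version)
    if req.startswith("="):
        return v == parse(req[1:])
    if not req.startswith("^"):
        raise ValueError(f"unsupported requirement: {req!r}")
    base = parse(req[1:])
    return base <= v < caret_upper(base)

def candidates(requirements, available):
    """Versions of one shared dependency accepted by every dependent."""
    return [v for v in sorted(available, key=parse)
            if all(satisfies(v, r) for r in requirements.values())]

# Constructed inputs: two libraries depending on the same crate.
AVAILABLE = ["1.0.96", "1.0.98", "1.0.105"]
PINNED = {"lib-a": "=1.0.98", "lib-b": "=1.0.96"}
RANGED = {"lib-a": "^1.0.98", "lib-b": "^1.0.96"}

if __name__ == "__main__":
    for label, reqs in (("pinned", PINNED), ("ranged", RANGED)):
        found = candidates(reqs, AVAILABLE)
        if not found:
            print(f"{label}: conflict, no single version fits {reqs}")
        elif len(found) > 1:
            print(f"{label}: ambiguous without a lock file: {found}")
        else:
            print(f"{label}: unique choice {found[0]}")
```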