From: Distopico <distopico@riseup.net>
To: guix-devel@gnu.org
Subject: Pinned/fixed versions should be a requirement.
Date: Mon, 04 Sep 2023 21:59:47 -0500
Message-ID: <87h6o9pbbv.fsf@riseup.net>
List-Id: guix-devel ("Development of GNU Guix and the GNU System distribution.")

In my experience using Guix and attempting to make contributions, I've noticed that the vast majority of times when a library breaks, it's because one of its dependencies changed version. For instance, referencing something like `rust-my-lib-1`, where "1" refers to the semver "1.x" of the package, e.g., "1.0.32", and `rust-foo` depends on `rust-my-lib == 1.0.32`. However, if some other package gets it updated to "1.0.34", `rust-foo` will break.
I've seen this happen a lot with Haskell and Rust libraries. Many libraries in different languages don't follow semver, which can lead to cases like `rust-serde-json`, which, between versions "1.0.97" and "1.0.98", changed its dependency from `indexmap` "1.x" to "2.x", causing several packages like rust-analyzer to break. I've also observed this in Haskell with packages like "text".

This is problematic because:

- Over time, it becomes more vulnerable to libraries/packages breaking.
- It makes reproducible software more challenging, as "1.x" can encompass many versions.
- Debugging becomes difficult since that package could be a deep dependency in the system package dependency chain, such as Rust/Haskell/NPM, etc.
- It makes it more likely that if a dependency changes, many packages will need to be updated/rebuilt due to that change.

For these reasons, I believe that pinned versions should be a requirement in libraries, always specifying the exact dependency, for example, `rust-serde-json-1.0.98`. This brings the following benefits:

- Fewer packages will be prone to rebuilding when changing the definition of a library.
- Reduced likelihood of libraries/packages breaking.
- Easier maintenance of packages and libraries without fear of breaking others or having to update many.

There could be some potential disadvantages:

- The list of library versions may grow larger, making it harder to detect orphaned or unused versions.

Additionally, I believe that a command to list the dependency tree of a package would be ideal for easier debugging.

Regards!
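The two things the message asks for, a dependency-tree listing and a way to see the blast radius of bumping a shared dependency, can be demonstrated on a toy package catalog. The script below is an added example written for this archive page; it is not part of the original message and not Guix code. It models the `rust-my-lib-1` versus `rust-my-lib-1.0.32` distinction with a constructed catalog that mirrors the serde_json/indexmap case described above: a major-only reference such as `rust-serde-json-1` is resolved to the newest matching version in the catalog (an assumption standing in for "someone bumped the shared variable"), while an exact reference resolves only to that version. Package names, versions and edges are illustrative, not a real Guix package set, and the resolution rule is a simplification of how Guix actually binds a package variable.

```python
"""Toy dependency-graph walker for the pinning question in the message above.

Added example, not Guix code.  A catalog maps package name -> version ->
list of dependency references written Guix-variable style:
  "rust-indexmap-1"      major-only: resolves to the newest 1.x in the catalog
  "rust-indexmap-1.9.3"  exact pin: resolves to that version only
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Catalog = Dict[str, Dict[str, List[str]]]
Pkg = Tuple[str, str]  # (name, version)

# Constructed sample data modelled on the serde_json/indexmap case; not real.
CATALOG: Catalog = {
    "rust-indexmap": {"1.9.3": [], "2.0.0": []},
    "rust-serde-json": {
        "1.0.97": ["rust-indexmap-1"],   # 1.0.97 still used indexmap 1.x
        "1.0.98": ["rust-indexmap-2"],   # 1.0.98 moved to indexmap 2.x
    },
    "rust-analyzer": {"0.0.1": ["rust-serde-json-1"]},      # major-only ref
    "rust-foo": {"0.1.0": ["rust-serde-json-1.0.97"]},      # exact pin
}

# name is everything before the final "-<digits[.digits...]>" suffix
_REF = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)$")


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def candidates(ref: str, catalog: Catalog) -> List[str]:
    """All catalog versions a reference could mean, newest first."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"malformed reference: {ref!r}")
    name, prefix = m.group("name"), m.group("ver")
    hits = [v for v in catalog.get(name, {})
            if v == prefix or v.startswith(prefix + ".")]
    return sorted(hits, key=_vtuple, reverse=True)


def resolve(ref: str, catalog: Catalog) -> Pkg:
    """Newest matching version: models the shared variable having been bumped."""
    hits = candidates(ref, catalog)
    if not hits:
        raise KeyError(f"unresolvable reference: {ref!r}")
    return (_REF.match(ref).group("name"), hits[0])


def dependency_tree(pkg: Pkg, catalog: Catalog, depth: int = 0,
                    seen: Optional[Set[Pkg]] = None) -> List[str]:
    """Indented transitive dependency listing; repeated subtrees shown once."""
    seen = set() if seen is None else seen
    name, version = pkg
    line = "  " * depth + f"{name} {version}"
    if pkg in seen:
        return [line + " (already shown)"]
    seen.add(pkg)
    lines = [line]
    for ref in catalog[name][version]:
        lines += dependency_tree(resolve(ref, catalog), catalog, depth + 1, seen)
    return lines


def _closure(pkg: Pkg, catalog: Catalog) -> Set[Pkg]:
    """Resolved transitive dependency set of pkg, including pkg itself."""
    stack, seen = [pkg], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        name, version = cur
        stack.extend(resolve(r, catalog) for r in catalog[name][version])
    return seen


def rebuild_set(target: Pkg, catalog: Catalog) -> Set[Pkg]:
    """Every package that would be rebuilt if `target` changed (blast radius)."""
    return {(n, v) for n, vs in catalog.items() for v in vs
            if (n, v) != target and target in _closure((n, v), catalog)}


def ambiguous_references(catalog: Catalog) -> Dict[str, List[str]]:
    """References that more than one catalog version satisfies (not reproducible)."""
    found: Dict[str, List[str]] = {}
    for versions in catalog.values():
        for refs in versions.values():
            for ref in refs:
                hits = candidates(ref, catalog)
                if len(hits) > 1:
                    found[ref] = hits
    return found


if __name__ == "__main__":
    for root in (("rust-analyzer", "0.0.1"), ("rust-foo", "0.1.0")):
        print("\n".join(dependency_tree(root, CATALOG)))
    print("rebuild if rust-indexmap 1.9.3 changes:",
          sorted(rebuild_set(("rust-indexmap", "1.9.3"), CATALOG)))
    print("ambiguous references:", ambiguous_references(CATALOG))
```

Run stand-alone, the tree for rust-analyzer resolves `rust-serde-json-1` to 1.0.98 and therefore pulls indexmap 2.0.0, while rust-foo's exact pin keeps 1.0.97 and indexmap 1.9.3; `ambiguous_references` flags only the major-only reference, and `rebuild_set` shows that a change to one indexmap version touches exactly the packages whose resolved closure contains it, which is the rebuild-cost argument made in the message.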