From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id OJyAGY7w+WR+pQAAG6o9tA:P1 (envelope-from ) for ; Thu, 07 Sep 2023 17:47:26 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id OJyAGY7w+WR+pQAAG6o9tA (envelope-from ) for ; Thu, 07 Sep 2023 17:47:26 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 7DFED6D6B6 for ; Thu, 7 Sep 2023 17:47:25 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=riseup.net header.s=squak header.b=P2FveyCY; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=riseup.net ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1694101646; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=8JmXcpKWZ8tlHFnDFXmax65LNyvFfEVYSPiUx7pncsI=; b=cRwXNWVfxgHmj+UfNohA2kgdm/2MYnr5GkiojptQ9A6rKE/16VIZKkE6L4FHYljD0nrsbC q7NRMYxxTmY2KuyQSuXqQcWBohxDIh081yCrn3ZkV9v8Y0Q27L26XLyqGzDw0FNglkxGbQ Km6i3IPtC0c25Kaqo9UuQy1ww2S09icsgQxWlCghUn4GBFok2egG1nxxxkU8m9IDmRcawA R8KOj2237m3BZalw7WnNoGNEXzARGdI0AHW/7Wlbd/24ZMaHqulKDWFSSTlYu7lExnHNqk 2ZSdJ0hDp43c+cGUK7yKyxHbLtR+h/0Jg/MXIXw+bmK2giPvtQr5UNJMLz77/Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=riseup.net header.s=squak header.b=P2FveyCY; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=riseup.net ARC-Seal: i=1; s=key1; d=yhetil.org; t=1694101646; a=rsa-sha256; cv=none; b=dCsP0RUJoM6kpiHlpcoA2DX2jKitGTgCNM8YuQynyb5HWHJ5xQActx4ptUp8GmOQ7Lst1T j/EI/AscIXcAa5aySpr5/jxquzvjdn8+TfUxz3rET7NJGIzmWVQ1I/KcwJygC9UcztHaEv 2FNPXWdk2aC+dZr4w4b1ugO1LjDNhNxyoihdwufZ39q2Rz5jHQHvvGdzhLJoyoFGXBKb2F SXReSMzOoq4mqrAzVDYjHena36opeOojG9r801qBK7qM6xd/9rnwvzK9ptcw49HufFzNbP 0azZFKEtX3o6h3+KU7l0XQRFP+W1FurJRQzgOH7/ELf6CFulJfHIMVyW+vVbcg== Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qeHDQ-0007Bp-ES; Thu, 07 Sep 2023 11:46:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qeHDO-0007Bc-SG for guix-devel@gnu.org; Thu, 07 Sep 2023 11:46:43 -0400 Received: from mx0.riseup.net ([198.252.153.6]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qeHDK-00048C-SA for guix-devel@gnu.org; Thu, 07 Sep 2023 11:46:41 -0400 Received: from fews01-sea.riseup.net (fews01-sea-pn.riseup.net [10.0.1.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx0.riseup.net (Postfix) with ESMTPS id 4RhNrn1Wg3z9s1s; Thu, 7 Sep 2023 15:46:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1694101593; bh=866owtclAE9NKQL3WAm9pDIF7g2zyb7ZWRFi3YXOQ+o=; h=References:From:To:Cc:Subject:Date:In-reply-to:From; b=P2FveyCYaW4ahuXWzT54GXUwK1EoPNwsarQnZwaXnTcnDoRj3RjY23OKE280VcqXK eSbzS6vHu+jstDF5eOJVvVn2i1nLVIC7H5MViGCLBO/vcUI8vytdAPnv1DRhZqiq4y QeEw/418pE2QPIiBWBGeHW933QK547+MHZkLlbic= X-Riseup-User-ID: B98236F1A680B27CA2B1A6F275513078FF12C399AE4DD76D1B0D96615ADC1333 Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews01-sea.riseup.net (Postfix) with ESMTPSA id 4RhNrY3XnKzJntb; Thu, 7 Sep 2023 15:46:21 +0000 (UTC) References: <87h6o9pbbv.fsf@riseup.net> <87h6o6kvhe.fsf@gmail.com> From: Distopico To: Simon Tournier Cc: guix-devel@gnu.org Subject: Re: Pinned versions should be a requirement. Date: Thu, 07 Sep 2023 10:35:43 -0500 In-reply-to: <87h6o6kvhe.fsf@gmail.com> Message-ID: <87pm2ux9yt.fsf@riseup.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Received-SPF: pass client-ip=198.252.153.6; envelope-from=distopico@riseup.net; helo=mx0.riseup.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Queue-Id: 7DFED6D6B6 X-Migadu-Scanner: mx1.migadu.com X-Migadu-Spam-Score: -11.88 X-Spam-Score: -11.88 X-TUID: 1ZYjFGaiSGfB --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2023-09-07, Simon Tournier wrote: > Hi, > > On Mon, 04 Sep 2023 at 21:59, Distopico wrote: > >> In my experience using Guix and attempting to make contributions, I've >> noticed that the vast majority of times when a library breaks, it's >> because one of its dependencies changed version. > > That=E2=80=99s because contributor and/or reviewer are not running > > guix refresh -l foobar > > for checking that all the dependants of foobar still build. Well, there > is no easy solution, although QA is helping. Note that this points is > not listed in the long list of Katherine, > > Re: How can we decrease the cognitive overhead for contributors? > Katherine Cox-Buday > Wed, 30 Aug 2023 10:11:02 -0600 > id:e47299e8-43f8-aac8-61ba-420daeb88bdd@gmail.com > https://yhetil.org/guix/e47299e8-43f8-aac8-61ba-420daeb88bdd@gmai= l.com > https://lists.gnu.org/archive/html/guix-devel/2023-08 > > > >> For instance, >> referencing something like `rust-my-lib-1`, where "1" refers to the >> semver "1.x" of the package, e.g., "1.0.32", and `rust-foo` depends on >> `rust-my-lib =3D=3D 1.0.32`. However, in some other package got updated = to >> "1.0.34" so `rust-foo` will break. I've seen this happen a lot with >> Haskell and Rust libraries. > > Well, from my point of view, the issue depends on the upstream package > ecosystem. Considering Haskell, we follow LTS, currently > > ;; Latest LTS version compatible with current GHC. > (define %default-lts-version "20.5") > > from the module (guix import stackage). And note the lint checker, > =E2=80=9Cguix lint -l=E2=80=9D: > > - haskell-stackage: Ensure Haskell packages use Stackage LTS versions > > In terms of haskell I notice an incompetence of versions so even GHC are semver the required version was other and several packages are taking "text" internal GHC type and no the required package, you can see that in this patch https://issues.guix.gnu.org/64840 >> For these reasons, I believe that pinned versions should be a >> requirement in libraries, always specifying the exact dependency, for >> example, `rust-serde-json-1.0.98`. > > In the Subject: of the message, it reads pinned/fixed. The difference > is: > > + 'pinned': version that rarely changes > + 'fixed': mainly the ones with security fixes used as grafts > > as discussed in [1]. Maybe you already know, it is just in case or for > other potential readers. :-) > > For this case I'm referring mostly to pinned versions as requirement but for LTS packages fixed could good as well >> Additionally, I believe that a command to list the dependency tree of a >> package would be ideal for easier debugging. > > Do you mean =E2=80=9Cguix refresh -l=E2=80=9D? > > --8<---------------cut here---------------start------------->8--- > $ guix refresh -l gmsh > Building the following 3 packages would ensure 4 dependent packages are r= ebuilt: openfoam-com@2212 python-pygmsh@7.1.17 openfoam-org@10.20230119 > $ guix build $(guix refresh -l gmsh | cut -d':' -f2) > =E2=80=A6 build all packages impacted by a change in the package gmsh= =E2=80=A6 > --8<---------------cut here---------------end--------------->8--- > I'm referring to something more like `cargo tree --depth=3DN` or `cabal fre= eze` to see all the dependencias like =2D-8<---------------cut here---------------start------------->8--- my_package v0.1.0 (/gnu/rust.scm) =E2=94=94=E2=94=80=E2=94=80 rust-rand v0.7.3 =E2=94=9C=E2=94=80=E2=94=80 rust-getrandom v0.1.14 =E2=94=82 =E2=94=9C=E2=94=80=E2=94=80 rust-cfg-if v0.1.10 =E2=94=82 =E2=94=94=E2=94=80=E2=94=80 rust-libc v0.2.68 =E2=94=9C=E2=94=80=E2=94=80 rust-libc v0.2.68 (*) =E2=94=9C=E2=94=80=E2=94=80 rust-rand_chacha v0.2.2 =E2=94=82 =E2=94=9C=E2=94=80=E2=94=80 rust-ppv-lite86 v0.2.6 =E2=94=82 =E2=94=94=E2=94=80=E2=94=80 rust-rand-core v0.5.1 =E2=94=82 =E2=94=94=E2=94=80=E2=94=80 rust-libc v0.1.14 (*) ---->= > We can detect this! =E2=94=94=E2=94=80=E2=94=80 rust-rand-core v0.5.1 (*) [native-inputs] =E2=94=94=E2=94=80=E2=94=80 cc v1.0.50 =2D-8<---------------cut here---------------end--------------->8--- --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQFJBAEBCAAzFiEEvYwofabWO6y953lVmAk6gHJUa/MFAmT58EoVHGRpc3RvcGlj b0ByaXNldXAubmV0AAoJEJgJOoByVGvzfdQH/3xa2ZmbTTOP0tQealVeMNyHA++k whVVUkXlbsg7ZpLuWJ+iQapM6Rf34Be5edCGbDt6Xezb7p+tg09q/MI7htvCw7Tf wjfo+/Qo7BzDqFYN0cdDcDxxYhnmK4ww1rmOxsJ3jxDIcxjtTPAq7qK4tNyF6ApH 9jEWbqBVMiK6tGH2Dx+fjk4Z0kONCXvS6cRQYgAmkK7+noxoG+Ekuh5Opq+24mWz AqdJfrj4Jo0gXgQt7jzUPaSz5Yh994pfdXibCks1AHeJKzsX/9DlY2PlkMAa8ors RRWc4cAu8OwQwcoAZYqauKGLB/9v8a2HnpeZXKSabQmM3R5kHSzXIUecmKw= =M8Gh -----END PGP SIGNATURE----- --=-=-=--