Re: Pinned/fixed versions should be a requirement.


From: Liliana Marie Prikler
Subject: Re: Pinned/fixed versions should be a requirement.
Date: Sun, 10 Sep 2023 01:30:12 +0200
User-agent: Evolution 3.46.4

In this thread: Rust has a broken packaging model, so let's apply that.

On Monday, 04.09.2023 at 21:59 -0500, Distopico wrote:
> Many libraries in different languages don't follow semver, which can
> lead to cases like `rust-serde-json`, which, between versions
> "1.0.97" and "1.0.98," changed its dependency from `indexmap` "1.x"
> to "2.x," causing several packages like rust-analyzer to break. I've
> also observed this in Haskell with packages like "text."
The thing here is that cargo itself also relies on semantic
versioning.  In fact, I am befuzzled as to why a dependency on
"indexmap" should affect serde-json's public API, and probably so were
the serde folks.  Then again, coming from the GNOME world, libsoup3
wasn't really a silent bomb either.

Btw. note to everyone reading this thread, if you ever consider
updating serde: skip versions [1.0.172, 1.0.185).  Thanks :)

> This is problematic because:
> 
>     - Over time, it becomes more vulnerable to libraries/packages
>       breaking.
> 
>     - It makes reproducible software more challenging, as "1.x" can
>       encompass many versions.
> 
>     - Debugging becomes difficult since that package could be a deep
>       dependency in the system package dependency chain, such as
>       Rust/Haskell/NPM, etc.
> 
>     - It makes it more likely that if a dependency changes, many
>       packages will need to be updated/rebuilt due to that change.
> 
> For these reasons, I believe that pinned versions should be a
> requirement in libraries, always specifying the exact dependency, for
> example, `rust-serde-json-1.0.98`.
This goes contrary to even Rust's development model, which only forces
lock files onto applications and not libraries.  Now, you make a good
point in that pinned versions save us some trouble, but they can also
cause trouble on their own.  Rust dependencies are basically glorified
propagated-inputs, but with none of the `guix graph' support, so
they're both incredibly hard to detect with our current tooling *and*
they allow for two pinned versions X and Y to cause a potential
conflict.  Indeed a recipe for fun times :)

I think we need to actually capture these links so that we can more
easily detect potentially critical changes to the rust ecosystem and
stick to our tried and tested recipe of "only touch these ones on
feature branches, mkay?".  Do you know what goes into serde?  I know I
don't.  On that note, does anyone have an ETA for antioxidant?

Cheers

PS: Also consider that software written in Rust may contain bugs that
we need to patch out.  Upgrading a package that adheres to SemVer as it
ought to according to Rust standards is already non-trivial enough. 
Now try that along with writing a sed script to replace it in every
input.  Quickly gets very annoying.
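The two mechanics argued about above, Cargo's caret (semver) compatibility rule and the conflicts that pinned, propagated dependencies can produce, as an added example that is not part of the thread. The dependency graph is constructed for illustration: the serde_json 1.0.97/1.0.98 and indexmap 1.x/2.x pair follows the thread, but the exact indexmap versions, the rust-analyzer version and the lsp-types crate are hypothetical.

```python
from typing import Dict, List, Set, Tuple

def parse(version: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in version.split("."))

def caret_compatible(req: str, candidate: str) -> bool:
    """Cargo's default '^' rule: leftmost non-zero component of req must not change."""
    r, c = parse(req), parse(candidate)
    if c < r:
        return False
    for i, component in enumerate(r):
        if component != 0:
            return c[: i + 1] == r[: i + 1]
    return c == r  # all-zero requirement: only itself, for simplicity

# Constructed graph (not real Cargo.lock data): crate -> the crates it pins.
# serde_json/indexmap mirrors the thread; indexmap versions and the other
# crates (rust-analyzer version, lsp-types) are hypothetical.
GRAPH: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("rust-analyzer", "0.0.1"): [("serde_json", "1.0.98"), ("lsp-types", "0.94.0")],
    ("serde_json", "1.0.97"): [("indexmap", "1.9.3")],
    ("serde_json", "1.0.98"): [("indexmap", "2.0.0")],
    ("lsp-types", "0.94.0"): [("indexmap", "1.9.3")],
    ("indexmap", "1.9.3"): [],
    ("indexmap", "2.0.0"): [],
}

def reachable_versions(graph, root) -> Dict[str, Set[str]]:
    """name -> every pinned version reached transitively from root."""
    seen, stack, versions = set(), [root], {}
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        versions.setdefault(node[0], set()).add(node[1])
        stack.extend(graph.get(node, []))
    return versions

def pinned_conflicts(graph, root) -> Dict[str, List[str]]:
    """Crates that reach root under two or more different pinned versions."""
    return {name: sorted(vs, key=parse)
            for name, vs in reachable_versions(graph, root).items() if len(vs) > 1}

def hidden_incompatible_bumps(graph, old, new) -> Dict[str, Tuple[str, str]]:
    """Pinned deps that left caret range between two releases of one crate."""
    before, after = dict(graph.get(old, [])), dict(graph.get(new, []))
    return {d: (before[d], after[d]) for d in before
            if d in after and not caret_compatible(before[d], after[d])}
```

`hidden_incompatible_bumps` is the check that would have flagged the serde_json 1.0.97 to 1.0.98 update as risky despite its patch-level version bump, and `pinned_conflicts` shows how two pinned versions of one crate end up in the same closure.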
