
Re: Pinned/fixed versions should be a requirement.


From: Distopico
Subject: Re: Pinned/fixed versions should be a requirement.
Date: Sat, 09 Sep 2023 20:37:37 -0500

On 2023-09-10, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

Hi Liliana,

>> This is problematic because:
>> 
>>     - Over time, it becomes more vulnerable to libraries/packages
>>       breaking.
>> 
>>     - It makes reproducible software more challenging, as "1.x" can
>>       encompass many versions.
>> 
>>     - Debugging becomes difficult since that package could be a deep
>>       dependency in the system package dependency chain, such as
>>       Rust/Haskell/NPM, etc.
>> 
>>     - It makes it more likely that if a dependency changes, many
>>       packages will need to be updated/rebuilt due to that change.
>> 
>> For these reasons, I believe that pinned versions should be a
>> requirement in libraries, always specifying the exact dependency, for
>> example, `rust-serde-json-1.0.98`.
> This goes contrary to even Rust's development model that only forces
> lock files onto applications and not libraries.  Now, you make a good
> point in that pinned versions save us some trouble, but they can also
> cause trouble on their own.  Rust dependencies are basically glorified
> propagated-inputs, but with none of the `guix graph' support, so
> they're both incredibly hard to detect with our current tooling *and*
> they allow for two pinned versions X and Y to cause a potential
> conflict.  Indeed a recipe for fun times :)
>
> I think we need to actually capture these links so that we can more
> easily detect potentially critical changes to the rust ecosystem and
> stick to our tried and tested recipe of "only touch these ones on
> feature branches, mkay?".  Do you know what goes into serde?  I know I
> don't.  On that note, does anyone have an ETA for antioxidant?
>
> Cheers
>
> PS: Also consider that software written in Rust may contain bugs that
> we need to patch out.  Upgrading a package that adheres to SemVer as it
> ought to according to Rust standards is already non-trivial enough.
> Now try that along with writing a sed script to replace it in every
> input.  Quickly gets very annoying.

Beyond Rust, an example of a language/package ecosystem that does not
follow semantic versioning at all is JavaScript/npm. Most packages in
node-xyz[1] do not reference a version; they simply use the global
input. For now, the number of npm/node packages is small, but with time,
that could become a problem.

Footnotes:
[1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/node-xyz.scm#n193
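The two risks raised in this thread, that an unpinned "1.x"-style input can resolve to many different releases, and that two libraries pinning different versions of the same crate can both propagate into one application, can be checked mechanically over a dependency graph. The following is an added example written for this page, not Guix tooling and not the `guix graph` command discussed above; it models packages as a small standalone graph (the `Package` class, the crate names and the version numbers are all constructed for illustration) and reports which crates reach the closure at more than one version, together with the paths that bring them in.

```python
"""Detect conflicting pinned versions in a propagated-input closure.

Added example, not part of Guix. Models Guix-style packages as a tiny
in-memory graph and reports crates that are reached at two different
versions, the conflict the discussion above warns about.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def parse_version(v):
    """'1.0.98' -> (1, 0, 98), so versions compare numerically, not as text."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Package:
    name: str                                     # e.g. "rust-serde-json"
    version: str                                  # pinned version, e.g. "1.0.98"
    inputs: tuple = field(default_factory=tuple)  # propagated inputs (Package objects)


def closure(root):
    """Every package reachable from root, each (name, version) visited once."""
    seen, stack, out = set(), [root], []
    while stack:
        pkg = stack.pop()
        key = (pkg.name, pkg.version)
        if key in seen:
            continue
        seen.add(key)
        out.append(pkg)
        stack.extend(pkg.inputs)
    return out


def find_pin_conflicts(root):
    """Map crate name -> versions (ascending) for every crate that appears in
    root's closure at more than one version. An empty dict means no conflict."""
    versions = defaultdict(set)
    for pkg in closure(root):
        versions[pkg.name].add(pkg.version)
    return {name: sorted(vs, key=parse_version)
            for name, vs in versions.items() if len(vs) > 1}


def conflict_paths(root, crate):
    """Dependency paths from root to each occurrence of crate, as lists of
    'name@version' strings, so a conflict can be traced to the inputs that
    pull it in. Inputs are immutable tuples, so the graph cannot be cyclic."""
    paths = []

    def walk(pkg, path):
        path = path + [f"{pkg.name}@{pkg.version}"]
        if pkg.name == crate:
            paths.append(path)
        for dep in pkg.inputs:
            walk(dep, path)

    walk(root, [])
    return paths


def caret_matches(spec, candidates):
    """Releases a Cargo-style caret requirement '^MAJOR.MINOR.PATCH' accepts:
    >= spec and < next major. Assumes MAJOR >= 1 (Cargo treats 0.x ranges
    differently). Shows how one unpinned input can resolve to many releases."""
    lo = parse_version(spec.lstrip("^"))
    if lo[0] < 1:
        raise ValueError("0.x caret ranges are not modelled here")
    hi = (lo[0] + 1,)
    return sorted((c for c in candidates if lo <= parse_version(c) < hi),
                  key=parse_version)


# Constructed sample graph: two libraries pin different serde-json releases
# and both propagate into the same application.
SERDE_JSON_98 = Package("rust-serde-json", "1.0.98")
SERDE_JSON_105 = Package("rust-serde-json", "1.0.105")
LIB_A = Package("rust-lib-a", "0.3.1", (SERDE_JSON_98,))
LIB_B = Package("rust-lib-b", "2.0.0", (SERDE_JSON_105,))
APP = Package("example-app", "1.0.0", (LIB_A, LIB_B))

if __name__ == "__main__":
    for crate, versions in find_pin_conflicts(APP).items():
        print(f"{crate}: {', '.join(versions)}")
        for path in conflict_paths(APP, crate):
            print("  " + " -> ".join(path))
    print(caret_matches("^1.0.98", ["1.0.97", "1.0.98", "1.0.105", "1.2.0", "2.0.0"]))
```

Run against the constructed graph, `find_pin_conflicts` flags `rust-serde-json` at both 1.0.98 and 1.0.105 and `conflict_paths` shows that `rust-lib-a` and `rust-lib-b` are the inputs responsible; the same walk over a real package closure is the check a packager would want before an upgrade lands on a feature branch.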
