On 2023-09-10, Liliana Marie Prikler <liliana.prik...@gmail.com> wrote:
Hi Liliana,

>> This is problematic because:
>>
>> - Over time, it becomes more vulnerable to libraries/packages
>> breaking.
>>
>> - It makes reproducible software more challenging, as "1.x" can
>> encompass many versions.
>>
>> - Debugging becomes difficult since that package could be a deep
>> dependency in the system package dependency chain, such as
>> Rust/Haskell/NPM, etc.
>>
>> - It makes it more likely that if a dependency changes, many
>> packages will need to be updated/rebuilt due to that change.
>>
>> For these reasons, I believe that pinned versions should be a
>> requirement in libraries, always specifying the exact dependency, for
>> example, `rust-serde-json-1.0.98`.
> This goes contrary to even rust's development model that only forces
> lock files onto applications and not libraries. Now, you make a good
> point in that pinned versions save us some trouble, but they can also
> trouble on their own. Rust dependencies are basically glorified
> propagated-inputs, but with none of the `guix graph' support, so
> they're both incredibly hard to detect with our current tooling *and*
> they allow for two pinned versions X and Y to cause a potential
> conflict. Indeed a recipe for fun times :)
>
> I think we need to actually capture these links so that we can more
> easily detect potentially critical changes to the rust ecosystem and
> stick to our tried and tested recipe of "only touch these ones on
> feature branches, mkay?". Do you know what goes into serde? I know I
> don't. On that note, does anyone have an ETA for antioxidant?
>
> Cheers
>
> PS: Also consider that software written in Rust may contain bugs that
> we need to patch out. Upgrading a package that adheres to SemVer as it
> ought to according to Rust standards is already non-trivial enough.
> Now try that along with writing a sed script to replace it in every
> input. Quickly gets very annoying.
Beyond Rust, an example of a language/package ecosystem that does not follow semantic versioning at all is JavaScript/Npm. Most packages in node-xyz[1] do not reference a version; they simply use the global input. For now, the number of npm/node packages is small, but with time, that could become a problem.

Footnotes:

[1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/node-xyz.scm#n193
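As an added example, not code from this thread or from the Guix project, the conflict Liliana describes above (two packages pinning different exact versions of one crate, which Cargo must unify because both pins fall in the same SemVer-compatible range) can be detected mechanically once the dependency links are captured. The script below implements a small subset of Cargo's requirement syntax (`=` exact pins, caret/bare requirements, and `1.x`/`1.*` wildcards), groups requirements by SemVer-compatibility class the way Cargo's resolver does, picks the newest version that satisfies every requirement in a class, and reports any class with no common version. All package names, requirement strings and available versions are constructed sample data, not real Guix inputs.

```python
"""Detect pinned-version conflicts in a crate dependency graph.

Added example, not code from the Guix project or the thread's authors.
Models Cargo's unification rule: requirements on one crate that are
SemVer-compatible must resolve to a single version; incompatible ones
(e.g. 0.9.x vs 1.x) get separate copies.  Only a subset of Cargo's
requirement syntax is supported (no '>=', '<', '~', pre-release tags).
"""
from collections import defaultdict

# Constructed sample graph: package -> {crate: requirement}.
# 'app' and 'rust-foo' pin different exact serde_json versions.
GRAPH = {
    "app":         {"serde_json": "=1.0.98",  "serde": "1.0.160"},
    "rust-foo":    {"serde_json": "=1.0.107", "serde": "^1.0.150"},
    "rust-bar":    {"serde": "1.0.188"},
    "rust-legacy": {"serde": "0.9.15"},
}

# Constructed sample registry: crate -> versions available to the resolver.
AVAILABLE = {
    "serde_json": ["1.0.98", "1.0.105", "1.0.107"],
    "serde":      ["0.9.15", "1.0.160", "1.0.188", "1.0.190"],
}


def parse_version(text):
    """'1.0.98' -> (1, 0, 98); keeps however many components were given."""
    return tuple(int(p) for p in text.split("."))


def pad(version):
    """Right-pad a version tuple with zeros to three components."""
    return version + (0,) * (3 - len(version))


def compat_key(version):
    """SemVer compatibility class as Cargo sees it.

    >=1.0.0: same major.  0.y.z: same minor.  0.0.z: same patch.
    Two versions with equal keys must be unified; different keys may coexist.
    """
    major, minor, patch = pad(version)
    if major > 0:
        return (major,)
    if minor > 0:
        return (0, minor)
    return (0, 0, patch)


def req_base(req):
    """Lowest version a requirement could accept, as a padded tuple."""
    base = req.lstrip("=^")
    if base.endswith((".x", ".*")):
        base = base[:-2]
    return pad(parse_version(base))


def satisfies(req, version):
    """Does `version` satisfy the Cargo-style requirement `req`?"""
    ver = pad(parse_version(version))
    if req.startswith("="):                       # exact pin
        return ver == pad(parse_version(req[1:]))
    base = req.lstrip("^")
    if base.endswith((".x", ".*")):               # wildcard: prefix match
        prefix = parse_version(base[:-2])
        return ver[:len(prefix)] == prefix
    lo = pad(parse_version(base))                 # caret (Cargo's default)
    return ver >= lo and compat_key(ver) == compat_key(lo)


def resolve(graph, available):
    """Unify requirements per compatibility class like Cargo's resolver.

    Returns (chosen, conflicts):
      chosen:    crate -> sorted list of selected versions, one per class
      conflicts: list of (crate, [(package, requirement), ...]) for classes
                 in which no available version satisfies every requirement
    """
    by_class = defaultdict(lambda: defaultdict(list))
    for pkg, deps in graph.items():
        for crate, req in deps.items():
            by_class[crate][compat_key(req_base(req))].append((pkg, req))

    chosen, conflicts = {}, []
    for crate, classes in by_class.items():
        picks = []
        for entries in classes.values():
            candidates = [v for v in available.get(crate, [])
                          if all(satisfies(r, v) for _, r in entries)]
            if candidates:
                picks.append(max(candidates, key=parse_version))
            else:
                conflicts.append((crate, entries))
        chosen[crate] = sorted(picks, key=parse_version)
    return chosen, conflicts


if __name__ == "__main__":
    chosen, conflicts = resolve(GRAPH, AVAILABLE)
    for crate, versions in chosen.items():
        print(f"{crate}: {', '.join(versions) or '(unresolved)'}")
    for crate, entries in conflicts:
        who = "; ".join(f"{pkg} wants {req}" for pkg, req in entries)
        print(f"CONFLICT on {crate}: {who}")
```

On the sample graph, serde resolves to two copies (0.9.15 and 1.0.190) because 0.9.x and 1.x are incompatible classes and may legally coexist, while serde_json is reported as a conflict: `=1.0.98` and `=1.0.107` are in the same class, so Cargo must choose one version and no version satisfies both pins. Replacing the constructed `GRAPH` with inputs scraped from real package definitions is the "capture these links" step the thread asks for.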