guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pinned/fixed versions should be a requirement

From: Nguyễn Gia Phong
Subject: Re: Pinned/fixed versions should be a requirement
Date: Wed, 27 Sep 2023 16:51:04 +0900 
The dependency graph visualization has been discussed
by others more knowledgable of the Guix ecosystem than me,
so I'll focus on titled topic.

On 2023-09-04 at 21:59-05:00, Distopico wrote:
> `rust-my-lib-1`, where "1" refers to the semver "1.x" of the package,
> e.g., "1.0.32", and `rust-foo` depends on `rust-my-lib == 1.0.32`.
> However, in some other package got updated to "1.0.34" so `rust-foo`
> will break.
>
> [...] It makes it more likely that if a dependency changes,
> many packages will need to be updated/rebuilt due to that change.

This is not a bug but a feature, so that a fix can be rolled out
simutaneously to many if not all programs.  Recall the OpenSSL
incidents, and more recently, libwebp.

IMHO as software integrator, distribution maintainers
should provide feedback to upstream to relax version pinning,
preferably with patches.  I know first-hand this is not easy,
but otherwise we might as well just tell users to directly
invoke e.g. Cargo, since packaging without system-wide
integration is just extra hassle without any of the security benefits.

In the alternative world where dependencies are pinned,
distros can also patch each vulnerable version, but delaying
efforts until emergency is hardly wise.

On 2023-09-04 at 21:59-05:00, Distopico wrote:
> Over time, it becomes more vulnerable to libraries/packages breaking.

I'd like to add that this is not wall clock time, but labor time.
This would not be an issue if Guix has enough contributors
(and maintainers to actually apply to patches) to perform integration,
as discussed in the parallel thread.

On 2023-09-04 at 21:59-05:00, Distopico wrote:
> It makes reproducible software more challenging,
> as "1.x" can encompass many versions.

FMIIW, but the Guix way of reproducibility expects
both channel version and derivation name[, version].
With free software philosophy in mind, reproducibility
is not so beneficial without the ease of modification,
which in this context includes changing dependency[ version].

I'm speaking as someone primarily using Nix and seek Guix
for correctness, e.g. not making it impossible to patch
a Go library system-wide.

On 2023-09-04 at 21:59-05:00, Distopico wrote:
> For these reasons, I believe that pinned versions should be a
> requirement in libraries, always specifying the exact dependency, for
> example, `rust-serde-json-1.0.98`.
>
> This brings the following benefits:
>
> - Fewer packages will be prone to rebuilding
>   when changing the definition of a library.
> - Reduced likelihood of libraries/packages breaking.
> - Easier maintenance of packages and libraries
>   without fear of breaking others or having to update many.

I'd like to point out these exact benefits could be achieved
by distributing binary built by upstream.

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]