[rust-dev] Deprecating rustpkg
bascule at gmail.com
Fri Jan 31 16:09:21 PST 2014
On Fri, Jan 31, 2014 at 4:03 PM, Lee Braiden <leebraid at gmail.com> wrote:
> This would be counterproductive. If a library cannot be upgraded to 1.9,
> or even 2.2, because some app REQUIRES 1.4, then that causes SERIOUS,
> SECURITY issues.
Yes, these are exactly the types of problems I want to help solve. Many
people on this thread are talking about pinning to specific versions of
libraries. This will prevent upgrades in the event of a security problem.
Good dependency resolvers work on constraints, not specific versions.
> The ONLY realistic way I can see to solve this, is to have all higher
> version numbers of the same package be backwards compatible, and have
> incompatible packages be DIFFERENT packages, as I mentioned before.
> Really, there is a contract here: an API contract.
Are you familiar with semantic versioning?
Semantic Versioning would stipulate that a backwards incompatible change in
an API would necessitate a MAJOR version bump. This indicates a break in
the original contract.
Ideally if people are using multiple major versions of the same package,
and a security vulnerability is discovered which affects all versions of a
package, that the package maintainers release a hotfix for all major
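As an added example (not code from the original thread, from rustpkg, or from either poster), the following Rust program shows the difference the reply is pointing at: a resolver that works on constraints picks up a fixed 1.x release automatically, while one that pins an exact version is stuck on the vulnerable one, and a MAJOR bump is treated as a different contract. The package name "libfoo", its version list and the "=" / "^" requirement syntax are constructed for illustration; the "^" rule used here is the caret convention later adopted by Cargo (same major for 1.x and up, same minor for 0.x), which is an assumption about how such a resolver would interpret semver, not something the thread specifies.

```rust
// Added example, not from the thread: a minimal semver-style constraint
// resolver. "libfoo" and its release list are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; anything else is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// A dependency requirement, in the two styles the thread contrasts.
#[derive(Debug, Clone, Copy)]
pub enum Req {
    /// "=1.4.0": exactly this release and nothing else (pinning).
    Exact(Version),
    /// "^1.4.0": anything >= 1.4.0 that keeps the same API contract
    /// (caret rule, assumed: same major for 1.x+, same minor for 0.x).
    Caret(Version),
}

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix('=') {
            Version::parse(rest).map(Req::Exact)
        } else if let Some(rest) = s.strip_prefix('^') {
            Version::parse(rest).map(Req::Caret)
        } else {
            None
        }
    }

    pub fn matches(&self, v: Version) -> bool {
        match *self {
            Req::Exact(want) => v == want,
            Req::Caret(min) => {
                v >= min
                    && match (min.major, min.minor) {
                        (0, 0) => v == min,
                        (0, m) => v.major == 0 && v.minor == m,
                        (maj, _) => v.major == maj,
                    }
            }
        }
    }
}

/// Pick the highest available release satisfying every requirement,
/// as a constraint-based resolver would. None means unsatisfiable.
pub fn resolve(reqs: &[Req], available: &[Version]) -> Option<Version> {
    available
        .iter()
        .copied()
        .filter(|v| reqs.iter().all(|r| r.matches(*v)))
        .max()
}

/// Constructed scenario: libfoo 1.4.0 has a security bug fixed in 1.4.1
/// and carried forward in 1.9.0; 2.2.0 changed the API (MAJOR bump).
pub fn available_libfoo() -> Vec<Version> {
    ["1.4.0", "1.4.1", "1.9.0", "2.2.0"]
        .iter()
        .map(|s| Version::parse(s).unwrap())
        .collect()
}

fn main() {
    let avail = available_libfoo();
    let pinned = Req::parse("=1.4.0").unwrap();
    let caret = Req::parse("^1.4.0").unwrap();
    let next_major = Req::parse("^2.0.0").unwrap();

    // Pinning keeps the vulnerable release; the caret constraint moves to 1.9.0
    // but refuses 2.2.0, since the contract changed.
    println!("pinned =1.4.0      -> {:?}", resolve(&[pinned], &avail));
    println!("caret  ^1.4.0      -> {:?}", resolve(&[caret], &avail));
    // Two consumers on different majors cannot share one copy: they are
    // effectively different packages, which is the point of the MAJOR bump.
    println!("^1.4.0 and ^2.0.0  -> {:?}", resolve(&[caret, next_major], &avail));
}
```

Running it prints the three resolutions; the interesting line is the last one, where the two major versions are unsatisfiable together and a build tool would have to carry both copies (or fail), exactly the situation the reply says needs a hotfix on every supported major.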