[rust-dev] Deprecating rustpkg

Tony Arcieri bascule at gmail.com
Fri Jan 31 16:09:21 PST 2014


On Fri, Jan 31, 2014 at 4:03 PM, Lee Braiden <leebraid at gmail.com> wrote:

> This would be counterproductive.  If a library cannot be upgraded to 1.9,
> or even 2.2, because some app REQUIRES 1.4, then that causes SERIOUS,
> SECURITY issues.
>

Yes, these are exactly the types of problems I want to help solve. Many
people on this thread are talking about pinning to specific versions of
libraries. This will prevent upgrades in the event of a security problem.

Good dependency resolvers work on constraints, not specific versions.

The ONLY realistic way I can see to solve this, is to have all higher
> version numbers of the same package be backwards compatible, and have
> incompatible packages be DIFFERENT packages, as I mentioned before.
>
> Really, there is a contract here: an API contract.


Are you familiar with semantic versioning?

http://semver.org/

Semantic Versioning would stipulate that a backwards incompatible change in
an API would necessitate a MAJOR version bump. This indicates a break in
the original contract.

Ideally if people are using multiple major versions of the same package,
and a security vulnerability is discovered which affects all versions of a
package, that the package maintainers release a hotfix for all major
versions.

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140131/a622f995/attachment.html>


More information about the Rust-dev mailing list