Adopt a new dependency updating strategy. #990
Conversation
xStrom
added
maintenance
xStrom
changed the title
There was a problem hiding this comment.
Thanks a lot for writing this down!
I love such write-ups, but I don't think everyone wants to read through the whole section. A TLDR for the main dependencies section, just stating that we only test the newest versions and can't verify the old ones, would probably be the best. And maybe move the details after the 'how to upgrade' section as I could look a bit intimidating.
CONTRIBUTING.md
Outdated
| Now we'll use the `cargo upgrade` command to update all the versions in the `Cargo.toml` | ||
| files to match the versions specified in `Cargo.lock`. It's crucial that we use the | ||
| `--to-lockfile` option, because without it `cargo upgrade` won't respect semver. |
There was a problem hiding this comment.
Now we'll use the cargo upgrade --to-lockfile command...
There was a problem hiding this comment.
I reworded this whole paragraph so that it's more clear that --to-lockfile needs to be used.
|
I agree. This concept goes for more than just Rust, tracking the |
|
I'm no fan of TLDR, but I'm willing to compromise so I added a bold introduction sentence that summarizes the text. I kept the description of why the updating is being done before showing the commands how to do it. To me that is the most logical order of steps. I do want to address the intimidation factor though, so I added a new intro paragraph explaining that the release preparation stuff is meant primarily for existing contributors and also serves as a checklist. That should make it more clear to newcomers that they don't need to read it. |
There was a problem hiding this comment.
I think it's good to be clear about this stuff, and I think it's good to delete Cargo.lock.
On aggressively updating to minor versions: I would be curious to know if there is an accepted practice for this stuff. My inclination is to generally (with, say, serde as a concrete example) keep the version in our cargo.toml at 1.0. The motivation here is that it allows maximum flexibility; if we have serde at 1.22.0 and a client is using another library with serde = 1.17, we are now forcing them to include two versions of serde.
A lot of this comes down to how much we trust semver. as mentioned inline, my inclination is to trust; if an author breaks it we should report upstream and they should yank that release, and I would expect most library authors to do this. If we encounter a specific concern around something like this, we could always repin that specific dependency.
so I'm happy to be convinced here, but I want to make sure we're thinking it through. What I would find really compelling is a link to some discussion from a widely used rust library explaining how they approach this problem, and their rationale; I want to make sure we get this right.
| Because the final application chooses the sub-dependency versions and they are most likely | ||
| going to be higher than the minimum that is specified in our `Cargo.toml` file, | ||
| we need to make sure that druid works properly with these newer versions. | ||
| Yes according to [semver] rules they should work, but library authors make mistakes |
There was a problem hiding this comment.
I am inclined to trust reported semver versions, and also trust maintainers of crates we use (and those should generally be few crates, of a high standard) to yank releases that break semver.
|
Thanks for writing this up. Should we also include, that the grouping order of imports should be: |
|
In your example where druid has As for reporting if someone breaks semver - I absolutely agree. That's one of the main goals of this strategy change. Because right now with the current For a widely used example, there's Rust itself. There's rust#57435 where a question is asked:
.. and then answered by a Rust team member:
Then there's rust#57443 where there is discussion and movement towards automating this. This is the thread from where I found So ultimately the changes boil down to two points:
|
I wrote much of the rationale for this PR as documentation in
CONTRIBUTING.mdunder a new Preparing for a new release section. I'm not totally sure ifCONTRIBUTING.mdis the correct place for this kind of stuff, as it is more geared towards existing contributors than new ones. It is meant for contributors though, so perhaps it's just the right place.This PR deletes
Cargo.lockbecause it causes more harm than good. It's generally not a good practice. It won't actually be used by any developers using druid as a dependency. Its primary use right now is to force the CI (and people working on druid) to use a specific set of dependency versions. Versions that no developer using druid will use. I go more deeply into this in the docs I wrote.I also updated dependencies in preparation for druid 0.6.0.
PS. Although I don't mention this in the docs, I do have a real world example in the form of
proc-macro-hackwhich was broken, stopped compiling on nightly, and was fixed with a patch release. A bunch of packages liketime-rsstill claim to work with the older broken version, which I think is a mistake. That cascaded as breaking our builds on nightly too.