-
-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Locking triomphe
is the wrong approach to preserving MSRV
#440
Comments
Thank you for your comment. We know it is not an ideal approach to lock dependency in older versions , but we had no other options.
Locking dependency in older versions may become a problem in the future, but no downstream user has reported yet. Meanwhile, some downstream users already reported problems with a newer version of the same dependency. Anyway. To prevent the potential future problem, I will remove |
Is there any reason why those downstream users can't pin It also seems like this approach of making users pin crate versions themselves isn't foreign to |
No. Anybody can pin
The main purpose to pin Our policy ensures As for |
As I said before, I agree with you that locking
Now it is August 2024 and Rust 1.76.0 is 6 months old. We now have following options:
I will take 2. because After writing my first comment on July 13th, 2024, I did some experiments to take necessary |
Ah, don't worry. I didn't mean to annoy you, but if you need help with integrating the vendored code, I'd be happy to help out. |
I don't think vendoring is the correct decision in any situation. How about talking to upstream about lowering their MSRV and committing your cleanups upstream? |
Seems like their MSRV bump was to make the behaviour more consistent/correct. I'm pretty sure they wouldn't reintroduce those kinds of things (which is a, quote, "longrunning potential soundness issue that got fixed with a new API") "just" to support an around half a year old compiler version. Issue commenting about this: Manishearth/triomphe#93 (comment) |
Okay, so even if this library vendored triomphe with a lower MSRV there would be soundness problems. I personally don't see any issue with the current situation of MSRV 1.76 and using upstream triomphe. |
Thanks for sharing your concerns. When we locked the
Now I do not have time right now, but I am still hoping I will have some time to work on it in coming weekend. So please let me try it. |
Rust will dead code eliminate any features not used, and forking will just mean you no longer get any fixes and maintenance... alongside leading to duplicate code being compiled if someone does bring triomphe in to their dependency tree somehow. This just seems like a very bad idea all around to me. |
The recent release locked the
triomphe
crate version to>=0.1.3, <0.1.12
which kinda works(?) but isn't a good solution.IMO it's fine if, by default, the MSRV breaks if there is a simple way of getting the MSRV to compile (in this case, by adding
=0.1.11
to the manifest of projects that absolutely need the old Rust version).There have been prior examples where a version lock like this has broken compilation for many downstream users, such as with the
*-dalek
crates, wherezeroize
used to be locked (1, 2, 3, 4).MSRV should, in my opinion at least, not block new versions if there is a simple fix to getting that Rust version running.
The text was updated successfully, but these errors were encountered: