Hacker News new | past | comments | ask | show | jobs | submit login

Forget the complexity, just use integer version numbers.



That works perfectly well with semver, e.g. Cargo interprets `foo = "42"` as implying a constraint of ^42.0.0 (https://doc.rust-lang.org/cargo/reference/specifying-depende...)

In the meantime, semver is good because it gives us a small number of additional semantics to impose on version numbers if we wish. Semver is not a solution to versioning, it's just a foundation to build better automatic versioning tools atop of, such as the tool linked here.


Seriously. Machine-readable semver is a pipe dream. You're relying on everyone else getting it right every single time. At best it's an indication of a maintainer's intention. But it's not a substitute for QA; if your dependencies change, you need to test your software no matter what. So what does semver actually do? Using it as a guideline for setting your own version numbers to communicate to humans is one thing. Treating it as a machine-readable indicator with absolute certainty is taking it too far.


So every change is a breaking change? Not sure that helps anybody


It definitely does not.

v43 to v44: fixed "teh" in a comment

v44 to v45: restructured the whole thing, steps for users to migrate are expected to be in the man-months for most projects

Semver is a human convention that can also frequently help machines. It'd be nice if it were a machine system that also helped humans, but very very few compatibility systems achieve that.

There are no other options currently to achieve this, and it works pretty well in practice. Use semver, don't make everyone else pay for your willful ignorance.


And now you need to update from version 42 to 67 after not paying attention for 4 months because there's an emergency bugfix or crucial feature that you can't backport trivially.

Have fun.


They do have a backport for version 56, but it's in a branch named v62-backport-v56-githubusername-2023-asdf-try-2 and you have no way to discover that.

Instead of choosing v56.1, because that would be semver.


That backport seems to use a nonpublished patched fork of a library that got replaced in between though, so no bueno there.


I agree. Semver isn’t perfect, but it gives you a general idea of how hard an upgrade might be. That’s even more true with the most popular of libraries.

For example, Rails and React are the two most important dependencies in our system. They are extremely good about semver with major versions including highly detailed patch notes.


But isn’t the point of this post to suggest that even if SemVer suggests a release isn’t breaking, they still are in practice? Such that, coding defensively, you have to assess whether a new version of a tool breaks regardless of SemVer or not. In which case, why bother with SemVer in the first place?


As a co-author of the post, I wouldn't agree with that summary.

If semver suggests a release isn't breaking, in Rust it overwhelmingly isn't breaking. Around 3% of the time, assuming you use every obscure bit of public API in the library, you might get broken by a release when you shouldn't be. In practice, that percentage is way lower than that: nobody uses the entire public API of anything, or comes anywhere close. That's why the post says these semver violations were unknown, even though most of them were multiple years old. If something breaks, and you weren't using it anyway, you were not broken.

The post is emphatically in favor of semver as used by Rust, because it has clear benefits and works great the vast majority of the time. The part that we want to make better is to lower the odds even further that an accidental breaking change breaks a bunch of people's code and ruins their day.

No single technique can do that: not testing, not fuzzing, not cargo-semver-checks. But a sound combination of techniques can drive the odds to damn near zero for all practical purposes.


I'd be curious about these metrics for a more widely used language. Admittedly I'm not discussing SemVer _in Rust_, as much as just SemVer, which is in my direct experience just kind of a mess. Adherence is as good or bad as any library's tooling or developers want it to be.


I'm curious too! And I also agree that semver in _most_ languages is a mess.

I'm sure someone could build a semver-checker for Python or JS or Java or whatever, and I'd even be willing to help them and walk them through how cargo-semver-checks works. But in Rust, a big driver of adoption is that Rust and cargo are opinionated about things, so people adopt cargo-semver-checks not necessarily out of love for semver but out of a desire to not wake up to 100 people being upset in their GitHub issues about broken builds. The adoption situation might be harder for other languages with less opinionated versioning stories.


How does not hinting your tools the rest of the time improve things?

Rust compatibility (thus versioning) is fairly fragile due to its relatively powerful type system, and yet:

>Around 1 in 31 releases had at least one semver violation

Abandoning semver means making it worse 30 out of 31 times for a fragile language, or likely more (because you do not always use the thing that technically broke, or in a way that notices the break). Other languages generally have even stronger arguments in favor of semver.

It's not a "both sides" thing, semver wins by an absolute knockout in every conceivable way, and especially in practical day-to-day ways. Anyone opposed to it does not know what they're talking about, or they're simply trolling, and it shows. There could definitely be better systems, but "just don't use semver lol" is not one of them.


> How does not hinting your tools the rest of the time improve things?

If the hints are sometimes incorrect, should we trust them? Isn't it the same release-verification legwork either way? If so, what's the point of the hint?

> Rust compatibility (thus versioning) is fairly fragile due to its relatively powerful type system, and yet:

Yes, I'm speaking about SemVer, which was neither invented by nor solely implemented in Rust. I understand that this blog post is about SemVer in Rust.

> Abandoning semver means making it worse 30 out of 31 times for a fragile language, or likely more (because you do not always use the thing that technically broke). Other languages generally have even stronger arguments in favor of semver.

I read this as: tooling is required to verify a release does or does not break a contract defined by a library, regardless of versioning strategy. It's not like we're talking about 1 in a million here.

> Anyone opposed to it does not know what they're talking about, or they're simply trolling, and it shows.

Ahh yes. "I'm right and if you disagree you're wrong". The ultimate debate tactic. I'll skip the rest of this thread. Enjoy the day!


> Isn't it the same release-verification legwork either way?

No, as it turns out it very much is not even close to the same amount of legwork.

> I read this as

I don't think your attempt at a re-statement is accurate to the source. Also, "regardless of versioning strategy" is simply not an option in Rust, since the entire ecosystem is opinionated about how versions should work and overall everything works very well.

This post is about taking something that is already very rare (though painful when it does happen!) and making it even more rare. It shows a concrete way to do so, and also shows that so far we've been "getting lucky" by experiencing breakage less often than we might have been, given the same code changes.

In other words: `cargo update` today has a tiny chance of breaking your Rust project. But if everyone used `cargo-semver-checks` every time, as demonstrated by what the blog post's analysis caught, we'd reduce the number of accidentally-breaking releases by *3% of all releases*. That is an astoundingly high reduction, so coupled with good testing practices and other static checks (type system, borrow checker, etc.) it means that `cargo update` will be even more astonishingly unlikely to break your project.


Semver is a pragmatism, human-and-tooling thing.

It works the vast majority of the time. Many, many studies across many languages repeatedly show it. There are flaws, but there are extremely clear benefits - most updates just work, automatically. It works so well most people don't even realize how much they're being protected from.

So what are you gaining by abandoning it? You're losing a lot, if you're not gaining a lot in return then there's no reason to choose it.

---

>Ahh yes. "I'm right and if you disagree you're wrong". The ultimate debate tactic.

I agree in principle, but it is also simply true in some cases. It's like arguing against vaccines or range checks on arrays - there's a massive load of trolling or willful ignorance in semver debates. There can definitely be better systems, but none are used widely enough to be noteworthy to most, and most presented alternatives are laughably bad to anyone who has done anything but throw nonsense at the internet's wall and see what sticks. Some things are just not that complex, and armchair bullshitters can be spotted miles away.


So PostgreSQL has a vuln and they patch it, and now in order to get the fix, you have to upgrade to the very latest version?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: