On 17 Nov 2021, at 11:08, Stelian Ionescu wrote:
- I *desperately* want to add version upper bounds. There is a real problem of having someone change a library under one's system, and *pace* Faré, sometimes one does not have the resources to handle updates to every library in one's build chain.
It's part of the social contract of open source that you get things for free but you need to stay up-to-date with your dependencies.
That simply does not work for everyone, *definitely* including me. My company can't afford to pay me to keep every piece of software lying around updated with all of its dependencies. When a contract is done, I often can no longer maintain related software. Similarly, I use a lot of software written at universities as part of some research project that will eventually end. Other examples abound. There's a *lot* of software out there that could be useful, but that is not useful enough to the original author that they are going to maintain it *ad infinitum*.
In such cases it's better that if we pull this stuff out of mothballs: (1) we don't have to flail around trying to guess why it doesn't work any more and (2) we can find an old working configuration.
To guarantee an old working configuration you can simply point to the version of the Quicklisp distribution that it was last tested with. We should make it easy to specify that as metadata, and it would be much more useful than version constraints because ASDF is not blocking compilation (after all, even old software might very well work with newer version of the dependencies).
In the best of all possible worlds, everything would always be up-to-date, but that is not the world we live in -- or at least not the one that I live in.
- I am not that worried that we will end up in the kind of mess that concerns you: right now there are an enormous number of Lisp libraries that don't even have version metadata *at all* . So if people want to use expressive versioning in a sub-region of the lisp development ecosystem, that is unlikely to cause the problems you see, and might help *some* of us manage our dependencies.
I am worried because once you make something easy, people will be tempted to use that feature. Authors aren't currently adding metadata because it's purely decorative and there's no real gain in maintaining that.
On the contrary, *minimum* version constraints already exist. So it's not true that metadata is purely decorative. It's because people are slobs, or are not aware that the metadata are available.
--
The argument here is the same argument as Faré has made: all software should always be maintained and kept-up-to-date. But Faré is a programming superhero. I'm a mere mortal, but I *am* the ASDF maintainer, and at the end of the day, I have decided that version constraints like `(:version "my-unstable-library" < 3)` or something like that *will* go in to ASDF.
The worst that will happen is that someone will put in an overly-restrictive version constraint. Given the state of the CL software ecosystem vs., e.g., Python, I think it's quite unlikely that there will be a lot of overly-tight restrictions out there. And the ability to have upper bounds meets an actual need that is under-served.
-- Stelian Ionescu