| ▲ | matklad 4 days ago | |
This scheme _can_ be made to work in the context of Cargo. You can have all of: * Absence of lockfiles * Absence of the central registry * Cryptographically checksummed dependency trees * Semver-style unification of compatible dependencies * Ability for the root package to override transitive dependencies At the cost of * minver-ish resolution semantics * deeper critical path in terms of HTTP requests for resolving dependencies The trick is that, rather than using crates.io as the universe of package versions to resolve against, you look only at the subset of package versions reachable from the root package. See https://matklad.github.io/2024/12/24/minimal-version-selecti... | ||
| ▲ | epage 3 days ago | parent | next [-] | |
Note that the original article came across as there being no package unification. A later update said that versions would be selected "closest to the root". I was speaking to that version of the article. There was no way to override transitive dependencies and no unification. When those are in the picture, the situation changes. However, that also undermines an argument of the article against SemVer > But... why would libpupa’s author write a version range that includes versions that don’t exist yet? How could they know that liblupa 0.7.9, whenever it will be released, will continue to work with libpupa? Surely they can’t see the future? Semantic versioning is a hint, but it has never been a guarantee. | ||
| ▲ | IshKebab 3 days ago | parent | prev [-] | |
Is that what Go does? I always thought their module versioning system sounded well thought out (though I gave up on Go before they introduced it so I have no idea how well it works in practice). | ||