-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSRV bump 1.67 in v2.5.1 #937
Comments
Not going to express a strong opinion on whether rust-url should have updated MSRV, in general for crates near the bottom of lots of deptrees I prefer extreme conservatism for MSRV but it really depends on the project. In general I do disagree with "changing MSRV is breaking. Fixing it is a ....However it definitely is nice to avoid the situation where possible and provide mitigations if necessary. Would be nice to explore options. |
Sadly, this is only available for relatively new cargos, making it useless for fixing MSRV breaks for those supporting conservative MSRVs :(. Another year or two and it'll become useful. |
FWIW I have held the position "changing MSRV is breaking unless explicitly a part of the contract" for long before that feature existed:
but still, I'd say we should attempt some mitigation here. |
@Manishearth how would such a mitigation work? I don't think we can put the idna changes behind a feature flag. |
The Cargo semver guidelines recommend treating MSRV as a minor incompatibility, and not a major incompatibility. This could mean bumping minor but we should also keep in mind that, for semver and Cargo, there is almost no distinction between minor and patch. The main reason to bump minor instead of patch is to give flexibility to backport fixes to the pre-MSRV bump version. Also, the MSRV-aware resolver is not stable yet. It is available on nightly. Whether stable or nightly, using it does not require an MSRV bump. I have been using it myself to help manage my MSRV (like when I dropped the MSRV of my packages back to 1.65). MSRV testing in CI is aided by checking in your lockfile. |
imo MSRV should be requirements driven. I have not heard of a requirement older than Debian stable which is 1.63. Even that requirement is a bit dubious as we generally view the Debian toolchain as intended for building Debian packages and not intended for end users. 1.67 is over 10 versions behind and is a year and a half old.
Is the bump purely from dependencies? Can you drop the version requirements on the icu4x dependencies? For example, dropping to |
Could you clarify who is 'we' and and how you come to that conclusion? Supporting Debian stable seems like a hard requirement for quite a few users, and given that it's not even two years old rustc 1.63 seems like a reasonable MSRV target that (in my experience) a large part of the Rust ecosystem seem to be able to get behind. |
This seems like a weird conclusion. Until Fedora 34, the Debian toolchain was the only way to accomplish cross-language LTO without building both clang/LLVM and rustc from source. Thus, its in fact the only option for a toolchain that can be used in some build systems. For projects building multi-language systems which want X-lang LTO and want people to be able to build the software themselves, not supporting Debian's stable toolchain is not an option. |
I believe Ed is talking for the Cargo team here? (That's what I read those comments as)
I do not think the comment was suggesting that Debian stable should not be supported, it was saying that it's unclear if crates need to strictly follow such an MSRV to support the needs of Debian stable. (Debian does not need to pull in the latest version of this crate, and other mitigations are also possible).
I was hoping there was a way to keep the old code around as fallback. But there may be other ways. Switching from patch to minor release would not really change the effects this has on users but it would be slightly clearer at least. |
Yes, I was speaking to a general feel I've gotten from Cargo team discussions. And it was not to be prescriptive (ie not "you shouldn't) but to provide insight when people determine what requirements drive their MSRV policy (ie "should you?"). |
Sounds like this was a fairly invasive change so my idea might not work. What I've been experimenting with recently is to delegate the MSRV-dependent code to a dependency. You have two versions, one for the old MSRV and one for the new. They should have compatible APIs and I number the versions for what their MSRV is. The main drawback is that you can't declare through version requirements that you need new versions of each minor release so the API should likely be frozen. example: https://crates.io/crates/is_terminal_polyfill/versions |
Fair enough.
This assumption only holds if all the crate maintainers commit to providing backported (security) fixes for these 'non-latest versions', as otherwise users might get stuck on broken/potentially vulnerable versions. Also given that the MSRV breakage happened in a patch release, there is essentially no option left anyways to provide such backported patches. |
This is a problem for me too. I would have liked to see an MSRV break get a minor version bump. |
This is a good signal, if this would help people we should do it. Major bump is definitely a bigger endeavor and I'm worried about going that far, but minor bump is something we can definitely do. |
Debian package maintainers also regularly backport patches themselves, this is not a hard requirement either IMO. I think Ed is correct in saying that the choices here do not necessarily imply "not supporting" Debian, which is already a manually-maintained not-end-user situation. This does not mean that we shouldn't try to still do things that make things nicer there, but these things aren't blockers for rust-url being used in Debian. |
I don't believe anyone here is lacking the ability to build some Debian rust-url package (if such a package exists). That is distinct from the use-case of seeking to build other software using |
So:
Given this, what should be the path forward for the url/idna crates post-#923? Maybe it would be better for Mozilla to fork the idna crate? Maybe the ICU4X project can work on decreasing their MSRV/improving compile times? |
As far as I can tell the majority of the compile time hit is in ICU4X is a lot of crates but they're small, it's trying to be modular. |
I think I'll backout the IDNA changes, release url 2.5.2 with that, and wait for @hsivonen to have a look at the idna issues - unless someone has a better suggestion. |
* Revert "Reimplement idna on top of ICU4X (#923)" This reverts commit 3d6dbbb. See #937 for reasons behind this backout. * Bump url version to 2.5.2 * Pin unicode-width to 0.1.12 to avoid build failure in rust 1.56 * Remove ambiguous_wide_pointer_comparisons to maybe resolve clippy error * fix clippy
I think this characterization makes it look like
If someone is using a very old compiler (for whatever reason), it should be up to them to run the appropriate
The most significant contributor to this concern is
This isn't fundamentally a consequence of depending on ICU4X, so I think it makes sense to discuss this as a separate concern in the issue that you've filed.
I have previously gone the route of introducing another Firefox-motivated crate for a topic that already had a pre-existing crate and I got complaints about hurting the ecosystem (though eventually the ecosystem migrated to the crate I wrote). Whichever way someone thinks it's the wrong way.
AFAICT, the key grievances here are:
These are both general Rust ecosystem issues:
The second point may look glib, but proc macros are a part of the Rust ecosystem and for better or worse, the way doing proc macros works in practice involves depending on Looking at the As for MSRV, I think it's unhealthy for the ecosystem to expect crate authors (ICU4X developers or others) to refrain from making use of new language or standard library facilities on Debian timelines. I think it should be up to folks who choose to use a very old compiler to do the work of getting the crates that they pull from crates.io to compile, possibly by doing the work of figuring out which older version of a given crates compiles given the compiler vintage. (Aside about how old Debian is: The safety-critical embedded industries have a reputation of moving slowly, but not only is the latest TÜV-certified Rust toolchain new enough to deal with an MSRV of 1.67, but the previous one is new enough, too.) As a matter of the health of the Rust ecosystem, it would be much better to ship clang as a rustup component than to have the crate ecosystem cater to Debian-shipped compilers. But that's out of scope for Quoting from the OP:
I think it's not at all a given that if there was a Cargo feature (either in The issue here focuses on changes to compile-time attributes of The
An issue like this selects for hearing from folks who are unhappy with the update, but chances are that for users who make at least some effort to go along with the "stability without stagnation" Rust update cycle, the MSRV of 1.67 is a non-issue and faster, smaller, and more correct is preferable over Debian-accommodating MSRV. For folks whose project already depends on one of the many crates that transitively depend on But back to the Cargo feature and not its default: It would be bad for non-top-level crates to set the cargo feature, since opting for old compiler rather than output speed, size, and correctness isn't something that an intermediate dependency should choose. Right now, a Cargo feature on If the request is to be able to continue to get improvents to |
@hsivonen I've replied to the claim that tl;dr |
Thanks for the quick response to address/revert the MSRV bump addressed in 2.5.2 / #946 ! Also great to see the discussion on #5124, will be following. I'll close this as the concrete MSRV issue has been resolved for now. Thank you! |
I'd appreciate it if folks for whom the MSRV bump was a problem could comment on #939 (comment) whether the approach described there (opting into a unicode-rs back end by downgrading an adapter crate with no other intended dependents than |
The most recent patch release v2.5.1 bumped the MSRV from 1.56 to 1.67. Unfortunately, this violates a whole chain of downstream projects with a lower MSRV, e.g.,
reqwest
(cc @seanmonstar) and dependents.Especially since this happened in a patch release, CIs are now failing everywhere down the chain and projects that can't or are not willing to bump their MSRV are now forced to find some kind of workaround.
It would therefore be great if you could reconsider that bump and, e.g., would consider introducing the corresponding changes (I believe in #923) behind a feature (preferably defaulting to off) so that any downstream projects can actually choose whether they are willing or able to support 1.67 as their MSRV.
The text was updated successfully, but these errors were encountered: