On 2014-02-26 at 06:45:30 +0100, Michael Snoyman wrote:
On Wed, Feb 26, 2014 at 12:52 AM, Herbert Valerio Riedel wrote:
On 2014-02-25 at 21:38:38 +0100, Michael Snoyman wrote:
[...]
* The PVP itself does *not* guarantee reliable builds in all cases. If a transitive dependency introduces new exports, or provides new typeclass instances, a fully PVP-compliant stack can be broken. (If anyone doubts this claim, let me know, I can spell out the details. This has come up in practice.)
...are you simply referring to the fact that in order to guarantee PVP-semantics of a package version, one has to take care to restrict the version bounds of that package's build-deps in such a way, that any API entities leaking from its (direct) build-deps (e.g. typeclass instances or other re-exported entities) are not a function of the "internal" degree of freedoms the build-dep version-ranges provide? Or is there more to it?
That's essentially it. I'll give one of the examples I ran into. (Names omitted on purpose, if the involved party wants to identify himself, please do so, I just didn't feel comfortable doing so without your permission.) Version 0.2 of monad-logger included MonadLogger instances for IO and other base monads. For various reasons, these were removed, and the version bumped to 0.3. This is in full compliance with the PVP.
persistent depends on monad-logger. It can work with either version 0.2 or 0.3 of monad-logger, and the cabal file allows this via `monad-logger >= 0.2 && < 0.4` (or something like that). Again, full PVP compliance.
A user wrote code against persistent when monad-logger version 0.2 was available. He used a function that looked like:
runDatabase :: MonadLogger m => Persistent a -> m a
(highly simplified). In his application, he used this in the IO monad. He depended on persistent with proper lower and upper bounds. Once again, full PVP compliance.
Once I released version 0.3 of monad-logger, his next build automatically upgraded him to monad-logger 0.3, and suddenly his code broke, because there's no MonadLogger instance for IO.
Now *if* the program had been using a system like "cabal freeze" or the like, this could have never happened: cabal wouldn't be trying to automatically upgrade to monad-logger 0.3.
Will this kind of bug happen all the time? No, I doubt it. But if the point of the PVP is to guarantee that builds will work (ignoring runtime concerns), and the PVP clearly fails at that job as well, we really need to reassess putting ourselves through this pain and suffering.
From my point of view, I'd argue that
a) 'persistent' failed to live up to the "spirit" of the PVP contract, i.e. to expose a "contact-surface" which satisfies certain invariants within specific package-version ranges. b) However, the PVP can be blamed as well, as in its current form it doesn't explicitly address the issue of API-leakage from transitive build-dependencies. [1] The question for me now is whether the PVP is fixable in this respect, and at what cost. Moreover, it seems to me, it always comes down to type-class instances causing most problems with the PVP (either by requiring version-bump cascades throughout the PVP-adhering domain of Hackage, or by their hard hard to constraint leakage through package module/boundaries); maybe we need address this issue at the language-level and provide some facility for limiting the propagation of type-class instances first. [1]: An alternative to what I'm suggesting in 'a)' (i.e. that it'd be `persistent`'s obligation), could be that the package you mentioned (which broke due to monad-logger having a non-monotonic API change), might become required to include packages supplying the instances they depends upon in their build-depends, thus turning an transitive dep into a direct dependency. Cheers, hvr