-
Notifications
You must be signed in to change notification settings - Fork 476
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto block registration of packages pre-1.0 #111019
Comments
I don't think it would be a good hard rule to have, but I think it would be a good guideline/soft check. I have one or two packages that are In most cases though, I think it's very useful to have the three channels of information in the version number:
So perhaps a way this could be done is as an automerge check, allowing for manual intervention if the registrant insists that they've thought about it and really do want 0.x? |
I agree. |
I'm not sure if following SemVer prescription would be beneficial in this case. I think this would encourage people to release a 1.0 version when the API is not ready. Considering the amount of packages which are still in <1.0 stage in the Julia ecosystem, it seems that many mantainers feel like their packages are still not ready for a 1.0 release, which is more a lack of time maybe than anything else. This seems to me an artificial solution to a different underling problem. |
I would argue its actually the opposite. |
To me the motivating issue here is that we have a bunch of This results in needless comparability bound churn across the ecosystem. This is the problem that I see this proposal helping with. I don't quite understand this view that occasionally seems to pop up that |
if that is the ratio of the proposal @tecosaur I'm more convinced now that it's probably a good idea actually, I didn't consider the problem of having breaking releases for new features. And also the reasoning of @oxinabox seems right, but maybe it's more debatable why mantainers didn't release a 1.0 for years. But that is not the point maybe. So for what is worth I would reconsider my position :-) But it doesn't seem a good hard rule also to me anyway. |
This is a misreading of SemVer. Pre-1.0, there is no such thing as a "breaking release". Pre-1.0 packages do not have a stable API, so by definition, they can't break that API. Quoting from the SemVer specification: "Major version zero (0.y.z) is for initial development. Anything MAY change at any time." It is not a violation of SemVer to add features (or even make breaking changes) in a pre-1.0 "bugfix" release. This is actually something that, arguably,
That's also a misreading of SemVer. Breaking releases must change the major version number, but major version number changes do not need to contain breaking changes. They generally should, of course, but the change from 0.x to 1.0 especially is not a breaking change according to SemVer, because 0.x wasn't stable in the first place! |
This is not to say that there aren't plenty of 0.x packages that should be 1.0. It's also not to say that pre-1.0, there isn't some less formal notion of "breaking" vs "non-breaking". I certainly use 0.y.0 releases to indicate bigger changes that are likely to "break" other packages and I would also claim that pre-1.0 is an important part of a package's development cycle. If the developers feel that they're still "figuring out" the API, it shouldn't be 1.0. A lot of projects in Julia are related to academic research, and in such a situation, "active research" should indicate pre-1.0. If you're eventually going to publish a paper of a package, the publication of that paper seems like a good time to make a 1.0 release. I pretty strongly believe that most packages should use 0.1.0 for registration, not |
If the problem to do with pre-1.0 packages that cause everyone to have to update compat bounds when they release new backwards-compatible features, maybe that is where the focus should be placed.
There's an argument to be made that the approach is "too late", but on the other hand, adding extra steps for package registration could put people off registering packages, or make them delay, which could also have bad outcomes. |
The tips in the SemVer document certainly aren't wrong: If a package has a lot of dependents and thus should be worried about backward compatibility (whether the authors feel that the API is perfect or not), that package should probably make a 1.0 release. That does not mean we should be pushing people to make 1.0 releases prematurely, or impose version restrictions on registration. And I'll say it again: switching from |
Right now I have a package that depends on six If they remained unregistered I would have to deal with unregistered dependencies, which is a pain in the ass, and wouldn't be able to register my own package. |
How unhelpful is it really if you are already using them as a dependency in another package...? They clearly have an API, otherwise how would you be using them? I'd rather say it would be helpful instead if they were at 1.0. This gives the package authors the nudge they need to be thinking about their users. If you care about having users, you should also care about compatibility and breaking changes and SemVer is a great system for that, with the added advantage of being ultra-widely adopted. If you don't care about having users, well, why are you registering? Overall I give a +1 to the idea of disabling the automerge for new packages that are < 1.0, and in general as a community showing that we value SemVer and hence would prefer registered packages to have an API that at least the authors themselves consider solid to be 1.0. I've expressed in many other situations that registering a package in the general registry is way too easy and having checks that disable the auto merge can be of benefit to the community. Some packages I've registered would not pass the bar of this rule, and that's fine. I would have to wait more before registering. Not really a big deal... In the next version of Pkg.jl we will be able to add packages to our projects without them being registered, and still specify reproducibility by specifying the exact commit. Hence, even less the reason to register everything as soon as possible. For a counterexample that also gives a +1 to the automerge block suggestion: two packages I am involved with Agents.jl is at v6, and DynamicalSystems.jl at v3. Its not like you can't release a breaking release post 1.0 if you have good reasons to. If anything, it makes you more concious about breaking changes. |
@frankier and @goerz I agree with your comments; they are excellent: motivating a 1.0 for large packages that have been stable for a long time is a good idea. But I don't find it related with this issue which is about new registered packages. Additionally, I have done this several times so far and I have been faced either with no response, or no real arguments, sometimes the authors saying they don't themselves know what breaking changes they would like to do (proving the point entirely that they should release 1, but oh well...). So that's why I think your suggestions should be a separate discussion alltogether. |
I also think it's worth highlighting that this proposal is to for automerge, not a hard rule. I still think there's the occasional well-justified 0.x package. Drawing from my own experience, I'd point to Like @Datseris, I think in general this would be a valuable nudge to authors to think about the API they're delivering, and the state of their package a bit more. It's also not like we can't reverse this rule if it turns out not to be such a good idea in practice 🙂 |
It's a matter of communication. They do have an API, but it changes frequently, and the packages are incomplete. That's what I expect from |
I feel very strongly that, if anything, we should go the other way: New packages should automerge only if the initial package version is I think we actually used to have an initial version Again, that is not to say that we shouldn't push for packages that have a lot of dependents to actually commit to their API and tag |
I'd argue this is due to the shockingly low threshold for registration. Indeed, everytime I check out the slack channel of new registrations I am like "but why" for half of them. If there are no quality criteria to register then of course that's what you would see. So the point would be to make it harder, not easier, for packages to autoregister.
I am confused by this statement. I think you have a different idea of what "1.0" means that I do. If you don't know if 1.0 is appropriate then 1.0 is appropriate. Because if you don't know it means you have no planned breaking changes. Otherwise you would know. And to my understanding, the smaller the package the easier it is to release 1.0 because you simply have much less possibilities to make a breaking change. If you have a package with 1,000s of exported functions, any breaking change in any of them would technically justify a major version increment. So it's harder to go 1.0 for larger projects than smaller to the best of my understanding of what "1.0" conveys. |
I think this gets to the crux of the issue. Why should it be harder? Why should there be a higher threshold? Remember, having to be registered is transitive, so it means when I have a registered package, all the dependencies have to be registered too. Early version registered code could be rough code extracted from a mature package. I don't see a good reason apart from a misplaced need to control or a notion that package registration should act as some kind of stamp of approval. In effect, it acts to make people's life harder by adding busywork, and slows down code reuse. |
There are two response I have to this, and I feel a need to explicitly state this because they are rather separate issues that I think are in danger of being conflated. Firstly, I don't see how setting version to There is value in having three channels of information in semver separately to the difficulty of registering, as has been articulated in earlier comments. To me, the crux of the issue is whether we want to push packages to have three channels of semver (breaking, feature, buxfix) or just two (breaking, bugfix). Second, and separately, I think there should be a higher bar for the registry. In my mind, registering packages should be more than just bundling some related code and throwing it out into the world.* In my mind, a good registry is defined by having a broad collection of high-quality packages. What exactly are "high-quality" packages? That's a complex question, but I think we can assert some general requirements:
Does every high-quality package meet all of those requirements? No, there's always nuance and exceptions. However, I think it's worth encouraging actual packages to aspire to meet as many of these as possible, as early as possible. * In 1.11+, we have project I'd like to re-emphasise that I only see a small overlap between these points (we've veering into a much broader discussion). I'd advocate for considering whether we want to set a soft requirement for 1.0 on the semver merits specifically, and hold a conversation about package quality and the bar for registration in another issue (or elsewhere). TLDR; It's a low bar and not even about the bar for entry, but I think we should have a higher bar anyway. |
Interestinlgy, this semester I just started my first course as lecturer, which of course I would do with Julia. It was a big problem that Julia does not have any sorts of stamps of approval, like MATLAB's centralized toolbox or Python's Anaconda. They are installable instantly across my whole campus without anyone asking any questions. With Julia? Your whole package installation must get erased as soon as you log out because there is no "stamp of approval" that my IT will accept. Needless to say this is a bad experience, so maybe these stamps of approval aren't as useless as you suggest. As long as there is no community request for stamps of approval, we will never have one. And I see the suggestion of this issue as a good step forwards. @tecosaur put the situation perfectly in their reply so I don't have much to add besides requesting some sort of argument of how the suggestion here is making life so much harder. Is because you would have to change |
Pre-1.0 and post-1.0 represent different stages of development. Pre-1.0, backwards compatibility is not a concern. You would accept PRs if they improve the API of the package in the absolute. Post-1.0, backwards compatibility is a concern. So it would be common to reject PRs or close issues because their benefit does not outweigh the cost of a breaking change. Of course, people can disagree with how strongly they value API stability. I'm in the more conservative camp, where you would avoid breaking changes unless there is a very compelling reason for the new functionality and there is no way to implement it in a backwards-compatible way. That might mean delaying features for a future "2.0 milestone". If you value stability less, you might end up going from 1.0 to 8.0 in the span of a year. Fine by SemVer, but I might decide your package is more trouble than it's worth to use as a dependency. In any case, backwards compatibility should be part of the conversation post-1.0. Conversely, if you're pre-1.0, but you are worrying about backwards compatibility (because you have many dependents), then you really should tag 1.0. That's what the guidelines in the SemVer spec are about. So the question isn't whether you have any breaking changes planned. The question is at what level you're going to evaluate issues and PRs. I would say that when you first open up a package to public use, you should be permissive in how you deal with new PRs. But of course, it's up to you. Beyond that, my issue with pushing for 1.0 on new registrations is that it comes with additional requirements. For
With 1.0, in addition to that,
If we push for packages to register at 1.0, we should also have tooling in place to check these conditions, which is pretty hard. If people just use 1.0 as an initial version to get around the bot, but without actually being ready for 1.0, I think we're doing a disservice to the community and to the spirit of SemVer. Also, it denies people the pre-1.0 development stage, which, again, I think is an important part of a project's life cycle. Of course, I'm very happy if people register packages that are mature enough for 1.0. I just wouldn't expect it from the majority of registrations. And I'll certainly review packages that register with an initial version |
From SemVer 2.0
I am going to argue that this is normally actually the case when you register in general.
If you don't intend for people to use it you shouldn't be registering it.
Perhaps by exception people are registering with intent to iterate rapidly in a breaking way.
But it is exceptional and we can always use the functionality to bypass that rule.
It's problematic we people register pre-1.0
Because
I propose we only enforce this on new package registration. And allow old packages to be grandfathered.
We have talked about this on and off for years
The text was updated successfully, but these errors were encountered: