Proposal: Changes to the PVP

Johan Tibell johan.tibell at gmail.com
Wed Apr 9 11:40:24 UTC 2014


On Wed, Apr 9, 2014 at 12:23 PM, Michael Snoyman <michael at snoyman.com> wrote:

> Nonetheless, there is definitely confusion. The easiest way to see that is
> to look at the Reddit discussion of the blog post[1]. For example:
>
> > Which implicitly includes supporting reproducible builds for
> > "non-published software"
>
> There are other examples in that discussion, as well as in the libraries at discussion.
>

I think people were confused by your use of the word "reproducible": some
take it to mean "if this package built before, it will still build" (the PVP
aims at this) and others to mean "build exactly the same bits as before".
The PVP and people's interpretation of it don't seem to be confused, as
seen by reading the rest of the comment you quoted. Put in other words, I
don't think anyone believes the PVP is about freezing dependencies, as it's
about the very opposite of that, namely allowing ranges of versions.


> My proposed addition to the PVP itself would be the text:
>
> While PVP compliance makes getting a successful build more likely, it does
> not try to encourage reproducible builds: builds which use exactly the same
> dependencies as previous builds. In particular: minor version bumps and
> changes in transitive dependencies can easily slip in. Reproducible builds
> are highly recommended for building production executables, and for that,
> dependency freezing is the only known solution (to be included in
> cabal-install after version X).
>

If we add it, it should be as a footnote at the bottom. Bringing up this
totally orthogonal issue is likely to confuse people more, not less.

Saying that the PVP makes builds more "likely" is understating the
guarantee given quite a bit. With the exception of the issue with module
and instance re-exports that has been discussed elsewhere and is mentioned
on the PVP page, the PVP *guarantees* that things will build, if they built
before.


>> ** Although Cabal's dependency solver doesn't give the best messages
>> today either. But at least it could be improved.
>>
>> (3) This is already the case. We just don't encourage authors to do it
>> (as maintaining version information in documentation rather than
>> machine-checkable contracts tends to be hard to maintain.)
>>
> Yet in this same thread Erik said:
>
> > This sounds too vague to be an actual policy, so -1.
>
> So it seems like the intention of the PVP itself is unclear at this point.
>

Quite intentionally so. We definitely do not *want* to encourage people to add
extra, non-checkable, ad-hoc policies on top of the PVP; we merely allow
them to do so. I noted that even though it's allowed, not a single
package I've seen provides extra guarantees.

-- Johan