by munificent 3036 days ago
What happens if:

1. I depend on foo with constraint ">1.5.0". The current minimum version of foo that meets that is 1.7.0.

2. Later, foo 1.6.0 is published.

3. I run go get.

If I understand the proposal correctly, that go get will now spontaneously downgrade me to foo 1.6.0. That defies the claim that builds are always reproducible.


So, I think you're right... but this is only a flaw if you as a user specify a lower bound that does not exist. The tool won't do this. And it can be prevented by disallowing referring to versions that don't exist.

It's entirely valid (and interesting! I hadn't thought of this one), but I'm not sure if this would happen even once IRL, except for people trying to break the system. Which can be fun, but isn't a risk.

My experience from maintaining a package manager and trying to keep the ecosystem healthy, which mirrors my experience on lots of other systems with many users, is that anything your system allows people to do will be done at some point.
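The scenario in the top post and the fix sketched in the reply, as an added example that is not code from the proposal or from either commenter. It is a toy resolver: a version is a plain major.minor.patch triple, a constraint is a single lower bound (`>X` or `>=X`), and `resolveMinimum` picks the lowest published version that satisfies it. `checkLowerBound` is one reading of "disallowing referring to versions that don't exist": it accepts only an inclusive bound naming an already-published version, so the minimum satisfying version is fixed at the bound itself and a later release cannot slot in below it. The release history is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// version is a minimal major.minor.patch triple; real semver also has
// pre-release and build metadata, which this toy ignores.
type version struct{ major, minor, patch int }

func parseVersion(s string) (version, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("bad version %q", s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

func (v version) String() string { return fmt.Sprintf("%d.%d.%d", v.major, v.minor, v.patch) }

func (v version) less(w version) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// constraint is a single lower bound: ">X" (exclusive) or ">=X" (inclusive).
type constraint struct {
	bound     version
	inclusive bool
}

func parseConstraint(s string) (constraint, error) {
	switch {
	case strings.HasPrefix(s, ">="):
		v, err := parseVersion(s[2:])
		return constraint{v, true}, err
	case strings.HasPrefix(s, ">"):
		v, err := parseVersion(s[1:])
		return constraint{v, false}, err
	}
	return constraint{}, fmt.Errorf("unsupported constraint %q", s)
}

func (c constraint) satisfiedBy(v version) bool {
	if c.inclusive {
		return !v.less(c.bound)
	}
	return c.bound.less(v)
}

// resolveMinimum picks the lowest published version satisfying spec,
// which is the selection rule the thread is discussing.
func resolveMinimum(spec string, published []string) (string, error) {
	c, err := parseConstraint(spec)
	if err != nil {
		return "", err
	}
	vs := make([]version, 0, len(published))
	for _, p := range published {
		v, err := parseVersion(p)
		if err != nil {
			return "", err
		}
		vs = append(vs, v)
	}
	sort.Slice(vs, func(i, j int) bool { return vs[i].less(vs[j]) })
	for _, v := range vs {
		if c.satisfiedBy(v) {
			return v.String(), nil
		}
	}
	return "", errors.New("no published version satisfies " + spec)
}

// checkLowerBound is one reading (an assumption of this example) of the
// reply's fix: a lower bound must be written >=X with X already published.
// An exclusive bound (>X) really names "the release after X", which may
// not exist yet, so it is rejected outright.
func checkLowerBound(spec string, published []string) error {
	c, err := parseConstraint(spec)
	if err != nil {
		return err
	}
	if !c.inclusive {
		return fmt.Errorf("%s: exclusive lower bound does not name a published version", spec)
	}
	for _, p := range published {
		if v, err := parseVersion(p); err == nil && v == c.bound {
			return nil
		}
	}
	return fmt.Errorf("%s: %s is not a published version", spec, c.bound)
}

func main() {
	// Constructed release history: 1.6.0 has not been published yet.
	before := []string{"1.5.0", "1.7.0", "2.0.0"}
	after := append([]string{"1.6.0"}, before...) // 1.6.0 is published later

	v1, _ := resolveMinimum(">1.5.0", before)
	v2, _ := resolveMinimum(">1.5.0", after)
	fmt.Println(v1, v2) // 1.7.0 1.6.0: the same spec now resolves lower

	fmt.Println(checkLowerBound(">1.5.0", before))  // rejected
	fmt.Println(checkLowerBound(">=1.7.0", before)) // <nil>: pinned to an existing release
	v3, _ := resolveMinimum(">=1.7.0", after)
	fmt.Println(v3) // 1.7.0: unaffected by the new release
}
```

Run with `go run .`; the first line of output shows the spontaneous downgrade from 1.7.0 to 1.6.0 once 1.6.0 appears, and the remaining lines show that a bound the check accepts stays at 1.7.0 regardless of later releases.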
heh, good point :)

as always, of course there's a relevant xkcd: https://xkcd.com/1172/