Igor Gnatenko wrote:
Yes, however maintainer of nodejs does not want to rename binaries
and
patch sources to be parallel-installable.
And that is exactly the problem.
And today, we would block adding such "compat" package into
the
repositories.
Which is exactly how it should be.
I agree it would be nice to have them parallel-installable, but I
don't
think we need to force it onto all packages.
But there is actually no way around it because every other approach
inevitably leads to conflicts.
We have different problems with modularity, like:
* Whole new tooling which has its own inputs/outputs (and many times
it actually does not work)
* Overcomplication of dependency solving (even after so many years,
DNF still can't handle it properly)
* Different workflow from standard packages which hurts
discoverability and maintainability (basically it creates small
distros within one distro)
and many more.
This is true. However, your approach may also introduce this kind of
practical problems. E.g., if you keep the self-conflicting packages.
(For the record, the logically correct way to handle it would be:
Provides: stream(nodejs) = 10
Conflicts: stream(nodejs) < 10
Conflicts: stream(nodejs) > 10
but I disagree with this Conflicts approach to begin with.)
> Non-default versions of non-leaf packages MUST be parallel
installable
> with the default version for the distribution to be consistent and for
> users to be allowed to freely choose their applications without arbitrary
> conflicts.
I believe that exactly one of the reasons why Modularity has been
created. It requires patching of source code and renaming binaries and
sometimes it is not trivial amount of work.
And this is exactly why I am against Modularity, at least for non-leaf
packages. (And your proposal does not fix this.)
And at the end of the day, most of the people probably don't
need
installed multiple versions of a package at the same time (e.g. nodejs).
They do if they want to use 2 (or more) applications that happen to depend
on different versions of nodejs (something that is entirely beyond the
user's control) on the same Fedora installation. I think it is entirely
unacceptable to tell users that they cannot install application A and
application B on the same Fedora n installation (even though it might have
worked just fine on Fedora n-1) because A depends on libfoo 2 (or
foo-interpreter 2, this is actually no different) whereas B is stuck on
libfoo 1. (It might have worked just fine on previous releases before the
libfoo 2 stream was added.) The purpose of a distribution is to make
software from different upstreams work together.
> is just not true. If the 2 different versions of Perl cannot
coexist,
> building Bugzilla against only one version is not possible without making
> Bugzilla incompatible with anything built against the other version.
Sure, we just have to accept this until perl is made
parallel-installable. Which may or may not happen, but if I have
choice between "only one version of perl and no bugzilla" or "two
conflicting versions of perl and bugzilla using non-default version of
perl", I will choose latter. Unfortunately reality is not perfect.
I do not see why it would be so hard to provide compatibility Perl versions
in non-conflicting compatibility packages. It has already be done in the
past. It is just a matter of versioning (suffixing) the binaries and the
directories (e.g., /usr/bin/perl5.28, /usr/share/perl5.28/, etc.). The
default version may or may not adopt some of this version-suffixing too. The
only thing that matters is that the non-default versions use it.
Sure, but let's take specific case. I have had
rust-smallvec+std-devel-0.6.12-1 which depend on same EVR of
rust-smallvec-devel. I have updated rust-smallvec-devel to 1.0.0 which
does not have +std subpackage anymore. On upgrade that causes
conflicts which can be resolved using --allowerasing --best, but our
current guidelines say that proper obsoletes must be added somewhere
so that upgrade works without manual intervention.
In this case, you probably want to add the Obsoletes to rust-smallvec-devel
rather than fedora-obsolete-packages. That avoids all the bureaucracy and is
just one line in the specfile that you need to update anyway.
That said, you may actually need or want to ship parallel-installable
rust-smallvec+std-0.6.12-devel, rust-smallvec-0.6.12-devel, and
rust-smallvec-1.0.0-devel instead (the actual package contents are
inherently parallel-installable anyway!), in which case you don't have to
Obsolete anything, just orphan and stop updating the 0.6.12 ones if you
don't need them any longer.
I believe I never said to not ship such packages (please correct me
if
I did), we perfectly can ship them to the users, but we need to make
them aware that maintainer won't be providing proper upgradepath and
might not fix CVEs in the time manner.
There is no strict guarantee that bugs will be fixed in a timely manner for
ANY package, so there is no point in specifying that explicitly for
individual packages. CVEs SHOULD be fixed ASAP, but that also goes for your
Rust libraries, where in addition you are supposed to rebuild your
statically linked executables ASAP after upgrading the library. If that is
too much work for you, then you should not be packaging statically-linked
software. (And we really need a dynamic linking solution for Go and Rust.
The current approach where libraries are packaged as installed source code
is just not a reasonable approach in a binary distribution.)
For upgrade path for dropped packages, well, either add an Obsoletes
somewhere if it makes sense (as in the example above) or just ignore it.
> If you are spending your time to get the dependency into Fedora
because
> your package needs it, you should also take the little extra time it
> takes to support it properly.
I simply can't.
I don't see how it makes so much of a difference in effort.
> Your proposal is essentially a proposal to automate the creation
of
> versioned (with suffixed Name) compatibility packages, but it excludes
> the most essential part of the compatibility package pattern, the one
> that makes
> it suited for this use case unlike the current Modularity. So I fail to
> see
> how it addresses in any way the issues we are having with the current
> Modularity.
Oh yeah, this is not only the thing I'm proposing. People want to have
"stream branch" and build from it to all Fedora and EPEL and I thought
that it was clear however it was not. Basically part of the proposal is to
have let's say branches by major version which builds into all releases.
The part about submitting the build once and having Koji build for all
releases is fine. It has already been proposed by others, and I see no issue
with it (as long as the package is still actually built on each release,
just without the maintainer having to do it explicitly – build once, run
everywhere is not going to work reliably).
It is the automatic suffixing that I have a problem with. I want to see a
separate dist-git module created for the suffixed package instead, where the
specfile is also made conflict-free by the maintainer. In other words, the
good old compatibility package pattern that just works. This part cannot be
reasonably automated, and the part of your proposal that proposes automating
this destroys the most useful part of the pattern.
For the Rust libraries, the automatic suffixing might actually work without
Conflicts, so it could be done there, but not in the general case. Unless
maybe you work with %if conditionals somehow (like the ones we used to keep
the F8 kdelibs.spec in sync with the F9 kdelibs3.spec and the F8
kdelibs4.spec with the F9 kdelibs.spec). Automatically adding Conflicts to
automatically suffixed packages is what I am strongly opposed to. The
automation only makes sense if it can be done without RPM Conflicts and
without file conflicts.
Kevin Kofler