package, package2, package3 naming-with-version exploit

Petr Pisar ppisar at redhat.com
Tue Apr 2 14:02:46 UTC 2013 

On 2013-03-29, Miloslav Trmač <mitr at volny.cz> wrote:
> On Fri, Mar 29, 2013 at 3:01 PM, Petr Pisar <ppisar at redhat.com> wrote:
>> On 2013-03-29, Tomas Mraz <tmraz at redhat.com> wrote:
>> Basically yes. It's call for semantically separeted API identifier. Now
>> you have NEVRA string:
>>
>> Where we have API? Nowhere because Fedora assumes only one version of
>> a package. API should work like Architecture in sense of parallel
>> instalability, but it shouls provide name spacing for EVR string. API
>> itself should define orderding to allow selecting latest package across
>> all builds as already commmentd:
>>
>
> Isn't one of the principal problems that lead to calls for transparent
> multiple version support exactly the _impossibility_ of having an API
> identifier?
>
Not only. It does not matter if upstream versions API properly or if
upstream does it at all. If you do not like `API', use `interface' or
`contract' or whatever word you like. People do not demand
multiversioning because they can. They demand it because presence of
specific version provides specific features. It's up to packagers to
define the branches/APIs/slots. (Happy are those whose upstream is
version pedantic.)

> However, other languages don't have an API identifier.  Collecting a few
> Gem requirements from my system:
>> s.add_dependency(%q<activesupport>, [">= 0"])
>> s.add_dependency(%q<activesupport>, ["~> 3.0"])
>> s.add_dependency(%q<activesupport>, ["~> 3.0.0"])
>> s.add_dependency(%q<activesupport>, ["= 3.2.8"])
>
If this is conjuction, then the set is empty. If this is disjunction,
then this is full set.

> What API identifier would you actually use for rubygem-activesupport?  What
> API identifer would you want to _autogenerate_ for rubygem-activesupport?
> You'll need "API 3.2.8" at which point upgrades start looking as a little
> meaningless concept.
>
> Similarly, maven version ranges also don't lend themselves to the concept
> of "API identifier":
>>    <version>[3.8,4.0)</version>
> I can construct arbitrary overlapping ranges, so a single API identifier
> won't work.
>
Requires: foo >= 3.8
Requires: foo < 4.0

Or maybe there are APIs 3.8, 3.9, and 4.0 and we want to express (3.8 or 3.9),
but poor RPM does not handle `or'?

-- Petr

More information about the devel mailing list