-
Notifications
You must be signed in to change notification settings - Fork 192
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release 0.3? #433
Comments
There was a proposal to rename Moreover, we can use this release to relax our MSRV policy in the vein suggested by @briansmith, but this should be done together with
I think it's rarely used directly, usually it's done through
It's possible to do this: [dependencies]
getrandom02 = { version = "0.2", package = "getrandom" }
getrandom = "0.3" And call the registering macros from each crate (assuming |
As @josephlr says, pushing these changes to a I have a slight preference for bumping the version to
|
I understand what you're saying, but in practice it does matter. Many people have their CI set up to reject multiple versions of a dependency by default. so they have to either make an exception to their CI rules, and/or they submit PRs upstream to try to upgrade everybody to the new version, which is extra work for everybody. Then those upstream projects (such as some I maintain) end up having to choose to drop support for 0.2 to help these people, or spend time trying to explain to them (over and over, indefinitely) why it "hardly matters." Either way it ends up being disproportionate amount of effort. If we release 0.3:
|
It would be nice but (a) it can be done in a backward-compatible way by renaming it to I think nonblocking getrandom should be a separate API and so it could be added in a SemVer-capable manner. And/or we could implement the old API in terms of the new API, optionally eventually marking the old API
Better to discuss it in its own issue to reach a decision.
Yes, these are basically bugs that we've deferred fixes for until we make a SemVer-breaking version bump, so we should do this for 0.3. |
I opened #438 and #439 to discuss breaking changes to the API and feature flags respectively. I'm convinced by the arguments above, we should release these changes as a breaking change.
Personally, I think that we should cap the MSRV for the upcoming release at 1.57 (1.56 is Rust 2021, and 1.57 gives us panicking in For 1.0 and onward, we can just say that removing platform support and increasing the MSRV can be done in a minor version, and that:
That way folks can put
I really wouldn't want to bother back-porting changes. I think we could have backports be "contributions welcome". I'd be fine reviewing backports, but I don't want to do the backporting (especially if nobody's actually using it). |
I don't think we should release v1.0, not only because of the MSRV-aware resolver, but also because we will introduce new APIs. There are also potential for new features like "global crate features", which can be quite useful for us. Remember that we always can use the semver trick to release v0.3-compatible v1.0, assuming the APIs stay stable enough.
I agree with this, IIRC we acted similarly with v0.1 backports. |
The main problem with trying to make the next release be 1.0: The release will be long-delayed because there's too much perfecting and too many potential compatibility-breaking changes. I think we need to accept the MSRV increases for 0.2 and do a 0.2 release soon, so that we don't get into a state where we can't do a release because master isn't good enough to be 1.0. |
To reply to @newpavlov here instead of in #544:
So there are breaking changes, but not in the API. We already tell people using I'd like to be able to release rand v1.0 soon after v0.9; I don't know if getrandom has plans for 1.0 soon? |
I think we could release v1.0 relatively soon (in a year or two after the v0.3 release) assuming no issues will be found with the new APIs. One thing which I would like to do with v1.0 (here and with |
From the docs,
So IIUC With that in mind, I see no point in bumping the MSRV to use Edition 2024. Do you have a plan for getrandom v0.3 / something you need help with? I'd like to get rand v0.9 out soon because of |
In my understanding, the problem is that resolver=3 will be available only on Rust 1.85 and later. So if
I plan to cut a pre-release after finishing #546. It's probably worth to do a PSA on URLO and Reddit, since the new opt-in target handling could be somewhat controversial with WASM developers. |
Sorry @newpavlov for my delay in reviewing stuff for v0.3. I should have some time over the next week to review stuff. I started by reviewing #559 is there anything in particular I should look at next, or should I just start at the last time a reviewed a PR (which is baae5fc I think)? |
I also really like the organizational changes in #538 it made the code much easier to read. |
@josephlr |
I would like to get this + rand released early next week if possible. Are there any blocking issues / reviews required / other to-do items? |
I don't have anything in mind, so we only need a green light from @josephlr. |
I'm mostly done with my review, just a few more things I want to think about (and get other's feedback on):
|
Alternatively, now that we can use |
I believe we should be consistent and use configuration flags for all optional backends. Enabling the flag is relatively easy and automatically resolves potential issues with some library crates enabling the
The problem with this hypothetical feature is that it will be used only for the sanitizer support. I think thst for sanitizer users it will be a bit easier to enable the configuration flag, than the nightly crate feature for a dependency buried deep in their dependency tree. It would've been a different story if we had some other Nightly-only functionality. |
As a user who struggled to keep unwanted
The set of dependencies actually built by default hasn't changed, but polluting the lockfile like this has negative side effects. It creates more false positives for tools like
Edit: also see the discussion at rust-lang/cargo#10801 and the many references to that issue across GitHub for illustration how much trouble overly broad dependencies in lockfiles can cause. At least that's a Cargo issue that should get fixed eventually, while the getrandom 0.3.0-rc.0 design interacts badly with Cargo "as designed" (one lockfile is supposed to work for any target platform and set of One way to mitigate these problem would be to add back feature flags in addition to the I'm raising this now because changing the rules from "set this cfg" to "set this cfg and also enable a Cargo feature" would on its face be a backwards incompatible change. |
Thank you very much @hanna-kruppe for raising this concern. This is exactly the type of feedback we want for how to best enable alternative backends for this crate. I am especially sensitive to this concern because in over half of the issues I find complaining about this sort of problem, we are the ultimate cause of said problem. I am wondering if this could be done using a single cargo feature ("use an alternative backend") + a I'll think more about how we might address this. |
It may be that the Cargo dependency resolver pulls in packages which can never be used in practice. That is presumably cargo#10801. But at the same time, many of the dependencies can be used on some platform, if I understand correctly. According to this comment, |
Yes, the lockfile is intended to cover all platforms, that's why e.g. However, most of these dependencies are not actually used on any platform, unless someone opts into a non-default backend. Cargo can reason about this when the opt-in happens via features, but it intentionally and quite reasonably doesn't do any reasoning about
To be clear: any new dependencies that are used by default on some platform are totally fine. I mean, I'd still appreciate this set to be as small as possible for other reasons, but it is valuable to have lockfile reflect what will be built on any unforseen platform. I'm only talking about dependencies that were or would have been feature-gated in version 0.2 but are gated on |
I think the main issue is that cargo is able to exclude feature-dependent project dependencies from Cargo.lock if it can see that the feature is not enabled anywhere in the project. For example, with just
Some of the "bloat" ( The
Overall, while I agree that the lock file bloat is unfortunate, I don't think we should introduce hacks like requiring to enable both configuration flag and crate feature simultaneously. It may be worth to look for a better approach, but I don't have any ideas right now.
Such dependency bounds are notoriously fragile and should not be used. And, as you can see above, |
I don't know how to quantify this but it doesn't feel correct to me (and I do have some non-trivial projects that avoid them). These crates have a lot of reverse dependencies, but many of those are feature-gated or come from applications/libraries specific to the wasm-bindgen ecosystem. General-purpose libraries that unconditionally depend on wasm-bindgen/js-sys on
Sorry for any confusion caused by picking Aside: a similar problem that's more difficult to fix but also triggers more rarely is with the |
I think we have the following options to resolve the lock file bloat issue:
Personally, I think the latter option has the least amount of drawbacks. |
If we use feature-flags to enable backends, a crate like Can we somehow allow users to just depend on Thus, I think we just have to choose which backends get enabled by default (at the cost of Qualitatively we may choose to use feature-flag the target (e.g. |
The difference is that users would have to explicitly define
I do not quite understand. We simply can not make the Web WASM backend enabled by default. Our choice is between tolerating the bloat or adding a subpar workaround to eliminate it.
How it's better than the proposed |
I was assuming that keep the
I don't understand what you mean exactly. A |
This is blocking rand v0.9, but there's a limit to how long I want to wait on this issue. It's 43 days until Rust 1.85.0 is released, presumably with edition 2024 which deprecates the So shall I just go ahead and use |
The lock bloat issue looks like the only blocker. After we resolved it (either by leaving everything as-is or by introducing a crate feature workaround), we can release v0.3 right away after your and/or @josephlr approval. Personally, I would strongly prefer if rand v0.9 was using getrandom v0.3. I will prepare an alternative PR to #574 shortly. |
@daxpedda |
Personally I would vote for your first suggestion:
Even though I also prefer the Imo the best approach would be to only require an external dependency which would implicitly "mount" the backend, but as was already said:
|
I wonder if we could ask It could look like this: // wasm-bindgen
#[cfg(getrandom_backend = "wasm_js")]
#[no_mangle]
unsafe extern "Rust" fn __getrandom_v03_wasm_bindgen(
dest: *mut u8,
len: usize,
) -> Result<(), ()> {
// ...
}
// getrandom/wasm_js
pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
extern "Rust" {
fn __getrandom_v03_wasm_bindgen(dest: *mut u8, len: usize) -> Result<(), ()>;
}
unsafe { __getrandom_v03_wasm_bindgen(dest.as_mut_ptr().cast(), dest.len()) }
.map_err(|()| Error::WEB_CRYPTO)
}
One advantage is that it prevents users from enabling the |
|
I guess we need to make the final decision. We have 3 main options:
I am more or less fine with either, but, honestly, I am starting to lean towards the first option. We can consider Maybe we should create a poll on URLO? |
There is a fourth option:
I feel like this may be the best choice and would consider expanding this to cover other targets (e.g. I wouldn't necessarily go with the result of a poll on https://users.rust-lang.org/ but it may bring salient discussion points. |
So like the UPD: I guess the main advantage is that it would make easier to use dependence-free opt-in backends, but since the Web WASM backend will be the most popular opt-in backend, I am not sure it's worth to make a negative exception for it and risk proliferation of such features in future.
I do not quite understand. Do you suggest to drop the Windows support and move it to an opt-in backend? We probably will get a significant backlash for doing that. |
You are correct that we can't drop Windows support by default — at least, not the most common Windows variants. I'm sure you (@newpavlov) have a better idea than I of which backends we may add/remove/replace in the future. Making the "opt in" flags specific to a backend or group of backends simply appears more future-proof than pushing all non-default backends into I feel like the sensible options are:
|
@newpavlov at this point I'd suggest you pick one of the three options I listed above since you are most familiar with this project. (The thing I least like about your |
I personally think that the simplest solution would be to have a "js" (or whatever) feature which allows enabling |
We have a few changes coming up (#425, #414 , #432) which will make the following changes to the compatibility of this crate:
*-pc-windows-{gnu,msvc}
from Windows Vista (released November 30, 2006) to Windows 10 (released July 15, 2015).x86_64-win7-windows-msvc
andi686-win7-windows-msvc
targets*-win7-*
targets (viaRtlGenRandom
)The Rust Semver Compatibility Guide does not specify if such actions would be breaking changes. Both:
are listed as "Possibly-breaking" changes.
My personal preference would be to release these changes as
0.2.16
(not consider this a breaking change) because:getrandom
is widely used throughout the Rust ecosystem so updating all callers can be somewhat tedious.custom
implementation work with both versions ofgetrandom
.However, if we do decide to have this be a breaking change, we should discuss if there are any other semver-breaking changes we wish to make (see #346 and #230). Another option would just be to get consensus on #232 and release these changes as 1.0
The text was updated successfully, but these errors were encountered: