Go vgo: Semantic Versioning and Human Error

Preface: vgo _specifically_ calls out the fact that maintainers of libraries have to be backwards-compatible within a major version, and that the onus is on users to put their trust into libraries not to break them appropriately:<p>&gt; Modules are assumed to follow the import compatibility rule—packages in any newer version should work as well as older ones—so a dependency requirement gives only a minimum version, never a maximum version or a list of incompatible later versions.<p>(<a href="https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo-mvs" rel="nofollow">https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo-mvs</a>)<p>Back to the article - it seems predicated on this scenario:<p>&gt; “Our project depends on X@v1.5.0 right now, but it doesn’t work with X@v1.7.0 or newer. We want to be good citizens and adapt, but we just don’t have the bandwidth right now.”<p>If your deps + your transitive deps for some package are:<p>- 1.5.0 (you)<p>- 1.5.1 (some transitive dep)<p>- 1.4.7 (some transitive dep)<p>vgo will choose 1.5.1.<p>However, if your deps for some package are are:<p>- 1.5.0 (you)<p>- 1.5.1 (some transitive dep)<p>- 1.7.3 (some transitive dep)<p>vgo will choose 1.7.3 and presumedly your app will break.<p>In other dep managers, you might specify &lt;1.7.0. How would this work? Grab two versions of the package (1.5.1 and 1.7.3), rewrite the import paths of the stuff that requires 1.7.3, and kind of opaquely have two version of the same thing? Or perhaps modify the way the import &quot;xyz&quot; works to be more opaque to solve this problem somehow? There&#x27;s no nice solution to this.<p>This seems a fairly reasonable tradeoff; on the upside is a _very_ fast, very simple, and very predictable dependency manager. On the downside is that I have to really think about which libraries I trust not to break me instead of relying on my tool to specify ranges and the like.<p>Generally though, the ask from vgo is that folks care about backwards compatibility and think about trust, rather than covering up the issue. It&#x27;s not going to be great for everyone, but I like the straight forwardness of it.

So what&#x27;s happened here is there&#x27;s a bug in in gRPC 1.8.<p>What the OP wants is a way to say, &quot;hey, our software is broken with this buggy version of gRPC,&quot; as part of the dependency requirements. I can see some value in that, but it also feels like a case where just documenting it in the README would not be super-unreasonable.<p>As a practical matter, <i>any</i> time a dependency A says it wants some other dependency B at version V, if you are using B at a version U&gt;V, you are running in a untested configuration, and may encounter problems. (But! this will only happen if you are specifically requesting U&gt;V, or if you have some other requirement A2 requesting B@U. In the latter case, again, you are running a new, untested combination of software, and there might be problems.)<p>An alternative to this would just be allowing multiple copies of B at the same major revision, B.U and B.V. But due to Go&#x27;s use of package-level global variables, that is just as likely, if not more so, to cause bugs, since not all packages will see the same set of shared variables.<p>It does seem like extending the vgo to allow != version requirements might be reasonable. Not full-on &lt;=, which breaks builds or leaves them unsat forever, but just a != to say &quot;hey this version is buggy and we know we don&#x27;t work with it.&quot;

One possible &#x27;solution&#x27; to this is to disallow publishing minor versions that break the api, basically compare all the public signatures to see if they change. E.g. adding a new field is ok, changing a field type is not, adding varargs parameter is ok, changing the order of parameters is not etc etc.<p>The problem with this solution is that <i>behavior is part of the api, but it is not encoded anywhere that can be compared automatically</i>.<p>That&#x27;s exactly what happened in the example in the linked article. Two new fields were added (no problem, that&#x27;s allowed), and the implementation of another field was changed. This change is either fine because it doesn&#x27;t change the behavior (refactoring, optimization, fix a bug, etc) or not fine and it changes behavior that breaks existing code, which is what happened in the example.<p>This behavior was not encoded anywhere, so an automatic publishing gate wouldn&#x27;t have caught this.

vgo was explicitly designed to balance out two needs: (1) the need to use known good versions of the dependencies, and (2) the need not to burden dependency consumers with meaningless constraints (especially with an upper limit on the version). This article shows* why the first need is important, but it does not give vgo the credit for satisfying it with its minimal version selection (and, indeed, for providing a more stable and hence reliable solution than maximum version selection), and it misses the value of the second need. In my experience, the upper limit on the minor version is most often arbitrary, and in some cases when it is not, a future minor version reverts the mistakenly introduced incompatibility. Therefore vgo approach has unique advantages over other version selection methods, and it should not be discounted for the lack of a feature necessary to provide them.<p>* The article says that &quot;Prior to 1.4.0 there was one function of MaxMsgSize&quot; which &quot;had previously set the size on both send and receive&quot; but it does not substantiate this claim, and it may be false since go-grpc 1.3.0 documents that &quot;MaxMsgSize returns a ServerOption to set the max message size in bytes for inbound mesages&quot; <a href="https:&#x2F;&#x2F;github.com&#x2F;grpc&#x2F;grpc-go&#x2F;blob&#x2F;v1.3.0&#x2F;server.go#L166" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;grpc&#x2F;grpc-go&#x2F;blob&#x2F;v1.3.0&#x2F;server.go#L166</a>, and it has not changed in go-grpc 1.12.0 <a href="https:&#x2F;&#x2F;github.com&#x2F;grpc&#x2F;grpc-go&#x2F;blob&#x2F;v1.12.0&#x2F;server.go#L228" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;grpc&#x2F;grpc-go&#x2F;blob&#x2F;v1.12.0&#x2F;server.go#L228</a> which strongly suggests that this is not a bug.

For the uninitiated, vgo has a way to blacklist&#x2F;exclude certain versions of dependency modules, but it only works for the top-level module being built. Exclusions from deeper dependencies are not honored in order to avoid an np-complete satisfiability problem (<a href="https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo-mvs" rel="nofollow">https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo-mvs</a>).

&gt; <i>The issue Sam called out about handling the case where someone isn&#x27;t following the spec. This can be on purpose or by accident. It&#x27;s not uncommon to find it.</i><p>This is a common occurance. So common - in fact - that I think it’s almost always better to either pin everything or nothing and hope the unit test will find any breaking behavior.

MVS sucks, except maybe to protect some users of libraries from their own stupidity. I&#x27;d rather not have to deal with that. The way Cargo and other tools do it works perfectly fine and is well integrated with SemVer. Default behavior is to upgrade to the latest non-major release, but it&#x27;s easy to override for libraries that are more volatile or less trusted.

I&#x27;m amused...<p>While this was on the homepage or hacker news, vgo was marked as accepted. It&#x27;s the timing I find amusing.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;24301#issuecomment-390766926" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;24301#issuecomment-39076...</a>

Minimum-version-selection is exactly equivalent to giving an opaque cookie to the name of every version.<p>&quot;I need libfoo version ScreamingOrangutan&quot;<p>There&#x27;s nothing to be done with a numeric string other than match it, so you might as well choose something memorable or with meaning to humans.

Super confusing that they picked a name that&#x27;s so similar to VG (the tool to manage your go workspaces, similar to python&#x27;s virtualenv): <a href="https:&#x2F;&#x2F;github.com&#x2F;getstream&#x2F;vg" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;getstream&#x2F;vg</a>

1. You should always fix your versions so things don&#x27;t automatically upgrade 2. A good test suite will catch when things break so you don&#x27;t find out in production. 3. Combining the above 2 it becomes easy to occasionally see which packages changed and upgrade to more recent versions. 4. After trying out a ton of dependency management tools (python, ruby, node, go, java) I think Yarn is the nicest solution i&#x27;ve worked with so far.