#debian-rust log

18:58:59 <silwol> #startmeeting
18:58:59 <MeetBot> Meeting started Wed Aug 26 18:58:59 2020 UTC.  The chair is silwol. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:58:59 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:59:08 <silwol> Welcome everybody!
18:59:14 <kpcyrd> hi!
18:59:22 <hntourne> Hello
18:59:36 <silwol> #topic agenda
18:59:48 <silwol> I created a wiki page at https://salsa.debian.org/rust-team/debcargo-conf/-/wikis/IRC-Meeting-Agenda for collecting the agenda topics.
19:00:47 <silwol> My idea is that we collect the topics between the IRC meetings.
19:01:24 <wookey_> just made it
19:01:27 <silwol> I simply created it in the debian-conf namespace, not sure it's exactly the best place.
19:01:34 <silwol> welcome wookey_
19:02:30 <silwol> any input on this topic?
19:03:06 <wookey_> which topic?
19:03:21 <wookey_> where to put the agenda?
19:03:27 <silwol> exactly.
19:03:58 <wookey_> I'd use the debian wiki rather than the salsa wiki for this sort of thing
19:04:11 <wookey_> but I don't suppose it matters much
19:04:11 <silwol> silence is consent ;-)
19:05:23 <silwol> for me it doesn't matter. I didn't think about the debain wiki as I don't use it that much, the thought was more whether the debcargo-conf namespace is the correct one.
19:05:33 <silwol> but debian wiki is a good idea also.
19:05:46 <wookey_> I'd expect that to be about debcargo-conf package
19:05:58 <wookey_> the debian wiki is the right place for info not specific to packages
19:07:25 <silwol> it mainly is, but we'll probably also touch other relate topics in the future.
19:07:52 <silwol> I think we'll leave it as is for now, except if somebody comes around with a proposal.
19:08:04 <silwol> #topic status updates on the topics from the previous meetings
19:08:11 <wookey_> if you are used to using salsa to organise the team then putting all the info on salsa makes sense I guess.
19:10:00 <silwol> I contacted the golang team and asked for the information about working on a repository for build-time deps only.
19:10:34 <silwol> they already had a bug report on which people from our team commented that weren't present on the previous meeting.
19:10:56 * silwol looks up the bug no…
19:11:12 <stappers> #idea dedicated Salsa project for  orga stuff  as an agenda
19:11:43 <silwol> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949163
19:12:42 <silwol> I didn't get around to contact any of the other teams as mentioned in the todo.
19:13:27 <silwol> kpcyrd: you mentioned you were in contact with kali people, would you like to talk a bit about their stance?
19:16:36 <kpcyrd> yes, hold on
19:20:30 <f_g> here (better late than never ;))
19:20:46 <silwol> welcome f_g
19:21:28 <wookey_> you've not missed much :-)
19:21:35 <eriol> I'm here too... sorry for being late!
19:21:55 <silwol> welcome eriol
19:23:13 <silwol> while we're waiting for kpcyrd's report, I can in the meantime tell that I didn't manage to contact f_g, so no process on creating the feature-collapsing PoC :-(
19:23:39 <f_g> indeed. been busy with non-Debian stuff like vacation ;)
19:24:10 <f_g> there has been 'progress' by the way of lots of REJECTs, and the BoF today though.
19:24:24 <f_g> so maybe a report from that would be interesting for those that missed it?
19:25:09 <silwol> f_g we have that on the list, we're currently wrapping up the status of the todo list from the previous meeting.
19:25:19 <f_g> ack
19:25:23 <silwol> (I updated https://salsa.debian.org/rust-team/debcargo-conf/-/wikis/IRC-Meeting-Agenda accordingly ;-) )
19:25:29 <capitol> my take on the BoF: we didn't really have that much of solutions in the BoF, it was more that people shared their frustrations and got to meet eachother
19:25:54 <capitol> oh, sorry for going out of turn :)
19:26:02 <kpcyrd> got a call, be back in a few min sorry
19:26:31 <silwol> maybe we should talk about the debian-rust mailing list topic?
19:27:21 <silwol> stappers: you wrote to the listmasters, would you like to report what the status is there?
19:28:15 <stappers> The sad news is there is nothing to report.
19:28:44 <stappers> Listmasters didn't yet respond.
19:29:06 <stappers> In attempt the break the silence
19:29:36 <silwol> +1
19:29:43 <stappers> I did invite listmasters to attend this IRC meeting  ( silwol  had CC ( yesterday ))
19:29:53 <hntourne> stappers: do you have the needed advocacy for the request? If I recall well you mentionned 2 DD should be "supporting" the request
19:29:56 <silwol> I read that. Not sure any is present.
19:30:21 <wookey_> I'm a DD
19:30:28 <eriol> I'm a DD too
19:30:34 <wookey_> hapy to support the idea that rust should have a mailing list
19:30:45 <eriol> me too of course
19:30:48 * stappers is not sure about the minium DD count for a new ML
19:30:48 <wookey_> surpried you don;t have one already!
19:31:06 <silwol> wookey_: we do, but  it has a difficult-to-remember address, and is spammed by package upload messages.
19:31:08 <f_g> wookey_: there is an alioth one that is the maintainer address
19:31:30 <silwol> we'd like to have debian-rust@, but keep pkg-rust-maintainers@ for the package upload messages.
19:31:41 <wookey_> right. makes sense
19:32:07 <wookey_> that's where I just looked, to see no list :-)
19:32:15 <stappers> eriol: wookey_  please use your "DD status" on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966088
19:32:53 <wookey_> Will do
19:33:00 <stappers> :-)
19:33:13 <eriol> sure! :)
19:33:41 <silwol> #todo eriol wookey_ write support e-mail to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966088 bug
19:34:03 <silwol> anything else open from the to-do list?
19:34:33 <hntourne> stappers: https://www.debian.org/MailingLists/HOWTO_start_list - says that it s appreciated if other shows shared interest - does not seem mandatory but can't harm :)
19:34:45 <f_g> infinity0: wanted to write a TCTTE draft AFAIR
19:36:13 <wookey_> OK. bug mailed
19:38:06 <silwol> f_g seems the item didn't land on the todo list, so no idea whether the idea was to write a draft already.
19:39:30 <wookey_> I guess that's related to the NEW/debcargo/crates issue which we'll no doubt get to shortly
19:40:15 <silwol> kpcyrd: should we proceed to the next topic and you tell your report later?
19:40:23 <f_g> silwol: see 21:40:58 ff from last log
19:40:32 <kpcyrd> I'm back
19:40:41 <silwol> cool!
19:41:10 <kpcyrd> ok, so kali would like to ship rust software, but they would prefer something that's simpler than what we're currently doing (until the software landed in debian proper, at which point they would drop their package)
19:41:54 <silwol> do they have any plans to implement something by their own?
19:43:03 <kpcyrd> they are still looking for an approach that builds offline, now I'm wondering what's the easiest way to 1) take the upstream tar ball 2) populate it with cargo vendor 3) repack it as tar ball and proceed with regular debian tooling
19:43:31 <kpcyrd> for the 3rd step I'm lacking knowledge about how to do that with debian tools
19:43:56 <f_g> kpcyrd: you could look at what src:cargo does in Debian
19:44:05 <f_g> (not src:rust-cargo !)
19:44:11 <kpcyrd> and I'm not sure what's the right channel to get support, #debian-devel is probably just for debian specifically
19:44:17 <kpcyrd> f_g: good hint, thanks!
19:44:52 <wookey_> dpkg-source will repack a debian source tree
19:45:13 <wookey_> that might be what you are looking for
19:45:37 <f_g> it's basically what we do for cargo the binary package, vendor all the crates it depends on so that we don't have the cargo <-> debcargo-conf bootstrapping problem
19:46:38 <kpcyrd> sounds great, I'm going to look into that and ask in #debian-rust if I'm stuck :)
19:47:11 <f_g> https://salsa.debian.org/rust-team/cargo/-/blob/debian/sid/debian/scripts/debian-cargo-vendor
19:48:05 <silwol> It looks like I'll have to leave in about 20mins.
19:48:27 <wookey_> dpkg-source -x package.dsc, add crates, dpkg-source -b <directory containing source>
19:48:50 <kpcyrd> we can proceed to the next topic!
19:49:11 <silwol> #topic summary of the BoF earlier today.
19:49:35 <silwol> who would like to give the summary?
19:49:59 <wookey_> you were there :-) and knwo what's what :-)
19:50:12 <silwol> I tried my best.
19:50:38 <silwol> but it's difficult for me to summarize.
19:50:52 <silwol> of course the main topic was the ftp/binpackage problem.
19:51:59 <wookey_> I think we found that FTPmasters (at least according to Waldi, and no others came despite being given opportunity)
19:52:25 <wookey_> really are no longer going to accept the existing debcargo scheme
19:52:42 <wookey_> So we can:
19:52:46 <capitol> yeah, they were quite clear on that
19:52:48 <wookey_> 1) give up a go home
19:52:55 <wookey_> 2) change to some other mechanism
19:53:02 <wookey_> 3) take it to the technical committeee
19:53:38 <wookey_> It ewas good to have some go people present as they are in a similar situation
19:53:54 <wookey_> but have chosen a more conventional packaging system
19:54:22 <silwol> I assume the go people don't have the problems in the same way we do, as the go bulid system doesn't support features from what I can tell.
19:54:36 <wookey_> Agreed - there are technical differences
19:54:59 <wookey_> which I have not yet grokked
19:54:59 <silwol> What we have in common is the static-lib issue though.
19:55:07 <silwol> or better, static-compilation.
19:55:43 <silwol> from what I assume the issue is that debian is mainly designed to work well with shared libs, and reflects that in the packages.
19:56:18 <capitol> the debian security team had a question on how we track security issues in crates when everything is statically compiled, and I think our answer was that we don't
19:56:25 <wookey_> we talked about mechanisms to do rebuilds when there are updates to libraries
19:56:29 <silwol> if you find a security issue for example, you fix that, and as long as no ABI-incompatible changes were made (which rarely is necessary for that type of problem), you just replace the affected lib with a fixed version.
19:56:50 <capitol> that would be an nice thing to work on at some point in the future
19:56:59 <f_g> capitol: you basically re-compile leaf packages that ship binarys that are built-using the affected library crate
19:57:01 <silwol> with our packaging scheme, we upload source code into binary packages, so once we update a lib, we have to recompile the affected bin packages.
19:57:03 <wookey_> capitol: right, and it's not unreasonable to ask that we make one
19:57:05 <f_g> but no automation for that yet
19:57:22 <capitol> f_g: yes :)
19:57:58 <silwol> is that a solved issue in golang? it seemed to me that they don't have a solution to that eiteg.
19:57:59 <silwol> either.
19:58:15 <wookey_> silwol: yes I think they are looking for something too
19:58:49 <f_g> in the trivial/API compatible case its a grep on build info + schedule bin-NMU
19:59:03 <wookey_> It was noted that the haskell team have a system, but that is tpo deal with the fact the the abi for everything changes when the compiler is updated
19:59:13 <wookey_> which is a bit different
19:59:20 <f_g> in the non-trivial case, it's the same as for shared libs that break ABI in a security fix, look at the breakage, fix it, do an upload
19:59:37 <f_g> wookey_: rust is the same, which is why nobody does shared linking
19:59:43 <silwol> I think a shared solution between the teams - or one that is similar in handling by the security and release people - would help here.
20:00:02 <silwol> (so rather package metadata than anything rust-specific)
20:00:14 <wookey_> f_g: right, I see. so we _could_ do that, at the cost of having to rebuild _everything_ on a regular basis
20:00:26 <capitol> we could pull security information from: https://github.com/RustSec/advisory-db/
20:01:00 <f_g> wookey_: in theory yes. in practice, there are a few road blocks to even do that ;)
20:01:23 <wookey_> f_g: OK, what is the problem?
20:01:39 <silwol> capitol: https://github.com/RustSec/cargo-audit might help here as well.
20:01:52 <f_g> I don't have the details handy, but a colleague did an attempt at shared linking at work and there were quite some more caveats beside the whole 'toolchain update invalidates all the built binaries/libs'
20:02:24 <f_g> IIRC something regarding the std lib, and intra-crate linking
20:02:39 <wookey_> I saw something about symbol mangling. I need to investigate/understand this
20:03:23 <silwol> I talked to efraim (rust-guix, was in the bof today) in person after their rust presentation on fosdem, they have similar problems.
20:03:43 <wookey_> The current security assumption is that it only needs to be fixed in one place, and that package gets fixed, re-uploaded and built
20:04:15 <wookey_> that's not really true because we already have embedded libraries so somtimes more than one thing needs to be fixed/uploade/rebuilt
20:04:23 <silwol> true, and in our scenario we have the additional point "find all affected leaf packages and rebuild them as well".
20:04:23 <f_g> yes, but they already needed some mechanism/tooling for go for Buster IIRC
20:04:31 <wookey_> the number just rises for statically-linked things
20:05:18 <f_g> yep. and it's mostly automatable (as in, a script that gives you all the packages needing a rebuild/bin-NMU given a fixed lib crate package)
20:05:20 <wookey_> seems to me that fixing this for the general case in the tooling that the security team use would be a good plan
20:05:58 <f_g> a generic one that detects whether the fixed package is a go/haskell/rust/.. package and then runs the appropriate lookup over build info is probably a good idea
20:06:13 <f_g> first step would be to ask them whether they have anything like that already that could be extended to support rust
20:06:42 <wookey_> some tool that knew how to follow the build-deps/build-info/built-with metadata for various languages and schedule/order builds/binnmus as required would make a lot of people happy
20:07:28 <silwol> does any of these metadata sources already contain everything required?
20:07:57 <wookey_> I presume that the necessary info can be extracted, but I don;t actually know.
20:08:16 <wookey_> The catch is having to grok 8 different languages and their tools :-)
20:09:06 <f_g> IMHO the bigger question is how to proceed w.r.t. ftp-masters and debcargo
20:09:27 <eriol> I remember this tool for Go: https://tracker.debian.org/pkg/ratt but I don't know if it covers the security related use case. I used Go several years ago, but never used it.
20:09:54 <siretart> I've been using that tool successfully recently
20:09:59 <silwol> f_g yes, that's currently the most pressing issue to unblock.
20:10:13 <siretart> it uses dose to calculate reverse dependencies and then invokes sbuild to build each of them
20:10:35 <wookey_> I was going to say that dose can probably help us work out the deps
20:11:00 <capitol> should we make a list of people that want to look at the security tooling problem and continue to the ftp-master problem?
20:11:09 <capitol> I have to leave soon also
20:11:18 <capitol> I'm willing to be on that list
20:11:37 <wookey_> Sure
20:12:17 <wookey_> the security thing is important, but not as urgent as 'our whole language is blocked until we think of a new plan'
20:13:19 <wookey_> I think we have to decide if we want to fight or acquiesce
20:13:33 <capitol> just to throw something radical out there: could we vendor all dependencies instead?
20:13:52 <silwol> capitol: `cargo-deb` ;-)
20:14:17 <wookey_> capitol: you mean put all the deps in the source of each rust package?
20:14:22 <f_g> #topic debcargo future / ftp masters rejects
20:14:38 <silwol> not sure the security team would be happy about that, I think it would be too easy to overlook vendored crates.
20:14:54 <f_g> capitol: I don't think either ftp-masters or security would be happy about that approach
20:15:05 <f_g> see discussions about kubernetes a few months back on -devel
20:15:28 <f_g> it also scales rather badly when more and more tools written in rust get packaged
20:16:00 <silwol> plus you'd have many libs in different versions.
20:16:02 <f_g> (if you don't want to drop all pretense of packaging the deps sanely, e.g. try to avoid duplicate versions, vendored bindings, ...)
20:16:02 <capitol> so they want one package per crate, but not our current solution for features
20:16:06 <wookey_> I'm up for doing some analysis on the current situation and what happens if we collapsed all the features
20:16:38 <wookey_> which seems to be the main sticking point
20:16:42 <f_g> capitol: not necessarily. e.g., the JS team sometimes bundles small modules into a single source+bin package
20:17:04 <f_g> but yes, they don't like that we ship many empty binary packages
20:17:15 <silwol> #todo silwol still would like to work on adding the feature-collapsing to debcargo.
20:17:20 <f_g> they also don't like that we do a lot of provides encoding semantic version info in the provided package name
20:18:04 <f_g> both would be reduced if we don't enable all features by default
20:18:59 <silwol> f_g do you think some kind of "whitelisting" for features, or simply patching out everything we don't need?
20:18:59 <f_g> but both would only go away completely if we don't automatically convert the info from Cargo.toml to d/control, but instead specify it manually on a case-by-case basis
20:19:53 <f_g> IMHO a map of {"bin_package_a" -> ["feature_1", "feature_2"], ...} would be the most sensible middle-ground approach
20:19:54 <wookey_> f_g: yes, but that's what packaging is.
20:20:47 <wookey_> It's nice to have totally automatic packaging from upstream's module system, but sometimes that doesn;t really make sense, or upstream's sysem is just to crazy to map into a distro well
20:21:17 <wookey_> We only have to do it once for each package, don't we?
20:22:19 <wookey_> (sorry if I'm asking dumb questions here - I'v enot yet taken the time to propoerly understand this stuff)
20:22:22 <silwol> what if we default to collapsing all features in a package with a specific naming scheme? it would help us to find and exclude features that miss dependencies, and it would only require work on packages that depend on such packages that were not collapsed.
20:22:34 <silwol> (thus saving us from polluting the provides lines)
20:22:51 <f_g> wookey_: you'd have to do it for both sides of the dep relation if you do it fully manually
20:23:05 <f_g> and upstreams basically change/add/remove feature every second patch release for some crates
20:24:02 <f_g> rust makes up ~4% of source packages in main, I think it would not be very feasible to have this kind of overhead for packaging lib crates
20:24:17 <f_g> a single binary can easily have hundreds of transitive dependencies
20:24:55 <wookey_> f_g: if we add metadata to a package to conflate features, why can' tthat metadata be used automatically by things that depend on the package?
20:25:18 <wookey_> i.e why do we have to 'do both sides manually'?
20:25:46 <f_g> because debcargo as a standalone tool does not know/care about the current instance of debcargo-conf
20:26:06 <f_g> so it would not know where to find that information
20:26:15 <f_g> it operates on a single crate at a time
20:27:29 <wookey_> Does anyone think that in fact debcargo is just the right way to do this and the FTPmasters are wrong to reject it?
20:27:52 <wookey_> i.e we should write a complainto the technical committee?
20:28:02 <f_g> infinity0 definitely does ;) they're also the main author of debcargo :-P
20:28:50 <f_g> I think debcargo works quite well, but I can understand some parts of the criticism. it's rather different from most other packaging approaches
20:28:50 <capitol> I haven't understood if we are running into some sort of technical limitation, or if it's just someone who thinks it's ugly
20:29:26 <silwol> I don't have very strong opinions on that. I have been maintaining an in-house repo with a major part of the crates for some time, and it worked really well.
20:29:27 <wookey_> ah yes, one other thing of significance from the BoF. When asked about 'why are we going through NEW', FtP masters did sort-of agree that if there was a reliable way to distinguish being 'real NEW' and 'NEW that should be autoaproved' then maybe that could be done
20:29:34 <f_g> I think it's mainly an argument of 'this is a waste of resources'. both human (bin-NEW triggers ftp master reviews) and machine (bigger Packages files -> more parsing overhead -> ...)
20:29:50 <silwol> but we have the shared resource "package index", and from that pov I understand that there are some issues.
20:30:54 <silwol> wookey_: according to waldi they basically have that reliable way, but they decided that rust isn't worthy of getting access to it :-)
20:31:13 <wookey_> So it may be worth pushing the idea that manual NEW review could be skipped in specific circumstances, if we could reliably define those
20:31:47 <wookey_> silwol: hmm, that's not what I understood from what was said. I thought he said there was no such mechanism
20:32:08 <wookey_> (implying that if there was a mechanism they were happy with, then maybe it could be done)
20:32:23 * stappers was not at the BoF
20:32:41 <silwol> as I said earlier, I assume that waldi's position may not be same as the one of the majority within the ftpmasters team, but that's just my impression from the outside.
20:32:41 <f_g> wookey_: it would basically be 'auto-approve bin-NEW for librust-.*+.*-dev'
20:32:50 <stappers> Which other FTP masters beside Waldi did speak?
20:32:57 <f_g> as those are always empty semantic packages atm
20:33:16 <silwol> stappers there was a general invitation addressed to the ftpmasters team, but only waldi showed up.
20:33:28 <wookey_> f_g: but those packages are actually 'genuinely NEW' on initial upload
20:33:34 <stappers> chips
20:33:43 <silwol> If I understood it correctly waldi said they have such a mechanism, but it's more targetted towards kernel packages et al.
20:34:11 <silwol> f_g but 'genuinely NEW' is also triggered on new source packages, right?
20:34:22 <wookey_> silwol: yes
20:34:22 <f_g> wookey_: no, on first upload rust-* is NEW
20:34:45 <f_g> on a 'new/renamed/...' feature upload, only librust-.*+.*-dev are bin-NEW
20:34:51 <wookey_> OK. I see what you mean. Should work
20:35:13 <silwol> and the non-features bin package which is built from every rust source package would also be new on the first upload.
20:35:21 <wookey_> Waldi claimed to speak for all ftpmasters on this. We don;t know if that's really true
20:35:35 <wookey_> But I have no reason to doubt it
20:35:55 <f_g> but such an auto-approve would just solve our problem of long bin-NEW wait times
20:36:08 <f_g> it does not remove the concerns about the index/Packages file
20:36:14 <wookey_> f_g: exactly
20:36:20 <wookey_> IMHO that matters
20:36:22 <f_g> and it's unlikely we get such an auto-approve before we managed to clear those concerns
20:37:05 <f_g> so it's back to square one - do we want to attempt CTTE to get a third opinion on whether our usage of Packages to encode semantic information is okay
20:37:28 <f_g> and if no, or if yes and it fails, how do we reduce the number of things we encode there
20:37:49 <f_g> 1.) don't package all features, but only a sub set that is explicitly specified
20:38:12 <f_g> 2.) don't split binary packages by feature (sets), unless explicitly specified
20:38:23 <f_g> was what I proposed back in the salsa issue
20:38:32 <f_g> I'd possibly even add
20:39:11 <f_g> 3.) don't encode semantic versioning information in provides, instead implement a mechanism to map package names in rdeps to support the rare case of multiple lib crate versions in one release
20:39:23 <f_g> then we can instead do plain versioned build-deps
20:39:42 <wookey_> This is the way I would try to go if it was up to me.
20:40:22 <f_g> the first two would work simply on the rdep side, the third one would need to be done on both sides of the packaging equation, but is/should be a rather rare occurrence
20:40:40 <wookey_> as I put in the etherpad, we currently have 14,148 binary package from 767 source packages
20:40:48 <wookey_> that's excessive IMHO
20:41:30 <f_g> yes, and lots of features that are no used by any rdeps, but it's hard to tell how many of those are just unused because stuff that would use them is not yet packaged/did not make it through NEW (yet)
20:41:40 <wookey_> 18 binaries per package
20:42:27 <silwol> that seems more than I would assume from my experience working on the packages.
20:42:44 <f_g> I'd also say that there are some false positives or some massive outliers in there
20:42:45 <wookey_> I'd also push back upstream on the static/dynamic thing. People are ARM are doing this too
20:42:48 <silwol> are these true bin packages, not provides?
20:43:10 <wookey_> silwol: not sure - I did some quick apt-cache grepping last night
20:43:49 <wookey_> I don;t think apt-cache shows virtual provides, but it may show non-virtual provides. I forget the details
20:43:52 <silwol> if the provides were included the number would be around what I'd expect.
20:43:58 <f_g> I count ~1700 bin packages in main, for ~800 source packages
20:44:39 <f_g> (via grep-dctrl | sort -u | wc -l, so might have some noise in it as well)
20:44:43 <wookey_> OK, that sounds a lot better
20:44:53 <wookey_> It was 2am :-)
20:44:57 <silwol> thats nearer to what I'd expect.
20:46:06 <silwol> so basically, that number could be reduced to match nearly the number of source packages, and the provides could possibly removed if we didn't encode the semver information in our version numbers, right?
20:46:14 <wookey_> that 14,000 is from apt-cache dump | grep librust- | grep Package: | sort | uniq | wc
20:47:49 <silwol> yes, that includes provides at a quick glance.
20:47:59 <wookey_> OK.
20:48:30 <wookey_> silwol: ISTM that the semver info should only be encoded in package names when you need to have more than one in the archive at once
20:48:53 <f_g> wookey_: or not even then, you just need to tell the rdep to explicitly depend on the older package
20:49:01 <silwol> yes, I also think it is the exception to have more than one version.
20:49:02 <wookey_> for that vast majority of packages where 'latest' will do it's not needed
20:49:21 <silwol> From the design it looks to me as if it was intended to provide smooth migration to newer versions.
20:50:12 <silwol> I also think the package name without the version number in the name was not there from the beginning, but got introduced at a later point.
20:50:39 <wookey_> right. I saw some debate about that in a bugrep
20:50:46 <f_g> yes, the current mechanism allows to upload a crate B that depends on crate A ver X
20:50:58 <silwol> so all packages were intended to look like librust-rand-0.6-dev, but that was in the time before the first crate packages got uploaded to the archive.
20:51:09 <f_g> and even if we later upload crate A in ver Y, and re-upload crate A-X for version X, the old built crate B is still vaid
20:51:47 <f_g> the new mechanism would require a rebuild of crate B with a flag to encode the version X of A in the dependency package name
20:52:44 <f_g> which is okay, as that is supposed to rarely happen, and if it does, it's a simple rebuild without any other changes
20:52:48 <silwol> I worked on the rand 0.6 to 0.7 migration some time ago, and the main blocker was getting 0.6 through NEW before updating the non-version-named package to 0.7, just to have the 0.6 packages removed afterwards.
20:53:13 <f_g> silwol: even more reason to make that a rare exception ;)
20:53:33 <silwol> I also think if we make the parallel version installable package the exception this increases the pressure on us to push upstream.
20:54:16 <wookey_> It seems to me that we may be reaching a consensus amongst those present on the direction to take?
20:54:32 <wookey_> BUt we may get disagreement from those not [present
20:54:57 <silwol> true. so how do we proceed on this topic?
20:55:04 <wookey_> all this still requires someone to do some work
20:55:43 <silwol> infinity0 expressed thy would take a look at the MR if we proposed one.
20:55:45 <wookey_> If we had a mailing list, I'd say a summary to the list :-)
20:55:55 <f_g> wookey_: silwol and me already volunteered trying a PoC for debcargo last time, we just didn't do it yet. I am not that familiar with CTTE and policy to weigh in whether we want to go down that route
20:56:10 <silwol> I'd be willing to work on debcargo, but I can't promise I'll be able to invest a lot of time, so help would be welcome.
20:56:51 <silwol> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-rust-maintainers for now.
20:56:56 <wookey_> I think the action is to look seriously at what a new scheme would look like
20:57:21 <wookey_> what that does to the number of packages and provides and circular dependencies
20:57:28 <eriol> I just don't know if I would able to work on something like this, but as I said I changed job to have more time, so I can help here if someone can mentor me.
20:57:35 <f_g> I'll try to find some time in the next 2 weeks to start on the feature/bin-package filtering feature and flesh that out more as well
20:57:57 <f_g> I think the version thing is fairly straight-forward, it's mostly dropping or selectively disabling certain code paths
20:58:04 <wookey_> I have some expertise in dependency analysis, but very little in debcargo yet
20:58:27 <wookey_> Last 3 weeks I have done nothing but wall insulation :-)
20:58:39 <f_g> wookey_: I think the main issue is that it's hard to estimate what the additional work load to think about and manage those feature sets will be
20:58:46 <capitol> I have to leave, I'll read the rest of the meeting tomorrow
20:58:48 <f_g> but it might be that we don't have a choice anyway
20:58:54 <wookey_> I put last board up 3 hrs ago, so when I go back to work I can spend some time on this
20:58:56 <silwol> bye capitol
20:59:04 <eriol> bye capitol!
20:59:49 <wookey_> Thanks for a productive discussion.
21:00:08 <silwol> f_g is it ok for you to contact me when you want to work on this? I usually have my day off on fridays, and when school starts again, it will be easier to allocate that for whatever I want.
21:00:36 <silwol> apart from that, evenings are ok as well most of the time.
21:01:14 <silwol> I imagine I could start hacking, but I'm sure I would miss many edge cases and ideas you already thought about.
21:01:29 <f_g> yes, sure :) will probably end up being the first week of school anyway ;)
21:02:20 <silwol> #todo f_g silwol hack on feature-collapsing in debcargo (again ;-) )
21:02:34 <f_g> for real :-P
21:03:01 <silwol> ok, so I think we'll leave this topic for now. feels like we're making some progress.
21:03:32 <silwol> #topic overview page for packaging
21:04:14 <silwol> I stumbled over https://go-team.pages.debian.net/ some days ago, and found that a really great entry point for people new to a team.
21:04:47 <silwol> I think we should put the idea of creating something similar on our radar.
21:05:03 <silwol> (no immediate action required, just wanted to drop it so it's seen by others).
21:05:23 <silwol> that's all from my side.
21:05:36 <silwol> any other topics?
21:05:57 <wookey_> not from me
21:06:16 <f_g> silwol: looks similar to the wiki.d.o page: https://wiki.debian.org/Teams/RustPackaging ;)
21:07:04 <silwol> basically yes, but more structured and better-looking.
21:08:31 <f_g> :D
21:08:37 <silwol> although I'd say our page contains much more detailed information than required for a newcomer. I also really like the short list of helpful links for daily packaging tasks that is easy to spot.
21:08:57 <f_g> would not hurt for sure, just needs to be kept updated as well..
21:09:10 <f_g> (I don't have any other topics either btw)
21:09:22 <silwol> ok, then I'd say we close the meeting.
21:09:28 <silwol> thanks everybody, see you next time!
21:09:32 <silwol> #endmeeting