[FEATURE] Versioning and automating versioning #468
Comments
|
Hey @fpliger just let me know what the versioning format will be, and I can do the work to get a release model going somewhat quickly. Is it YYYY.MM.DD? Is there a major or minor version in there? That's pretty much all I need to know. |
|
I'm not sure if the ship has sailed on this one, but are you sure that it's a good idea to depart from semver? Every other JS project uses semver, and there is a lot of tooling built around the assumption that packages follow this convention. This, for example, includes security tooling in package managers that help devs detect and manage vulnerable packages. Tools like Semver also allows package authors to e.g. release a critical security update for the old @fpliger In your reasoning for going with calver, you mentioned this:
The usual convention here is to simply start the version number at Either @sugatoray's hybrid proposal of I think the convention is so strong and relied-upon across the ecosystem that there needs to be an extremely strong argument made against at least having a semantic leading digit. |
|
Regarding this part of this comment:
I don't really understand - if the user has written some PyScript code, then don't they just care about breaking changes to PyScript? So the "contract" with the user can just be a single version string like |
|
@josephrocca , thanks for your feedback here and sorry for the slow reply here... I wanted to make sure the rest of the core team is aligned after the points made in this thread.
That's sort of an industry problem that should be fixed upstream. The decision of adopting In general, we'll always try to keep backwards capabilities and add deprecation cycles when we change API (when possible) but realistically, anyone using PyScript today should understand that it's in Alpha stage. After so many years in the industry, also working closely with package managers, repository and package building teams, I believe that the main overall change tat should happen is fact is that users should always upgrade versions carefully and have tests to make sure upstream new releases don' break their code (from patch to minor and major releases). The discussion and links in # 337 are also relevant
Wouldn't that be trying to squeeze As the project matures things might change. PyScript itself will probably change and we can re-evaluate the framework and related tools (including version conventions)
No worries, it's probably a lack of setting the context on my side. This is really me thinking about a possible future development for PyScript components APIs and so... Probably better to keep it on the back burner for now, until we have a good use case. |
|
I've added some explicit question markers as (1), (2) and (3) in the text below to help organise the key points that I'd love to get answers on, if that's okay!
Such a strong promise is not necessary for the key utility of semver to be realised - "perfection" is not needed, and the automated tools are never used without human supervision. It's simply that having markers for large/likely-breaking changes is useful - and not just for the automation tooling. E.g. this example that I gave in my previous comment:
(1) How does calver handle this sort of thing? It seems like patch/fix releases for older versions would be less legible and harder to manage. Funadamentally, having major versions forces projects to be respectful of the ecosystem that surrounds the project - breaking changes are generally "saved up" until there are enough for a major version. This allows the ecosystem around PyScript to move "in step" with it much more easily. Things in the ecosystem can target/support a major version of PyScript, and the support matrices (even if not explicit) remain "sane"/manageable. Breaking a convention incurs a cost that is proportional to the strength of that convention within the ecosystem. The semver convention within the web ecosystem is quite strong! (2) Is there really a strong enough reason to break this convention? If there were strong benefits to using calver, it might be worth it, but what's the strong benefit here? If it's because you need to be nimble in these early stages of the project, why not just stick with (3) All listing of versions in package managers / Github releases / etc. have dates beside the version numbers. I.e. users can easily see the date on which any particular version was published. Is there any reason to include this date within the package version itself? Why not use that "real estate" to indicate some useful information about compatibility (again, it doesn't need to be perfect - just best-effort to help ecosystem). Thanks for taking the time to reply! |
Given a CalVer number like
[Including both 2 and 3 since I believe they are both addressed below] Overall, I'm sorry this choice may not make everyone happy (definitely a hard goal) but ultimately the maintainers team needs to make decisions based on their experience and what's best. The Thanks for the feedback and for taking the time to express your concerns, we really appreciate it. Hope you can understand. 🍻 |
|
Thanks for your reply :) It seems like a bad decision to not at least try to "group" breaking changes and to make those attempts explicit in the version string, and I can't see a strong reason to go against the ecosystem's package convention here, but like you said, it's hard to please everyone. Thanks for patiently responding to my comments - PyScript is an exciting project and I'm rooting for it! 🍻 |
|
I agree that being able to deploy security fixes to old releases is critical, but as fabio said That said, the main difference between calver and semver is that both introduce breaking changes but semver gives the false security of being able to do upgrades effortlessly, which is most often a false claim for a software of the size of pyscript, at least in my experience. This principle is well explained by the Hyrum's Law:
By using calver, we as a team are basically acknowledge that we cannot maintain any promise between versions: we could get the same result by using a new major number for every release, but here we are just being very explicit about it. This is of course very different than saying that we will consciously break compatibility at every commit: we will try to preserve backward compatibility, provide deprecation warnings and migration paths when possible and when it makes sense. Simply, we are not promising anything, which means that if you want to distribute your app, you should just pin the full version of pyscript. |
|
Happy to keep discussing this if my feedback/thoughts are useful here.
The disadvantage here is that you have to release a fix for every month, versus just for major versions. If you expect to release new breaking changes roughly every month then I agree that this isn't an issue with calver. And if the PyScript contributors try their best to cluster API changes into "distant" releases (as opposed to scattering them whenever, I mean), then that makes calver almost as good as semver in this respect. Semver just tries to make the organisation of breaking changes more explicit.
I don't see why a major version number isn't explicit? It's arguably more explicit to use semver here because that's what the rest of the ecosystem uses - i.e. it's a convention that's very well understood by developers. What does I want to re-emphasise that it's completely fine to bump the major version very often. Bumping the major version involves a judgement call based on the number of users your project has, and the "size" of the change, but I think there are clearly changes which don't require a major version bump, and there are clearly benefits to delimiting and clustering likely-breaking API changes. There is of course a grey area, but we ought not to throw up our hands because we can't get perfection here. It's worth considering trade-offs rather than aiming for "perfection or nothing". If in doubt, the major version can always be bumped. I think a key question at this point in the discussion is: Does calver have any key benefits to just bumping the major version for every release? Is it useful to have to date in the version given that dates are always listed next to releases? And if there aren't significant benefits but the team doesn't want to make any promises at this stage, why break the convention here versus just bumping the major version with each release? I suspect that the team would find that, in fact, there are some releases where no major version bump is practically needed - e.g. tidying up and refactoring, "well-contained" bug fixes, performance optimisations, etc. but semver seems like a better choice even if that weren't the case given the existing strong conventions in web package management. |
Personally I think they are useful and it's always good to hear different opinion. But at the same time I think this is getting more and more a "philosophical" debate and as such it is less likely to have an impact on the actual decision.
that's the main point of disagreement. I (we) think that even changes which look innocent might be backwards incompatible. So we declare beforehand that all versions are potentially incompatible.
yes, it removes the burden to think about version numbers. |
Is this the only benefit of calver? If so, why not just auto-bump the major version on every release (or use |
can you elaborate on that? What kind of incompatibilities calver would cause? |
|
Sure! Basically all packages in the JS ecosystem use semver, and a lot of the tooling in the ecosystem has come to be built upon semver, including all the most popular tools - e.g. npm: https://docs.npmjs.com/about-semantic-versioning I don't think I've ever seen calver or any other versioning system used in JS/web projects - semver has become a very strong convention. As a concrete example example the |
|
So if I understand correctly, the problem is that e.g. |
|
In the particular case of But note that this is not an npm-specific thing - rather, it's a web ecosystem thing. For example, IDEs, including newfangled and beginner-friendly web-based ones like Glitch have inbuilt tools which lean on semver package versioning. |
|
Framework for release automation in #521 |
|
thanks @pww217 !! Before closing the loop on this one, I want to make sure we covered one thing. @josephrocca you mentioned that adding a major digit in front of |
|
@fpliger in semver, starting the version with
https://semver.org/#spec-item-4
As an example, if the npm version of the package is I've just looked into how people fit calver into semver for npm/packaging compatibility, and it looks like the one approach is to use "prerelease" tag (basically a string/tag after a hyphen at the end of the semver number) to house the calver: SemVer doesn't allow leading zeros in any of the 3 version numbers, so I think the leading leading zero of single-digit months would need to be dropped. I think another possibility (that avoids use of prerelease tag and keeps leading zero on month) is just: |
|
Just leaving this here since I've been burned by software in production that had leading zeros: https://0ver.org |
|
@jezdez Can you share how you were burned, and what might have prevented the problem in your case? Potentially worth emphasising that the leading zero 'means something' (i.e. no promises made RE public API yet) in the JS ecosystem to the devs and all the popular tooling, so if the burn had to do with confusion around the implication of the leading zero (in a non-JS ecosystem) then it might not be as relevant in this case due to the strong conventions. |
|
I still don't see any benefit from adding a 0. Just trying to fit My question is more specific/explicit: Is there any benefit from the tooling point of view? Because from the semantic point of view, adding a In term of tooling. Updates will mean different things than |
There must be a misunderstanding here because I thought I answered that specific question here:
From a semantic point of view, within the web ecosystem, adding the leading zero is probably better because the established semantics across the web landscape are such that the leading zero implies exactly what you're trying to imply in this specific case: No promises RE API stability.
Agree 100% - and after thinking about this a bit (and after reading this): Since That would ensure that when people install your package, it is exactly pinned by default. NPM is the defacto package manager for the web (analogous to PyPi), and publishing there will automatically publish your package to several global highly-trusted and robust CDNs like jsdelivr, unpkg, etc. - so it definitely makes sense to publish your package to NPM. And since NPM requires semver, it makes sense to be compliant with semver "rules" when publishing. So you could use calver on Github and for internal tracking, but then publish the NPM version in a specific format (like above) that doesn't "break" normal NPM functionality. There are some popular JS projects that do this sort of thing - e.g. three.js uses a single number for their version (just increment every release), but they publish to NPM as |
|
Wrapping this up here #539 Assuming it tests through alright, we'll be set for the time being. |
|
Thanks @pww217 @josephrocca I want to wrap this up in a good way since I really appreciate your thoughtful comments on all of that. I've just checked with the core team/maintainers again to make sure if they wanted to change anything given all the feedback. The tldr is that not much has changed or has been added to the discussion in a way that changes the reasons of why choosing Thanks again for the discussion! |
True! Will be weird to start incrementing from 2022/2023 upwards and away from the actual current year, but not really a big deal.
Yep, it's not "required" in the sense of impossibility, but rather in the sense that it breaks default behavior of I can't say I really understand why, if you are using any particular package manager, you wouldn't just publish in a format that that package manager understands, since it doesn't affect the actual versioning that you use internally, but your team seems dead set on this and I've done the best I can to communicate the damage it's likely to cause here regarding the default caret with All I can say now is: Thanks for your patient discussion, and I'm really rooting for you and your project! I'm excited about what you, the Pyodide team, the JupyterLite team, and others working in the "Python x Web" space are doing. So many thousands of person-years have gone into the Python ecosystem, and suddenly unlocking a barrier between it and the web is going to be super valuable to both the web and to Python ecosystems. I can't speak from the Python side of things, but I don't think many people on the web side of things understand just how significant this "unlock" is going to be. Deeply thankful for your work on this - exciting times ahead! 🚀 |
I'm afraid I don't understand this point, so I'll as you to be patient here. The caret (aka hat) symbol, ^ , is used by default when you npm install --save a package. So, if you npm install pyscript it'll save, let's say "^2022.06.01". “^2022.6.1” would mean they’d get the latest 2022 version and after that, they'd need to manually bump the year version. It's a semantic change, not really break to the only "default behaviour". Right?
Thank you for the kind words. I share the excitement for the times ahead and hope we and other communities can indeed improve the "Python for the Web" ecosystem :) |
Yep, that's correct. The problem here is that if, let's say, the dev publishes their code to Github, and another dev (or the same dev in the future) It's possible to avoid this and get desired "exact-pin" default behavior by publishing to npm as
Of course, happy to help! |
|
Ok. That's exactly what I thought. Just to say it explicitly, by choosing Thank you again! |
|
Ah gotcha, yep if you're only introducing breaking changes on yearly (i.e. "major") releases then the example I gave is not relevant at all - |
|
closed by #539 🚀 🎉 🎉 🎉 |
Is your feature request related to a problem? Please describe.
The decided-upon versioning scheme is calver. To cut our first proper release, we'll need to settle on a final format for each version (ie is it simply YYYY.MM.DD?) and a way to deploy it, ideally with change notes and information for consumers of the build and a list of contributors for each release, if we want.
This issue is to discuss different methods to format versions and handle their release.
Describe the solution you'd like
Once the tagging format is decided on, we just need to work through what steps in the release process need to take place and what should be automated vs manual. This is the process as outlined by Github. We could do anything from a fully-automated release to a hybrid of some manual and some generated release notes.
I'll be doing more research on this over the next week and updating this issue as appropriate.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: