Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have encouraged to add this in the past, and at least prior to recent activity the other day the MSRV was actually much lower IIRC, although now a dependency update was merged that definitely bumped it notably higher 🤷♂️
This could be lowered before the next release, but I don't have time to go through the process again of minimizing the MSRV.
Since this is an area @epage is quite familiar with, should
rust-versionrepresent the actual MSRV? (which I believe we had verified for 0.13 at least via CI with a msrv focused lockfile)Or should it represent the MSRV that you could get from say
cargo-msrvand/or relatedcargocommands (not sure of the status of the msrv one that I recall required nightly), without any lock file assistance?I recall encountering a variety of scenarios where
rust-versionwas either inaccurate, or the lack of it (along with some other toolchain version specific parsing gotchas) complicated installing MSRV compatible dep versions.For example (from memory):
rust-versionwasn't bumped accordingly.hashbrown? Chose arust-versionthat was only valid if you opt-in to a feature for one of their dependencies which didn't haverust-versionconfigured.edition(despite what I recall official docs saying) enforces a minrust-versionimplicitly, sorust-versionis effectively a granular offset from that?rust-versionrather than just major.minor, even if that's not necessary.rust-versionis only accurate without a lockfile for a published crate provided the dep chain respects that with their own releases/dependencies. Notably whenrust-versionisn't used throughout the dep chain?The maintainer of this repo tends to have the habit of updating deps and raising the MSRV when that no longer installs deps successfully. That's historically also been when dev dependencies only needed for CI testing introduce the bump.
That doesn't really match my impression/expectation of what the
rust-versionhere should be, but I understand why that's their approach out of convenience / effort required to maintain it.Regardless, if this change is applied,
editionmay as well be bumped to 2021 too, likewise to 2024 when that's out and this gets bumped again (even though it may be unnecessary). Which I assume may negatively impact those with older toolchains, especially when the crate could be supported on an older toolchain release just fine (last year IIRC a contributor was insistent on keeping 1.65 support?).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An MSRV should be verified. If a
Cargo.lockis known to contain MSRV compatible dependencies, then existing CI jobs with latest rustc should be sufficient forcargo testwith just acargo +<msrv> checkjob (can be automated withcargo hack).This verification usually means that the lockfile and all parts of the projects are usable with the MSRV. There are more advanced / specialized cases where people do otherwise.
The opinion of at least some of us on the cargo team is that "support" in MSRV is a matter of policy and not syntax, so it doesn't have to be what
cargo msrvreports but its a a matter of what you are willing to test and workaround.As for dependencies, so long as there are resolvable dependencies that pass your tests, your MSRV is satisfied and you do not need to bump MSRV just because a new dependency version is out that uses it, unless you are choosing to update your dependency.
There are more advanced cases where a feature may raise an MSRV but those should be exception cases. A user, or an MSRV-aware resolver (which no one disputes should happen; they only dispute defaults) will only have
package.rust-versionto go off of so that should generally be used to represent all interactions with the project.For 1.0+ crates, I'm thinking of reserving MSRV bumps for minor versions and offering a certain level of support for previous minor versions, accepting cherry-picks of fixes to every prior supported version. I'm somewhat tempted to say that my MSRV policy applies to that version and that
mainspackage.rust-versionwill be as low as that version but may be updated to newer versions when a maintainer-defined reason requires. This would allow me to give faster turnaround for features dependent on new toolchains while offering support for people on older versions.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's what happened recently by the project maintainer.
More information: #494 (comment) (NOTE: MSRV was bumped recently, before the rebase to pass CI and merge)
In the above case:
rust-inimade a release with a dependencyordered-multimap 0.7. If you used this dependency at the time all was well.ordered-multimap 0.7.1was published with a change implicitly raising MSRV.rust-versionwas not used, this would be resolved for that samerust-inirelease and fail on the same toolchain version that worked before.rust-versionbeing present forrust-ini, since it would have occurred after release and the change was out of their control.Just an example of what I've seen in the wild. I expect it to be less of an issue if
rust-versionbecomes more widely adopted 👍I don't quite follow what you're saying here 😅
I was referring to
config-rsrelease branch0.13:rust-versionnot be set higher)Recently a new release was requested and that was promptly resolved with
0.14, which raised the MSRV considerably (there were several bumps made prior, all unreleased though).I observed
0.13was still receiving point releases (before0.14at least, whilemasterwas still developed on separately). Not sure howrust-versionshould behave differently there with0.xvs1.xwith what you've said? (support for previous minor versions, cherry-pick fixes to prior versions)I have also witnessed other crates rollback / relax their
rust-versionin newer releases.My understanding of
rust-versionis it can be helpful when you need to resolve deps compatibility for earlier toolchains (within the 3 year window of anedition), provided it's used throughout the dep chain and is accurate.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ultimately an MSRV is up to the maintainer and not just what
cargo msrvcan do. "Support" is an active process and not syntactic.However, it sounds like MSRV bumps are happening because of new dependency releases. This is futile. A package and its transitive dependencies are independent. You can go a year without a release of config-rs but new dependencies come out. A person could be stuck on an old config-rs due to MSRV but new dependencies come out. A package should not be maintaining an MSRV on behalf of its dependencies.
The main distinction with 1.x.y vs 0.y.z is that 1.x.y allows room for patches to previous versions within a stable release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, but that is the scenario where
rust-versionbreaks when any dependency doesn't adoptrust-versionbut resolves to a release that is no longer compatible with thatrust-versioncorrect?For the
rust-versionfeature to work reliably, one must know that all deps have declared that accurately with their releases?Right, but if you're referring to this with the crate version, what is the relevance to the
rust-version(eg:1.56.1)? My original question was aboutrust-versionmost of the time is probably fine withx.y, and rarely should need a patch version declared?I could see something like dependabot updating that, given how it does with
Cargo.tomlfor crate deps presently (patch versions bumped when that shouldn't be necessary).I'm not sure if there is currently or will be some guidance page for crate authors with setting
rust-version? As with the various examples of it going wrong mentioned above, I'm sure it can be confusing or questionable in value that it affects adoption :(I think
rust-versionsounds great, at least when it works reliably.