MSRV in the future #7172
Comments
|
That <2% may very well be a gateway to a much higher amount of users using cryptography via packaged distributions. Packaged distributions tend to stay on a stable if not oldish version of Rust, although not too old, because the whole ecosystem is constantly pushing to adopt new versions of rust as well. Rust 1.48 was released Nov. 19, 2020 |
|
@simo5 is the concern for packagers the |
|
@reaperhulk I can talk for all distributions, but I can tell that in RHEL we simply can't handle a single fixed in stone rust version per major release (that's 10 years) at this time. The simple reason is that we need to ship Firefox and Firefox does not wait forever. I do not know how something like debian stable handle this. A distribution that freezes everything and only does security backports is not something you should be concerned about, they would freeze the version of cryptography as well. |
|
@simo5 Is there an easy way to determine what the ESR Firefox MSRV is? That would be interesting to understand. |
|
Actually, https://firefox-source-docs.mozilla.org/writing-rust-code/update-policy.html contains the information needed. Since current ESR is Firefox 91 this would appear to mean 1.51 would be acceptable? |
|
For Firefox 100 1.57 is required, so 1.51 is certainly acceptable |
|
uhm you are right on the ESR one though, and the new ESR I think will come out in early summer, so I predict in a couple of months at least 1.59 will be acceptable. |
|
A review of the PyPI download data suggests that it's very common for users to install our sdists with a rustc version installed from their distributions packages manager. These versions tend to be older (e.g. debian buster, supported for another 2 years, still contains rustc 1.41.0). While I am not advocating for no increases to our MSRV (I support the 1.48 bump that's coming in 38!), I do think we need to be a little conservative and probably can't be quite as aggressive as Firefox. |
|
We have the required input here. |
When we added Rust to
cryptographywe originally required arustcof >=1.45. Through initial feedback we dropped this MSRV to 1.41 to ease the transition. Time, however, marches ever onward. We will need to update it in the future (and in version 38.0 we've announced an increase in MSRV to 1.48). How conservative should we be moving forward?Some data: Wheels vs sdists
A very large percentage of our users obtain a wheel. Here is the last 30 days of downloads:
Within just the Rust-required versions (35+):
Due to the sheer volume of downloads even a less than 2% sdist rate results in nearly 2 million sdist downloads. It is that <2% (along with distribution packagers) who are potentially affected by choices around our MSRV.
Advantages of conservatism
Users who do not receive a wheel need to install a compatible
rustc. With newer version requirements the odds of needing to userustuprather than the system package manager increase. Ubuntu backports newerrustc, but most other distributions do not. Additionally, users who do compile (and do not use CI systems where newer rust is automatically installed and upgraded over time) will occasionally have their systems break due to an MSRV increase.Advantages to aggressive upgrades
Some potential features and performance optimizations are gated behind newer
rustcversions. For example, support for SSH certificate parsing could be added via ssh-key, except the MSRV is 1.57. Similarly, we've had multiple PRs to our own asn1 crate blocked by MSRV concerns:I am tentatively in favor of being significantly more aggressive in our MSRV, but Alex and I are both interested in hearing from the community.
The text was updated successfully, but these errors were encountered: