
Is it PVP conform if a package leaks orphan instances or not depending on the versions of its transitive dependencies?

Open sol opened this issue 6 years ago • 1 comments

Somewhat related to #23, let's look at the following scenario:

  • package foo-0.1.0 adheres to the PVP
  • a new version of foo adds orphan instances and adheres to the PVP by bumping its version to 0.2.0
  • package bar depends on foo

Technically, bar could allow both foo-0.1.0 and foo-0.2.0, but that would mean that bar would sometimes leak orphan instances and sometimes not depending on what version of foo the dependency solver picks. For this reason my naive assumption was that this is not PVP conform.

However, I realized that the PVP does not really state that this is not allowed.

If again, however, we look at the FAQ, then we read:

> It’s the responsibility of the provider to guarantee that the exposed API is a function of the declared version, and in particular does not depend on the versions of its transitive dependencies, as this defy the purpose of the PVP.

Does this statement apply to orphan instances?

Or in other words, for the scenario given above: Is the constraint foo >= 0.1.0 && < 0.3.0 PVP conform?

sol, Feb 24 '18 20:02

Good question.

> Does this statement apply to orphan instances?

I can't say for sure what the intent was when this was written, but I think it does.

I think a question to ask is: If baz depends on bar (but not directly on foo), can baz break depending on which version of foo is picked? It's bar's responsibility to make sure that doesn't happen by conditionally re-defining any re-exports from foo (incl. instances), or by restricting the range of versions allowed.

bergmark, Feb 26 '18 18:02