jwdonahue
commented
3 years ago What follows does not in any way represent the views of the SemVer maintainers. I am not a SemVer maintainer. I've simply got some skin in the game as a tool builder and long-time interested party. I also have some experience developing and testing network protocol stacks and components at various layers of the internet protocols.
I would like to address this question, in the context of YANG/NETCONF:
Is it acceptable to bump the major version number even if the module does not contain any NBC changes?
And its corollary:
Is it acceptable to bump the major version number if there are no changes at all?
The terminology around YANG versioning is unfortunate. NBC? Non-Breaking-Change or Non-Backwards-Compatible? The SemVer terminology is Breaking Change and Non-Breaking Change or Backwards Compatible Change. I'll simply use Breaking Change and Compatible Change here.
For the purposes of this post, I'd like to rephrase those two questions as:
- Is it acceptable to bump the YANG version number when there have been no changes?
- Is it acceptable to bump the YANG major version number when there has been no Breaking Change?
I believe these are distinct and overlapping concerns, and I have been answering one form or another of them, over and over for years.
There is much YANG/NETCONF detail that I am likely unaware of, so I'll state some assumptions before continuing:
- Network devices tend to dial-home to check availability of updates, based on their current version number.
- Code packages are pulled from a variety of services like NPM, Nuget, Crates, etc.
- These are published by developers with variable development, test and release practices, some of whom are unaware of NETCONF/YANG.
- Network API's and data structures MAY be versioned independently of any packages of implementations.
- These are used for device status and control purposes.
Starting with assumption 1, I think it is safe to say that any frivolous version bump is unacceptable, given the bandwidth consumption, any device down-time during an update, and the associated risk to device integrity inherent in any update. Now consider common DevOps practices; where potentially thousands of builds occur every day, and it is common practice to bump the patch number and modify tags for each and every one of those builds. Such environments often have highly distributed and parallel builds, that may include some duplication where it is cheaper to build it from the local repo, than to pull it from an artifact store.
Now, build systems do tend to be gated at some point, to prevent too much chaos from leaking out of their build labs, but not everyone of them is capable, or willing to prevent all possible modes of extraneous version bumps. So my advice wrt to question 1 and assumption 1 is; no it's not acceptable, but it can't always be avoided, so any spec language on the subject; SHOULD advise against it, but can't possibly prohibit it.
That leaves us with Q2 wrt A1. Is a frivolous bump harmful in that case? I would argue that it probably is not. Any automated update scheme should prevent taking breaking changes without explicit human intervention, so the impacts are likely quite low. Again, we should consider common developer practices. It's not uncommon for a developer team to spin up vNext, by bumping the major version, making some tooling updates in preparation for the coming sprints, and then test that build system by generating an artifact that has a major version bump AND contains no product changes. They would then test that system by enabling their test devices to consume that package and verify that nothing was broken by the tool changes.
Again, best practices, requires a strong gate between the internal systems and consuming public, but not everyone follows best practices. I have worked on projects where we had large groups of early adopters at every step in the development chain. We would always do our best to prevent non-members of a specific ring from accidentally consuming our pre-releases, but when you have any kind of early release scheme, there is always some leakage.
So I don't believe it is desirable to prohibit frivolous version bumps wrt to assumptions 1 & 2. We should certainly discourage frivolous releases of minor and patch bumps, but allow and even expect them for pre-releases.
Moving on to assumption 3...
Here's where the details really come into play. The simplest setup is a single server, servicing a single API, call it ServiceX. A major version bump of ServiceX breaks all clients and requires them to update. This can be very costly, so we should avoid any frivolous major version bumps, but should we prohibit them entirely? What if I have thousands of clients running in the range 1.y.z, and an exploit is found that affects all but 1.yN.z where N might not be the highest possible Y? Let's just say that I have potential liabilities if I allow the update laggards to continue using their clients, and there is no change to the service code that could possibly fix the problem, but the service is an integral requirement for the exploit.
I can assure you that no MUST phrasing in a spec is going to stop me from bumping ServiceX to 2.0.0 and forcing my customers to update their clients in order or discontinue its use. I understand the need for tight specs and abhor unnecessarily vague statements, but it is really hard to write a tight spec that is also practical, when there are more than one stakeholder in the mix. In this case, it's really easy for me to say that YANG-SemVer and SemVer itself, MUST not ever attempt to prohibit a version bump for any reason whatsoever.
The SemVer spec requires version bumps under specific circumstances, but does not prohibit them for any other reasons. The main reason for the limited scope of the spec in this regard, is that it's just not possible to imagine all possible use cases and the bandwidth available in the SemVer string is extremely constrained.
It's been my experience that interacting sentient agents tend to punish or ban ecosystem members who do things that harm them. I can understand the distain for version bumps driven by marketing departments for no reason other than to rev their own propaganda. At the same time, I don't think there's many of those departments left, that haven't gotten the message from their customers, that frivolous churn in automated systems is dangerous and wasteful. I know there have been a few obnoxious cases here and there, but I haven't seen any evidence that it's a major ongoing problem.
rgwilton
xorrkaz
Is it acceptable to bump the major version number even if the module does not contain any NBC changes?
A corollary to this is: Is it acceptable to bump the major version number if there are no changes at all? E.g., bump the API version when a new major product version is being released?
A second corollary is: Does the same logic apply to minor version changes. E.g., can the minor version number be bumped if only editorial changes are made.
Somewhat related to https://github.com/semver/semver/issues/475