[cgiapp] optimal way to define prereq versions on CPAN? (was: Re: CGI::Session)

Mark Stosberg mark at summersault.com
Fri Jul 8 10:48:10 EDT 2011 

> Module dependency minimum versions are one of the areas that has become a
> really irritating part of using CPAN for me. If an author *knows* they need
> some minimum version of something else, maybe because previous versions
> lacked a feature they need, then I'm all for including the version. I'd even
> allow that, in most cases, there probably *is* some minimum version that's
> needed. What bugs me is the auto-generated minimum version requirements get
> put in there based on what the author happens to have installed... they're
> rarely even technically needed - it just happened to be what the author was
> using when they built the module.
> 
> In your example, why would Data::Dumper V 2.123 not work with this module?
> or one of far lower version? Just a hunch, but I'm betting they would... so
> why force everyone to update all those other modules to what you happen to
> have installed?

It seems like what we really wanted to express is:

    "tested with? 4.23"
    "actually require? Unknown"

Since it's time consuming and tedious to figure out a true minimum
version required, the authors sometimes do something they know will
work: specify a version that they know works.

Some have mentioned the role automated testing might play here. This
assumes that the automated tests will actually exercise the differences
that would cause an older version of a dependency to work, but a newer
version to fail. Perfect automated test coverage can't be assumed.

Perhaps there's a way the build system could allow authors to express
that that there are specific versions of dependencies that they know
work, but that they don't actually know what minimum versions work.

( And continue to allow them to specify true minimum version
dependencies if they do know them ).

Personally, like Ron I'm more comfortable specifying a version that I
know works-- I'm conveying some useful information that could help you
get it installed. If it doesn't work for you *and* you don't know what
versions of dependencies I used, you may have a very hard time figuring
out which combinations of things worked.

If I set "no minimum version" on everything and the tests pass, you can
only hope that you don't get bitten by a nasty surprise later when you
run into an issue a different version of the dependency that the
automated tests didn't catch.

It's also somewhat about who does the maintenance work. If I have used a
newer version of a module and you want to keep using an older version,
it's reasonable that, you, not me, complete that testing and report the
result that old version still works, since you care about that version
and I don't.

    Mark

More information about the cgiapp mailing list