💾 Archived View for gemini.bortzmeyer.org › fosdem › event-10967.gmi captured on 2022-04-29 at 01:32:12. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-01-08)
-=-=-=-=-=-=-
Tom Mens
Type devroom
Can we trust depending on packages with major version zero?
Starts on day 2 (2021-02-07) at 11:30 (Brussels time, UTC+1) in room Dependency (duration 00:45)
Matrix room #dependency:fosdem.org
When developing open source software end-user applications or reusable software packages, developers depend on software packages distributed through package managers such as npm, Packagist, Cargo, RubyGems. In addition to this, empirical evidence has shown that these package managers adhere to a large extent to semantic versioning principles. Packages that are still in major version zero are considered unstable according to semantic versioning, as some developers consider such packages as immature, still being under initial development.
This presentation reports on large-scale empirical evidence on the use of dependencies towards 0.y.z versions in four different software package distributions: Cargo, npm, Packagist and RubyGems. We study to which extent packages get stuck in the zero version space, never crossing the psychological barrier of major version zero. We compare the effect of the policies and practices of package managers on this phenomenon. We do not reveal the results of our findings in this abstract yet, as it would spoil the fun of the presentation.