We Need a Standard for Open Source Package Requirements - Elitsa Bankova & Eve Martin-Jones, Google

Описание: Don't miss out! Join us at the next Open Source Summit in Hyderabad, India (August 5); Amsterdam, Netherland (August 25-29); Seoul, South Korea (November 4-5). Join us at the premier vendor-neutral open source conference, where developers and technologists come together to collaborate, share knowledge, and explore the latest innovations and advancements in open source technology. Learn more at https://events.linuxfoundation.org/

We Need a Standard for Open Source Package Requirements - Elitsa Bankova & Eve Martin-Jones, Google

What does a version specification look like? Most would say that one looks something like “1.2.3”.

But what does a requirement look like? That is a more complicated question and answers vary and depend on which packaging ecosystem —Maven, Cargo, PyPI and so on— is involved.

While Semver 2.0 offers a generally agreed upon syntax for versions, there is no standard for requirements.

Understanding how requirements work is required for addressing issues such as vulnerabilities and license conflicts. The absence of an agreed-upon requirement specification limits the ability to understand the problem and limits the sharing of tooling across ecosystems.

Deps.dev has looked at the way requirements are specified in five ecosystems and translated them into a single set representation that enables unified tooling. We’ve discovered many ecosystem-specific quirks, but also discovered much commonality we can build upon.

This talk will define the essence of requirements, demonstrate how they are incompletely met by various existing systems, and most importantly we will argue that a well-defined, well-supported requirement specification is vital to the industry.