I agree that upper bound version dependencies are not good. Some people can get a lot too strict with it, creating all the problems you've laid out. Still, I don't think the solution lies with abandoning upper bounds, but with more education on the part of developers as to when they should bump versions and what version ranges they should depend on. What I would advocate is making it the official policy of Hackage that all package maintainers adhere to semantic versioning. http://semver.org
Under this system, which in practice is already the norm, you could declare that a package requires at least foo-3.2.* (which provides some new feature 3.1 doesn't) and at most 3.* so that you don't catch a non-backwards-compatible update. No package version should change its dependencies after the fact, contrary to +Leon Smith, because what if someone depends on your package? They're screwed because it introduces ambiguity into the dependency graph. No, bumping dependency versions, which should happen less often under semantic versioning, should require a bump to your PATCH version. Otherwise how are people supposed to know to upgrade?
It is the decision of a few developers to ignore this standard that causes everyone else grief. Everyone must work together for this scheme to succeed, so they must be made aware of those mistakes to correct them. Developers also need to make sure their versions mean what we think they mean, otherwise it's chaos all over again. In summary, it should eventually be Hackage policy to disallow upper bound dependency versions more specific than a MAJOR version. This should drastically improve the situation.
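The comment above argues for bounds of the form "at least 3.2, below the next MAJOR". The following is an added example, not part of the thread and not Hackage or Cabal code: a small semantic-version range checker with hypothetical helper names (`parse_range`, `semver_major_range`, `releases_rejected_although_compatible`) and a constructed list of candidate releases. It shows concretely which releases a MAJOR-bounded range admits, and which compatible releases an over-tight upper bound such as `<3.3.0` needlessly refuses. The `>=`/`<`/`&&` syntax is the only range grammar it supports; the point is the bound granularity, not a full constraint solver.

```python
import re
from typing import List, Optional, Tuple

# A version is compared as a (MAJOR, MINOR, PATCH) tuple, which gives the
# ordering semver intends (3.10.0 > 3.9.0, unlike string comparison).
Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")
# Only the two operators needed for the thread's example: >= (inclusive lower)
# and < (exclusive upper). Assumption: clauses are joined with '&&'.
_CLAUSE_RE = re.compile(r"^\s*(>=|<)\s*(\d+\.\d+\.\d+)\s*$")


def parse_version(text: str) -> Version:
    """Parse MAJOR.MINOR.PATCH into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def parse_range(text: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Parse e.g. '>=3.2.0 && <4.0.0' into (lower_inclusive, upper_exclusive)."""
    lower: Optional[Version] = None
    upper: Optional[Version] = None
    for clause in text.split("&&"):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, ver = m.group(1), parse_version(m.group(2))
        if op == ">=":
            lower = ver
        else:
            upper = ver
    return lower, upper


def satisfies(version: str, range_text: str) -> bool:
    """True iff `version` lies inside the range."""
    v = parse_version(version)
    lower, upper = parse_range(range_text)
    if lower is not None and v < lower:
        return False
    if upper is not None and v >= upper:
        return False
    return True


def semver_major_range(minimum: str) -> str:
    """The range the comment recommends: at least `minimum`, below the next MAJOR.
    Under semver only a MAJOR bump may break compatibility, so this is the widest
    bound that still excludes known-breaking releases."""
    major, minor, patch = parse_version(minimum)
    return f">={major}.{minor}.{patch} && <{major + 1}.0.0"


def semver_compatible(installed: str, candidate: str) -> bool:
    """Under semver a candidate is a drop-in for `installed` iff it shares the
    MAJOR number and is not older (a newer MINOR/PATCH only adds or fixes)."""
    a, b = parse_version(installed), parse_version(candidate)
    return a[0] == b[0] and b >= a


def releases_rejected_although_compatible(
    range_text: str, minimum: str, candidates: List[str]
) -> List[str]:
    """Releases that semver deems compatible with `minimum` but the given range
    refuses: the 'too strict upper bound' problem the comment describes. Each
    such release forces a dependency bump that contains no real change."""
    return [
        c for c in candidates
        if semver_compatible(minimum, c) and not satisfies(c, range_text)
    ]


if __name__ == "__main__":
    # Constructed sample release history for a hypothetical package 'foo'.
    releases = ["3.1.9", "3.2.0", "3.2.4", "3.5.1", "4.0.0"]
    recommended = semver_major_range("3.2.0")        # '>=3.2.0 && <4.0.0'
    too_strict = ">=3.2.0 && <3.3.0"                  # bound tighter than MAJOR
    print("recommended range:", recommended)
    print("admitted:", [r for r in releases if satisfies(r, recommended)])
    print("needlessly rejected by", too_strict, "->",
          releases_rejected_although_compatible(too_strict, "3.2.0", releases))
```

Running it prints `['3.2.0', '3.2.4', '3.5.1']` as admitted by the MAJOR-bounded range and `['3.5.1']` as the compatible release the `<3.3.0` bound throws away; the 4.0.0 release is correctly excluded by both, which is the whole purpose of keeping an upper bound at all.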