Bug #122522 for Module-CheckDep-Version: doc describes purpose incorrectly

Mon Jul 17 17:52:31 2017 zefram [...] fysh.org - Ticket created

Subject:	doc describes purpose incorrectly
Date:	Mon, 17 Jul 2017 22:52:20 +0100
To:	bug-Module-CheckDep-Version [...] rt.cpan.org
From:	Zefram <zefram [...] fysh.org>

In Module-CheckDep-Version-0.05, the doc says of check_deps(): # and either returns or prints to the screen a list of each dependency that # requires a version bump. This is incorrect. The code makes no attempt at all to determine whether a dependency "requires a version bump". All it determines is, as stated in the "description" section, "dependencies that have updated versions". It's determining whether a newer version of the dependency is *available*, not whether it's *required*. The documentation should be accurate about the function's behaviour. In addition to the bit that I quoted above, the clause in the "description" section about "behind in version" should be changed: I can't quite make sense of it, but it seems misleading. The documentation should really go further, and advise caution in how the result of the function is used. Since one side of the comparison being made is module versions that are currently available, one would normally expect the other side of the comparison to be module versions that were available at some earlier time, perhaps a list of module versions that one has audited. One would expect the list of module versions currently available to eventually make its way onto the other side of the comparison, causing the function to yield no results until there's a new release of something. But instead the other side of the comparison is the list of module versions that a module declares as its requirements. This is not a like-for-like comparison. It is totally normal for the minimum required versions of a module's dependencies to be very old versions, typically the version that added a critical feature or fixed a critical bug. It is not routine for this requirement to change at all, let alone to be bumped to the latest available version. So the behaviour of the check_deps() function, even without the documentation, seems to encourage users to repeatedly change the minimum required dependency versions that they declare, in order to get empty output from check_deps(), regardless of the actual requirements of their code. This behaviour would be damaging to the CPAN ecosystem. check_deps() maximises the damage by always encouraging bumping the declared dependency to the latest module version available, which will fairly often be a version that has some portability problem or stringent dependency of its own, which would be a bad thing to import by falsely declaring a dependency. So the documentation for Module::CheckDep::Version ought to warn the user clearly against this type of seductive but dangerous interpretation of check_deps()'s output. It should describe what kind of use can be safely made of the function. -zefram

Thu Jul 20 18:47:42 2017 steveb [...] cpan.org - Correspondence added

Thanks for the feedback. I have done some modifications on the documentation. Before I publish, would you kindly let me know what you think? DESCRIPTION WARNING: It is prudent to only increase the required version of a prerequisite distribution when absolutely necessary. Please don't arbitrarily bump prereq version numbers just because newer versions of a software have been released. This module was originally designed so that I could easily track prereqs that I wrote that my other distributions require. Again... please don't arbitrarily bump prerequisite version numbers unless there is a functional requirement to do so. For example, my L<RPi::WiringPi> distribution uses about a dozen other C<RPI::> distributions. If I update some of those (they are all stand-alone), periodically I want to check C<RPi::WiringPi> to ensure I'm requiring the most up-to-date functionality of the individual component distributions within the top level one that includes them all. See L</checkdep> for a binary script that you can use directly instead of using this API. You can also run C<perldoc checkdep> at the command line after installation to read its manual. This module retrieves all [http://cpan.org|CPAN] distributions for a single author, extracts out all of the dependencies for each distribution, then lists all dependencies that have updated versions so you're aware which prerequisite distributions have newer releases than what is currently being required. Can list only the prerequisites that are written by the same author, or optionally all prerequisite distributions by all authors. --- Here's the update to the docs for the sub: Fetches a list of a CPAN author's distributions using L<MetaCPAN::Client>, extracts out the list of each distribution's prerequisite distributions, compares the required version listed against the currently available version and either returns or prints to the screen a list of each dependency that has had newer versions published.

Thu Jul 20 18:47:42 2017 The RT System itself - Status changed from 'new' to 'open'

Thu Jul 20 18:59:50 2017 zefram [...] fysh.org - Correspondence added

Subject:	Re: [rt.cpan.org #122522] doc describes purpose incorrectly
Date:	Thu, 20 Jul 2017 23:59:32 +0100
To:	Steve Bertrand via RT <bug-Module-CheckDep-Version [...] rt.cpan.org>
From:	Zefram <zefram [...] fysh.org>

Steve Bertrand via RT wrote: Show quoted text

>I have done some modifications on the documentation. Before I publish, >would you kindly let me know what you think?

That looks good, thanks. -zefram

Fri Jul 21 09:34:56 2017 steveb [...] cpan.org - Correspondence added

Show quoted text

> That looks good, thanks.

Thanks zefram, closing.

Fri Jul 21 09:35:02 2017 steveb [...] cpan.org - Status changed from 'open' to 'resolved'

Fri Jul 21 09:35:07 2017 steveb [...] cpan.org - Taken

Fri Jul 21 09:35:08 2017 steveb [...] cpan.org - Fixed in 0.06 added