How should I declare versioning dependency of cryptography?

[rayluo]

I'm a maintainer of some other libraries, which would take a dependency on cryptography. What versioning scheme does cryptography use? Seems not Semantic Versioning, because I see many "backward incompatible" changes without major version bump. Then, how should I declare (the upper bound) of versioning dependency of cryptography in my downstream library?

cryptography>=0.6,<???

[reaperhulk]

Cryptography's deprecation policy is documented here: https://cryptography.io/en/latest/api-stability.html

We do not use semantic versioning, correct. Our versions are strictly monotonic.

[rayluo]

Thanks for providing your official document on your versioning. Based on your versioning scheme, there is no stable way for downstream libraries/apps to declare their dependency to cryptography. They have to update their "floating dependency" each time cryptography releases a new version.

Out of curiosity, what is the benefits of your "custom versioning scheme"? What did it intend to solve?

[alex]

Our API stability policy is based on Django's https://docs.djangoproject.com/en/3.1/misc/api-stability/, which has been successfully used for well over a decade.

[rayluo]

Thanks for referencing to Django. Now I can see Cryptography and Django have same Api Stability concept (which is of course a good concept), and I can see Django 1.x uses a similar versioning scheme.

However, IMHO, that good Api Stability concept does not necessarily mean to use the "breaking change will likely happen at version X.Y+2.Z" scheme. One project could follow the same good Api Stability policy and still use Semantic Versioning, which is designed to allow downstream applications to declare dependency easier. Even the Django 2.x slightly shifted toward Semantic Versioning.

SemVer makes it easier to see at a glance how compatible releases are with each other.

[reaperhulk]

Security libraries live in a weird space where attempts to minimize the compatibility problems shift enormous burden onto the library itself to either never deprecate things or ship dozens of releases across a variety of "supported" branches to ensure users who have pinned receive the security updates they will otherwise miss by capping their upper bound.

In practice most of our compatibility breaks are dropping old versions of Python (which pip will automatically handle), old versions of OpenSSL/LibreSSL, or unusual edge cases in APIs that people rarely use. In the rare case that we deprecate/remove an API we know is in use we typically end up leaving it in place for 2-4 years to provide ample time for migration. Over the 7 years and > 600 million downloads we haven't seen our policies to be a problem in the real world, so our advice is ultimately: don't pin your upper bound. Users can receive security updates, a critical thing for a cryptographic library, and the likelihood of breakage is low.

[rayluo]

OK then, I get your point on the two "enormous burden", and your (not so) subtle statement "we do not attempt to minimize the compatibility problems". :-)

If I understand correctly, a different versioning scheme makes no real difference here.

• People who are not aware of cryptography's CUSTOM versioning scheme, would still declare it in SemVer way anyway (Example), so they ended up just pinning an upper bound for no real gain.
• People who become aware of cryptography's custom versioning scheme but still choose to guard against a potential breaking change, would declare upper bound as "X.Y+2", which ends up overly-restrictive than if SemVer were in use by cryptography.
• People who take your advice to not define an upper bound, then there would be no difference, regardless of what versioning scheme cryptography chooses.

So, the reason you stay away from SemVer is more on a philosophical level. The SemVer emphasizes on solving the compatibility problem so it encourages setting an upper bound; Cryptography is the opposite here. Fair enough.