> 2. a library that depends on dependencies A and B, both of which depend on X, can actually work properly if it needs to pass API objects created by X across between A and B, since X is of the same version

That feels like an advantage for the developer, not the distro maintainer.

I find that amusing, because you're saying it's easy if they can use one version of the library. Well, that's also true if they're writing an application, hence pinning.

> That feels like an advantage for the developer, not the distro maintainer.

It's an advantage for the ecosystem, yes. Not the developer of the library (X in my example), but a different developer. Someone who is trying to write an app to do something interesting with A and B.

> ...because you're saying it's easy if they can use one version of the library. Well, that's also true if they're writing an application

I don't think that's true.

Perhaps library A has pinned dependencies for X such that it is in conflict with unrelated library B that also uses pinned dependencies for X. Both libraries are now less useful to the ecosystem, because they are now inadvertently incompatible with each other (if their APIs expose X's objects).

My example demonstrates why this doesn't work in the general case, and therefore why it's wrong to expect that everyone does it this way.

Generally speaking libraries don't pin versions, applications do (in rust-land, a Cargo.lock is respected for the folder you're building, not your dependencies. A dependency can specify an exact version if it wants but an application can override that kind of thing, and it's generally not considered a good idea). This makes 2) a non-issue for the ecosystem (if an application needs to pass objects from X between A and B, then they'll need to pin to a single version of X). 1) is more of a disadvantage, but it's unclear to me that the effort distro maintainers put in to fix to a single version actually results in a reduction in effort overall.

One package's app is another package's dependency, so this distinction cannot work in the general case.

It can work perfectly well, at least as far as API/ABI compatibility. An app is an executable, a library is a static or dynamic library. Something isn't generally both at once (a project or package might have a library and some tool applications related to the library, but those tend to get split out by distribution package maintainers anyway, and with cargo there's always a top-level package which sets the pinning, the rest are libraries whether or not they're the top level in other contexts). If you're talking about IPC or RPC, then yes, this matters more in terms of compatibility, but that's an area where a lot more attention is paid to compatibility in the first place, by everyone.

Maintenance is much more practical when you use the versions upstream tests in their CI and not whatever mishmash of ancient/silently incompatible deps that each distro separately decides to combine together.

Upstream CI isn't magic that only they have. Distributions run the same tests upstreams do if they are made available.

If tests falsely pass, then that's a quality problem in the upstream tests.

No.

1. Rust is as hostile to dynamic libraries as glibc to static.

2. With everything static you have to rebuild every dependent on any security patch anyways. If you meant with multiple versions maintainers have to backport patches to multiple versions. Maybe don't backport at all? Some people appreciate having backports. Users of software written in Rust does NOT. So why bother doing backports for them?

3.

> a library that depends on dependencies A and B, both of which depend on X, can actually work properly

This will be detected during compile (since it's all static! sorry dynamic linking fans) and dealt with.

Dynamic libraries have had interface versions and linking strategies for decades.

For statically compiled apps, if the version is over specified recompiling will have no effect. The dependent will have to be updated with a new version string.

> Some people appreciate having backports. Users of software written in Rust does NOT. So why bother doing backports for them?

This is completely false. First and foremost, people who use applications don't care at all what language those apps are written in, and there is no "community of people who use Rust tools" that could have a different world-view from everyone else.

And beyond that, there is no one in the world who doesn't want backports, because it's never safe to just take the latest version of some piece of software and expect that everything will still work as expected. Having to take even a month of new features just because you need a security fix.

And note that Rust even at the language level has strong support for backwards compatibility and support for older versions. It's definitely not true that Rust people, even developers, live at the bleeding edge and don't need backports.

> This will be detected during compile (since it's all static! sorry dynamic linking fans) and dealt with.

If it is correctly detected, then the only "dealing with" that can be done is to fail to build.