Recommended Minimum Rust Version

I'm observing rust-bitcoin's struggles trying to stay conservative with minimum rust compiler version - as they want to support Debian Stable and generally have to be conservative about everything due to the nature of Bitcoin, and it makes me wonder if at some point we could introduce a concept of "last compiler version, we recommend all mature crates to still support".

After the codename for it is decided become visible as a target in rustup and other places (CIs, tooling, etc.)

The goal here would be to give everyone maintainers some recommendation for how far back they should support legacy compiler releases, and packagers (linux distributions, people embedding rust compiler somewhere etc.) some idea how long they can expect given compiler version to keep compiling stable and mature code.

This could possibly be graded, so the most stable and mature crates can meet the demands of most conservative and slow moving ecosystems (like Debian Stable), while crates that just can't get there yet, can still aim at some intermediate step.

Proposals like this come up every now and then, personally I really liked the style of this one. But so far nothing found consensus.

2 Likes

What is blocking the Rust/Cargo team from accepting and implementing https://github.com/rust-lang/rfcs/pull/2495? This would solve this problem without the burden of LTS releases.

6 Likes

Since security fixes in the Rust compiler or standard library are never backported to older releases, I would argue it should be discouraged to use anything older than the latest security fix release. That would currently be 1.34.2.

If it's discouraged to use a compiler/std with security problems, there is no need to write libraries supporting them neither.

Or are Debian backporting security fixes to the compiler versions they ship?

1 Like

Note that we do not make a point release for every soundness related fix. Point releases primarily arise when we are sufficiently far away from a new non-point release (if it is the 4th week it is starting to look increasingly unlikely) and when the bugs are serious enough (they don't have to be security related). I think most soundness fixes actually do not get their own point release. Therefore I would only recommend using the latest stable compiler.

4 Likes

True! And I fully agree.

3 Likes