> Sort of repeating my earlier question, but how often does this happenin reality?
From a quick check in our repo we have patched about 1% of our packages to remove the constraints. We have close to 2000 Python packages. We don't necessarily patch all the constraints, only when they collide with the version we would like the package to use so the actual percentage is likely higher.
Larger applications that have many dependencies that are fixed have been kept out of Nixpkgs for now. Their fixed dependencies means we likely need multiple versions of packages. While Nix can handle that, it means more maintenance. We have a tool that can take e.g. a requirements.txt file and generate expressions, but it won't help you much with bug-fix releases when maintainers don't update their pinned requirements.
> And how often is it that a simple request/PR to the package author to remove
the explicit version requirements is rejected?
That's hard to say. If I look at what packages I've contributed to Nixpkgs, then in my experience this is something that is typically dealt with by upstream when asked.
> If you *do* get in a situation where the package explicitly requires
certain versions of its dependencies, and you ignore those
requirements, then presumably you're taking responsibility for
supporting a combination that the upstream author doesn't support. How
do you handle that?
Typical situations are bug-fix releases. So far I haven't encountered any issues with using other versions, but like I said, larger applications that pin their dependencies have been mostly kept out of Nixpkgs. If we do encounter issues, then we have to find a solution. The likeliest situation is that an application requires a different version, an in that case we would then have an expression/package of that version specifically for that application. We don't have a global site-packages so we can do that.
> Nick said he wants to guide authors away from explicit version
pinning. That's fine, but is the problem so big that the occasionalbug report to offending projects saying "please don't pin exactversions" is insufficient guidance?
The main problem I see is that it limits in how far you can automatically update to newer versions and thus release bug/security fixes. Just one inappropriate pin is sufficient to break dependency solving.