-
Notifications
You must be signed in to change notification settings - Fork 645
Discuss rules for api deprecation and our stability guarantees #1105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
I find this to be a very good idea, though I'd advocate that is should be used to deprecate an endpoint and not remove it.
Probably, at least for the sake of consistency. Moreover, this would probably allow for a more cohesive and flexible API.
The @cratesiostatus twitter account would be available for that, though it may not be popular enough atm. Maybe blog.rust-lang.org could be used for important announcements instead ?
I think instrumenting endpoints and being able to make choices based on the actual usage of the API would be a big step for crates.io. Reviewing logs might be possible now but it is too much error-prone to be relied on IMO.
Do you mean are we committed to always return a 200 HTTP status code for other routes ? I think no, the only thing blocking us from having "classic" status code is cargo. We should be committed to use the existing status codes in future endpoints though.
I would say that it is not OK to break those clients by removing a field, and that forcing a None value isn't a lot more work that removing it. My stance on this issue is "all endpoints must remain stable until |
I'm closing this issue for now as there hasn't been a lot of activity here recently. |
In #1102 we recently touched on the concept of deprecation of unused api endpoints. I'm not necessarily advocating for the removal of these routes, but I think they help provide concrete examples for discussing our stability guarantees when it comes to the api.
First, a few questions to consider:
cargo
endpoints, we should always return a200
result status. Are we effectively committed to the same for other routes? (See HTTP error codes are barely used #712)Option<T>
fields from a json return type, or must we retain the field with aNone
value? In other words, is it okay to break clients that handle a nil value for a field but error when the field is absent?Okay, so on to some specific examples!
GET /versions/:version_id
andGET /crates/:crate_id/:version
These 2 routes are implemented in
version::show()
. There isn't really much reason for these to be combined as the endpoint has different semantics depending on if the :crate_id is present or not. I think this should be properly split into two endpoints.For
GET /versions/:version_id
I don't expect there to be any external users at all as in order to use this api it is necessary to know the database id number for the version you seek. The primary way I see to obtain this is throughGET /crates/:crate_id
, but this endpoint already returns an array of versions containing all of this data. If there are any external users of this endpoint then we're probably doing duplicate effort to serve them.GET /crates/:crate_id/:version
has a much better interface, ascrate_id
andversion
are both human readable names and it is possible that some endpoints are constructing this URL on their own. This could be an argument for keeping this version of the endpoint around for longer, or at least doing more due-diligence to ensure there are no external uses.GET /versions
This is very similar to the
GET /versions/:version_id
endpoint, except it accepts multipleid[]
query parameters and returns a list of versions. Again, in order to make use of this endpoint the user has to already know the database id of the version.JSON result type for
GET /crates/:crate_id/:version/download
This endpoint is used by cargo and redirects to a URL on S3. However, if the request's
Accept
header containsjson
then we construct a200
response with JSON data. The frontend code that used this code path was removed in #916 and had already been commented out for 3 years at the time.While this code path is quite trivial, are we committed to keeping this until some far distant
/api/v2
is released? (This is a slightly strange example because this is primarily acargo
route so I don't think this route would ever be removed even if otherv1
endpoints are removed. At best we would remove this special case.)Summary
In summary, I'm not suggesting that we remove any of these endpoints at this time. If we come up with a policy that allows for removal I would rank them as:
With these examples in mind, where do you fall on the scale between: "all endpoints must remain stable until
/v2
" and "cargo
is our only official stability guarantee but we do our best to keep everyone happy"? There are of course mid-points along this scale. For instance, we could work with users of our api to triage the endpoints they are using and potentially expose them through an official client crate to encourage best practices.The text was updated successfully, but these errors were encountered: