[Pulp-dev] Pinning dependencies in Pulp 3

Mike DePaulo mikedep333 at redhat.com
Tue Jul 30 13:53:00 UTC 2019


+1 to pinning to the Y release.

On Tue, Jul 30, 2019 at 9:30 AM Dennis Kliban <dkliban at redhat.com> wrote:

> +1 to pinning to the Y release.
>
> On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <ttereshc at redhat.com>
> wrote:
>
>> +1 to pin dependencies and use dependabot
>>
>> If we were to pin to Z releases, then we'd need to release pulp 3 package
>> with any Z release of any dependency we pin.
>> And in case of any [security] fix in any dependency, users would need to
>> wait for us to release pulp with updated dependency version.
>>
>> If my logic above is correct, I'm +1 to pin to Y releases. I think most
>> (if not all) breaking changes we observed were in the Y releases.
>>
>> Tanya
>>
>>
>>
>> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <bbouters at redhat.com>
>> wrote:
>>
>>> +1. This brings increased stability to Pulp users, and keeps Pulp
>>> forward compatible with all dependency releases. It's the best of both
>>> worlds and automated!
>>>
>>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <dkliban at redhat.com>
>>> wrote:
>>>
>>>> +1
>>>>
>>>> I really like that there is automation to help us update the deps. If
>>>> the PR from dependabot passes CI, we can just merge. Otherwise we will file
>>>> an issue.
>>>>
>>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <daviddavis at redhat.com>
>>>> wrote:
>>>>
>>>>> Recently, Pulp 3 package installs were broken by a new version of DRF,
>>>>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
>>>>> fragile and unstable because they don't pin versions of dependencies.
>>>>>
>>>>> I was thinking of a new strategy whereby we pin pulpcore's
>>>>> dependencies to specific versions (either y or z releases) and we use
>>>>> something like dependabot[1] to notify us of new updates for pulpcore
>>>>> dependencies. It looks like it'll open new PRs when it detects a dependency
>>>>> is out of date.
>>>>>
>>>>> The one downside I do see is that dependabot PRs could be ignored.
>>>>> However, I think the stability of our releases outweighs this potential
>>>>> risk, especially as we get closer to GA.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
>>>>> [1] https://dependabot.com/
>>>>>
>>>>> David
>>>>> _______________________________________________
>>>>> Pulp-dev mailing list
>>>>> Pulp-dev at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>


-- 

Mike DePaulo

He / Him / His

Service Reliability Engineer, Pulp

Red Hat <https://www.redhat.com/>

IM: mikedep333

GPG: 51745404
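The thread weighs pinning a dependency to an exact Z release against pinning to its Y series. The script below is an added example written for this archive page; it is not Pulp code and not something any participant posted. It models both policies over constructed version numbers so the trade-off Tanya describes is visible: an exact pin rejects a later Z release that might carry a security fix, while a Y-series pin accepts it and still rejects the next Y release, which is where the thread says the breaking changes were seen. It assumes simple `X.Y.Z` versions (no PEP 440 pre-releases, epochs or local labels) and goes a little beyond the thread by also evaluating PEP 440's compatible-release operator `~=`, which is the standard way to express a Y-series pin in `setup.py` or a requirements file. All function names (`pin_to_z`, `pin_to_y`, `satisfies`, `compare_policies`) are the example's own.

```python
"""Z-pin vs Y-pin comparison for a Python dependency (added example, not Pulp code).

Version strings used here are constructed for illustration only.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted 'X.Y.Z' string into an int tuple so it compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def pin_to_z(current: str) -> str:
    """Exact pin: accept only this release (the 'Z release' option in the thread)."""
    return f"=={current}"


def pin_to_y(current: str) -> str:
    """Pin to the Y (minor) series: accept later Z releases, reject the next Y.

    Written as explicit bounds; it is equivalent to PEP 440's '~=X.Y.Z'.
    """
    major, minor, *_ = parse_version(current)
    return f">={current},<{major}.{minor + 1}"


def _compatible_bounds(base: Version) -> Tuple[Version, Version]:
    """Lower/upper bounds for '~=base': >= base and < (base with last kept part +1)."""
    if len(base) < 2:
        raise ValueError("'~=' needs at least two version components")
    prefix = base[:-1]
    upper = prefix[:-1] + (prefix[-1] + 1,)
    return base, upper


def satisfies(candidate: str, spec: str) -> bool:
    """Evaluate a comma-separated specifier set using ==, >=, < and ~= clauses."""
    cand = parse_version(candidate)
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.startswith("=="):
            if cand != parse_version(clause[2:]):
                return False
        elif clause.startswith(">="):
            if cand < parse_version(clause[2:]):
                return False
        elif clause.startswith("~="):
            low, high = _compatible_bounds(parse_version(clause[2:]))
            if not (low <= cand < high):
                return False
        elif clause.startswith("<"):
            if not cand < parse_version(clause[1:]):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def compare_policies(current: str, candidates: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each candidate release, report whether a Z pin and a Y pin would accept it."""
    z_spec, y_spec = pin_to_z(current), pin_to_y(current)
    return {
        c: {"z_pin": satisfies(c, z_spec), "y_pin": satisfies(c, y_spec)}
        for c in candidates
    }


if __name__ == "__main__":
    # Constructed scenario: pulpcore tested against 3.9.4 of some dependency;
    # upstream later ships a Z fix (3.9.5), a new Y (3.10.0) and a new X (4.0.0).
    pinned = "3.9.4"
    print(f"Z pin: {pin_to_z(pinned)}   Y pin: {pin_to_y(pinned)}")
    for version, result in compare_policies(pinned, ["3.9.3", "3.9.5", "3.10.0", "4.0.0"]).items():
        print(f"{version:>8}  z_pin={result['z_pin']!s:5}  y_pin={result['y_pin']}")
```

Under the Z pin a fix in 3.9.5 reaches users only after a new pulpcore release; under the Y pin it installs immediately, and 3.10.0 is still held back until a dependabot-style PR has passed CI and been merged.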

