[Pulp-dev] Pinning dependencies in Pulp 3
David Davis
daviddavis at redhat.com
Wed Jul 31 12:46:01 UTC 2019
I've opened a PR to pin dependencies and setup an initial config for
dependabot. After we merge it, I'll enable dependabot which should start
opening PRs to update our dependencies.
https://github.com/pulp/pulpcore/pull/239
David
On Tue, Jul 30, 2019 at 12:43 PM Daniel Alley <dalley at redhat.com> wrote:
> +1 Y releases
>
> On Tue, Jul 30, 2019 at 12:01 PM Brian Bouterse <bmbouter at redhat.com>
> wrote:
>
>> +1 to pin Y releases
>>
>> On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <ttereshc at redhat.com>
>> wrote:
>>
>>> +1 to pin dependencies and use dependabot
>>>
>>> If we were to pin to Z releases, then we'd need to release pulp 3
>>> package with any Z release of any dependency we pin.
>>> And in case of any [security] fix in any dependency, users would need to
>>> wait for us to release pulp with updated dependency version.
>>>
>>> If my logic above is correct, I'm +1 to pin to Y releases. I think most
>>> (if not all) breaking changes we observed were in the Y releases.
>>>
>>> Tanya
>>>
>>>
>>>
>>> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <bbouters at redhat.com>
>>> wrote:
>>>
>>>> +1. This brings increased stability to Pulp users, and keeps Pulp
>>>> forward compatible with all dependency releases. It's the best of both
>>>> worlds and automated!
>>>>
>>>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <dkliban at redhat.com>
>>>> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> I really like that there is automation to help us update the deps. If
>>>>> the PR from dependabot passes CI, we can just merge. Otherwise we will file
>>>>> an issue.
>>>>>
>>>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <daviddavis at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Recently, Pulp 3 package installs were broken by a new version of DRF
>>>>>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
>>>>>> fragile and unstable because they don't pin versions of dependencies.
>>>>>>
>>>>>> I was thinking of a new strategy whereby we pin pulpcore's
>>>>>> dependencies to specific versions (either y or z releases) and we use
>>>>>> something like dependabot[1] to notify us of new updates for pulpcore
>>>>>> dependencies. It looks like it'll open new PRs when it detects a dependency
>>>>>> is out of date.
>>>>>>
>>>>>> The one downside I do see is that dependabot PRs could be ignored.
>>>>>> However, I think the stability of our releases outweighs this potential
>>>>>> risk especially as we get closer to GA.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
>>>>>> [1] https://dependabot.com/
>>>>>>
>>>>>> David
>>>>>> _______________________________________________
>>>>>> Pulp-dev mailing list
>>>>>> Pulp-dev at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>
>>>>> _______________________________________________
>>>>> Pulp-dev mailing list
>>>>> Pulp-dev at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>
>>>> _______________________________________________
>>>> Pulp-dev mailing list
>>>> Pulp-dev at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>
>>> _______________________________________________
>>> Pulp-dev mailing list
>>> Pulp-dev at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20190731/dabb83bb/attachment.htm>
More information about the Pulp-dev
mailing list