Recently, Pulp 3 package installs were broken by a new version of DRF, which necessitated a new release of pulpcore (RC4)[0]. Our releases are fragile and unstable because they don't pin versions of dependencies.
I was thinking of a new strategy whereby we pin pulpcore's dependencies to specific versions (either y or z releases) and we use something like dependabot[1] to notify us of new updates for pulpcore dependencies. It looks like it'll open new PRs when it detects a dependency is out of date. The one downside I do see is that dependabot PRs could be ignored. However, I think the stability of our releases outweighs this potential risk especially as we get closer to GA. Thoughts?

[0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
[1] https://dependabot.com/

David
_______________________________________________
Pulp-dev mailing list
Pulp-dev@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-dev