+1. This brings increased stability to Pulp users, and keeps Pulp forward compatible with all dependency releases. It's the best of both worlds and automated!
On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <dkli...@redhat.com> wrote:

> +1
>
> I really like that there is automation to help us update the deps. If the
> PR from dependabot passes CI, we can just merge. Otherwise we will file an
> issue.
>
> On Fri, Jul 26, 2019 at 11:38 AM David Davis <davidda...@redhat.com>
> wrote:
>
>> Recently, Pulp 3 package installs were broken by a new version of DRF
>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
>> fragile and unstable because they don't pin versions of dependencies.
>>
>> I was thinking of a new strategy whereby we pin pulpcore's dependencies
>> to specific versions (either y or z releases) and we use something like
>> dependabot[1] to notify us of new updates for pulpcore dependencies. It
>> looks like it'll open new PRs when it detects a dependency is out of date.
>>
>> The one downside I do see is that dependabot PRs could be ignored.
>> However, I think the stability of our releases outweighs this potential
>> risk especially as we get closer to GA.
>>
>> Thoughts?
>>
>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
>> [1] https://dependabot.com/
>>
>> David
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev@redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev