+1 to pinning to the Y release. On Tue, Jul 30, 2019 at 9:30 AM Dennis Kliban <dkli...@redhat.com> wrote:
> +1 to pinning to the Y release. > > On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <ttere...@redhat.com> > wrote: > >> +1 to pin dependencies and use dependabot >> >> If we were to pin to Z releases, then we'd need to release pulp 3 package >> with any Z release of any dependency we pin. >> And in case of any [security] fix in any dependency, users would need to >> wait for us to release pulp with updated dependency version. >> >> If my logic above is correct, I'm +1 to pin to Y releases. I think most >> (if not all) breaking changes we observed were in the Y releases. >> >> Tanya >> >> >> >> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <bbout...@redhat.com> >> wrote: >> >>> +1. This brings increased stability to Pulp users, and keeps Pulp >>> forward compatible with all dependency releases. It's the best of both >>> worlds and automated! >>> >>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <dkli...@redhat.com> >>> wrote: >>> >>>> +1 >>>> >>>> I really like that there is automation to help us update the deps. If >>>> the PR from dependabot passes CI, we can just merge. Otherwise we will file >>>> an issue. >>>> >>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <davidda...@redhat.com> >>>> wrote: >>>> >>>>> Recently, Pulp 3 package installs were broken by a new version of DRF >>>>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are >>>>> fragile and unstable because they don't pin versions of dependencies. >>>>> >>>>> I was thinking of a new strategy whereby we pin pulpcore's >>>>> dependencies to specific versions (either y or z releases) and we use >>>>> something like dependabot[1] to notify us of new updates for pulpcore >>>>> dependencies. It looks like it'll open new PRs when it detects a >>>>> dependency >>>>> is out of date. >>>>> >>>>> The one downside I do see is that dependabot PRs could be ignored. >>>>> However, I think the stability of our releases outweighs this potential >>>>> risk especially as we get closer to GA. >>>>> >>>>> Thoughts? >>>>> >>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html >>>>> [1] https://dependabot.com/ >>>>> >>>>> David >>>>> _______________________________________________ >>>>> Pulp-dev mailing list >>>>> Pulp-dev@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>>> >>>> _______________________________________________ >>>> Pulp-dev mailing list >>>> Pulp-dev@redhat.com >>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>> >>> _______________________________________________ >>> Pulp-dev mailing list >>> Pulp-dev@redhat.com >>> https://www.redhat.com/mailman/listinfo/pulp-dev >>> >> _______________________________________________ >> Pulp-dev mailing list >> Pulp-dev@redhat.com >> https://www.redhat.com/mailman/listinfo/pulp-dev >> > _______________________________________________ > Pulp-dev mailing list > Pulp-dev@redhat.com > https://www.redhat.com/mailman/listinfo/pulp-dev > -- Mike DePaulo He / Him / His Service Reliability Engineer, Pulp Red Hat <https://www.redhat.com/> IM: mikedep333 GPG: 51745404 <https://www.redhat.com/>
_______________________________________________ Pulp-dev mailing list Pulp-dev@redhat.com https://www.redhat.com/mailman/listinfo/pulp-dev
