+1 to pinning to the Y release. On Tue, Jul 30, 2019 at 9:30 AM Dennis Kliban <[email protected]> wrote:
> +1 to pinning to the Y release. > > On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <[email protected]> > wrote: > >> +1 to pin dependencies and use dependabot >> >> If we were to pin to Z releases, then we'd need to release pulp 3 package >> with any Z release of any dependency we pin. >> And in case of any [security] fix in any dependency, users would need to >> wait for us to release pulp with updated dependency version. >> >> If my logic above is correct, I'm +1 to pin to Y releases. I think most >> (if not all) breaking changes we observed were in the Y releases. >> >> Tanya >> >> >> >> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <[email protected]> >> wrote: >> >>> +1. This brings increased stability to Pulp users, and keeps Pulp >>> forward compatible with all dependency releases. It's the best of both >>> worlds and automated! >>> >>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <[email protected]> >>> wrote: >>> >>>> +1 >>>> >>>> I really like that there is automation to help us update the deps. If >>>> the PR from dependabot passes CI, we can just merge. Otherwise we will file >>>> an issue. >>>> >>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <[email protected]> >>>> wrote: >>>> >>>>> Recently, Pulp 3 package installs were broken by a new version of DRF >>>>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are >>>>> fragile and unstable because they don't pin versions of dependencies. >>>>> >>>>> I was thinking of a new strategy whereby we pin pulpcore's >>>>> dependencies to specific versions (either y or z releases) and we use >>>>> something like dependabot[1] to notify us of new updates for pulpcore >>>>> dependencies. It looks like it'll open new PRs when it detects a >>>>> dependency >>>>> is out of date. >>>>> >>>>> The one downside I do see is that dependabot PRs could be ignored. >>>>> However, I think the stability of our releases outweighs this potential >>>>> risk especially as we get closer to GA. >>>>> >>>>> Thoughts? >>>>> >>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html >>>>> [1] https://dependabot.com/ >>>>> >>>>> David >>>>> _______________________________________________ >>>>> Pulp-dev mailing list >>>>> [email protected] >>>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>>> >>>> _______________________________________________ >>>> Pulp-dev mailing list >>>> [email protected] >>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>> >>> _______________________________________________ >>> Pulp-dev mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/pulp-dev >>> >> _______________________________________________ >> Pulp-dev mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/pulp-dev >> > _______________________________________________ > Pulp-dev mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/pulp-dev > -- Mike DePaulo He / Him / His Service Reliability Engineer, Pulp Red Hat <https://www.redhat.com/> IM: mikedep333 GPG: 51745404 <https://www.redhat.com/>
_______________________________________________ Pulp-dev mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-dev
