I've opened a PR to pin dependencies and set up an initial config for dependabot. After we merge it, I'll enable dependabot, which should start opening PRs to update our dependencies.
https://github.com/pulp/pulpcore/pull/239

David

On Tue, Jul 30, 2019 at 12:43 PM Daniel Alley <[email protected]> wrote:

> +1 Y releases
>
> On Tue, Jul 30, 2019 at 12:01 PM Brian Bouterse <[email protected]> wrote:
>
>> +1 to pin Y releases
>>
>> On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <[email protected]> wrote:
>>
>>> +1 to pin dependencies and use dependabot
>>>
>>> If we were to pin to Z releases, then we'd need to release pulp 3 package with any Z release of any dependency we pin.
>>> And in case of any [security] fix in any dependency, users would need to wait for us to release pulp with updated dependency version.
>>>
>>> If my logic above is correct, I'm +1 to pin to Y releases. I think most (if not all) breaking changes we observed were in the Y releases.
>>>
>>> Tanya
>>>
>>> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <[email protected]> wrote:
>>>
>>>> +1. This brings increased stability to Pulp users, and keeps Pulp forward compatible with all dependency releases. It's the best of both worlds and automated!
>>>>
>>>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <[email protected]> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> I really like that there is automation to help us update the deps. If the PR from dependabot passes CI, we can just merge. Otherwise we will file an issue.
>>>>>
>>>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <[email protected]> wrote:
>>>>>
>>>>>> Recently, Pulp 3 package installs were broken by a new version of DRF which necessitated a new release of pulpcore (RC4)[0]. Our releases are fragile and unstable because they don't pin versions of dependencies.
>>>>>>
>>>>>> I was thinking of a new strategy whereby we pin pulpcore's dependencies to specific versions (either y or z releases) and we use something like dependabot[1] to notify us of new updates for pulpcore dependencies. It looks like it'll open new PRs when it detects a dependency is out of date.
>>>>>>
>>>>>> The one downside I do see is that dependabot PRs could be ignored. However, I think the stability of our releases outweighs this potential risk especially as we get closer to GA.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
>>>>>> [1] https://dependabot.com/
>>>>>>
>>>>>> David
>>>>>> _______________________________________________
>>>>>> Pulp-dev mailing list
>>>>>> [email protected]
>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
_______________________________________________ Pulp-dev mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-dev
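The policy the thread settles on (pin to Y releases so that Z releases, including security fixes, reach users without a new pulpcore release, while breaking Y releases are held back) is easy to check mechanically in CI. The script below is an added example for that check; it is not code from the pulpcore PR linked above or from dependabot, the requirements lines it reads are a constructed sample rather than pulpcore's real file, and the classify/audit helper names are hypothetical. It uses only the Python standard library and understands the common pin spellings: exact `==X.Y.Z` (a Z pin), `~=X.Y.Z` or `==X.Y.*` or `>=X.Y,<X.Y+1` (Y pins), `~=X.Y` or `==X.*` or `>=X,<X+1` (X pins), and floor-only or bare requirements (unpinned).

```python
"""Audit a requirements file for the Y-release pinning policy discussed above.

Added example; not code from pulpcore PR #239 or from dependabot. It classifies
each requirement by how tightly it is pinned so a CI job can flag anything that
is not a Y (minor-version) pin: a Z pin forces a pulpcore release for every
dependency security fix, while an unpinned or X-level requirement lets a
breaking Y release break installs. Standard library only; the sample is constructed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[Optional[int], ...]  # (3, 9, None) for "3.9.*"

# name, optional extras, specifier list, optional trailing "# comment"
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?P<extras>\[[^\]]*\])?\s*(?P<spec>[^#]*?)\s*(?:#.*)?$"
)
_SPEC_RE = re.compile(
    r"(?P<op>~=|==|!=|<=|>=|<|>)\s*(?P<ver>[0-9]+(?:\.[0-9]+)*(?:\.\*)?)"
)


def _parts(version: str) -> Version:
    """'3.9.*' -> (3, 9, None); '3.10' -> (3, 10)."""
    return tuple(None if p == "*" else int(p) for p in version.split("."))


def _range_level(lo: Version, hi: Version) -> str:
    """Level of a '>=lo,<hi' range: 'minor' if hi is the next Y of lo, 'major' if the next X."""
    hi_norm = tuple(v for v in hi if v is not None)
    while len(hi_norm) > 1 and hi_norm[-1] == 0:  # "<3.10.0" is the same bound as "<3.10"
        hi_norm = hi_norm[:-1]
    if len(lo) >= 2 and lo[1] is not None and hi_norm == (lo[0], lo[1] + 1):
        return "minor"
    if hi_norm == (lo[0] + 1,):
        return "major"
    return "other"


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalized name, level) for one requirement line, or None for
    blank, comment and option lines. Levels: unpinned, major, minor, patch, other."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    match = _REQ_RE.match(line)
    if not match:
        return None
    name = match.group("name").lower()
    specs = [(m.group("op"), _parts(m.group("ver")))
             for m in _SPEC_RE.finditer(match.group("spec"))]
    if not specs:
        return name, "unpinned"
    if len(specs) == 1:
        op, ver = specs[0]
        if op == "==" and ver[-1] is not None:  # ==2.8.3: exact Z pin
            return name, "patch"
        if op in ("==", "~="):                  # ==3.9.* / ~=3.9.0 pin Y; ==3.* / ~=3.9 pin X
            return name, {3: "minor", 2: "major"}.get(len(ver), "other")
        if op in (">=", ">"):                   # floor with no ceiling
            return name, "unpinned"
        return name, "other"
    lower = [v for op, v in specs if op == ">="]
    upper = [v for op, v in specs if op == "<"]
    if lower and upper:
        return name, _range_level(lower[0], upper[0])
    return name, "other"


def audit(requirements: str, policy: str = "minor") -> List[Tuple[str, str]]:
    """Return (name, level) for every requirement not pinned at the policy level."""
    offenders = []
    for line in requirements.splitlines():
        result = classify(line)
        if result is not None and result[1] != policy:
            offenders.append(result)
    return offenders


# Constructed sample; not pulpcore's real requirements file.
SAMPLE_REQUIREMENTS = """\
# requirements.txt (constructed sample)
Django~=2.2.0                      # Y pin: any 2.2.z, 2.3 blocked
djangorestframework>=3.10,<3.11    # Y pin written as a range
psycopg2==2.8.3                    # Z pin: a 2.8.4 security fix waits for a release
drf-nested-routers                 # unpinned: a breaking Y release breaks installs
PyYAML>=5.1                        # floor only, effectively unpinned
redis==3.*                         # X pin: allows breaking Y releases
"""

if __name__ == "__main__":
    for name, level in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}: pinned at '{level}' level, policy requires 'minor'")
```

Run against the sample it reports psycopg2, drf-nested-routers, PyYAML and redis; the two Y-pinned lines pass. Wiring it into CI as a failing step keeps the policy honest after dependabot PRs are merged, since dependabot rewrites the version in place and a hand edit can quietly turn a Y pin into an exact pin.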
