I've opened a PR to pin dependencies and set up an initial config for
dependabot. After we merge it, I'll enable dependabot which should start
opening PRs to update our dependencies.

https://github.com/pulp/pulpcore/pull/239

David


On Tue, Jul 30, 2019 at 12:43 PM Daniel Alley <dal...@redhat.com> wrote:

> +1 Y releases
>
> On Tue, Jul 30, 2019 at 12:01 PM Brian Bouterse <bmbou...@redhat.com>
> wrote:
>
>> +1 to pin Y releases
>>
>> On Tue, Jul 30, 2019 at 8:41 AM Tatiana Tereshchenko <ttere...@redhat.com>
>> wrote:
>>
>>> +1 to pin dependencies and use dependabot
>>>
>>> If we were to pin to Z releases, then we'd need to release pulp 3
>>> package with any Z release of any dependency we pin.
>>> And in case of any [security] fix in any dependency, users would need to
>>> wait for us to release pulp with updated dependency version.
>>>
>>> If my logic above is correct, I'm +1 to pin to Y releases. I think most
>>> (if not all) breaking changes we observed were in the Y releases.
>>>
>>> Tanya
>>>
>>>
>>>
>>> On Fri, Jul 26, 2019 at 7:40 PM Brian Bouterse <bbout...@redhat.com>
>>> wrote:
>>>
>>>> +1. This brings increased stability to Pulp users, and keeps Pulp
>>>> forward compatible with all dependency releases. It's the best of both
>>>> worlds and automated!
>>>>
>>>> On Fri, Jul 26, 2019 at 12:33 PM Dennis Kliban <dkli...@redhat.com>
>>>> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> I really like that there is automation to help us update the deps. If
>>>>> the PR from dependabot passes CI, we can just merge. Otherwise we will
>>>>> file an issue.
>>>>>
>>>>> On Fri, Jul 26, 2019 at 11:38 AM David Davis <davidda...@redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Recently, Pulp 3 package installs were broken by a new version of DRF
>>>>>> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
>>>>>> fragile and unstable because they don't pin versions of dependencies.
>>>>>>
>>>>>> I was thinking of a new strategy whereby we pin pulpcore's
>>>>>> dependencies to specific versions (either y or z releases) and we use
>>>>>> something like dependabot[1] to notify us of new updates for pulpcore
>>>>>> dependencies. It looks like it'll open new PRs when it detects a
>>>>>> dependency is out of date.
>>>>>>
>>>>>> The one downside I do see is that dependabot PRs could be ignored.
>>>>>> However, I think the stability of our releases outweighs this potential
>>>>>> risk especially as we get closer to GA.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
>>>>>> [1] https://dependabot.com/
>>>>>>
>>>>>> David
>>>>>> _______________________________________________
>>>>>> Pulp-dev mailing list
>>>>>> Pulp-dev@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>
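A worked illustration of the Y-release versus Z-release pinning trade-off discussed in the thread above. This is an added example, not code from pulpcore or from anyone on the list. It implements a small subset of PEP 440 specifier matching (plain numeric versions and the `==`, `!=`, `>=`, `<=`, `>`, `<`, `~=` and `==X.Y.*` forms) and runs it over a constructed release stream for a hypothetical dependency; the version numbers are made up and say nothing about which DRF release broke the Pulp 3 install.

```python
"""Y-release vs Z-release pinning, on a constructed dependency release stream.

Added example (not pulpcore code). Implements only a small subset of
PEP 440 specifier matching: plain numeric versions such as "3.9.4" and
the clause forms ==, !=, >=, <=, >, <, ~= and the "==X.Y.*" wildcard.
Pre-releases, local versions and epochs are deliberately not handled.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample release stream for a hypothetical dependency, in
# release order.  These are not real versions of DRF or any other package.
RELEASES: List[str] = ["3.9.2", "3.9.3", "3.9.4", "3.10.0", "3.10.1", "4.0.0"]

# The three strategies the thread compares.  Note that PEP 440 "~=3.9"
# would only pin the major version; a Y-release pin needs "~=3.9.0"
# (equivalent to ">=3.9.0,==3.9.*").
STRATEGIES: Dict[str, str] = {
    "unpinned": ">=3.9",
    "y_pin": "~=3.9.0",
    "z_pin": "==3.9.3",
}


def parse_version(text: str) -> Version:
    """'3.9.4' -> (3, 9, 4).  Only dotted integers are accepted."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so (3, 9) compares equal to (3, 9, 0)."""
    return v + (0,) * (n - len(v))


def _aligned(a: Version, b: Version) -> Tuple[Version, Version]:
    n = max(len(a), len(b))
    return _pad(a, n), _pad(b, n)


def clause_matches(clause: str, version: str) -> bool:
    """Evaluate one specifier clause such as '~=3.9.0' against a version."""
    clause = clause.strip()
    for op in ("~=", "==", "!=", ">=", "<=", ">", "<"):
        if clause.startswith(op):
            target = clause[len(op):].strip()
            break
    else:
        raise ValueError(f"unsupported clause: {clause!r}")

    v = parse_version(version)

    # "==3.9.*": prefix match on the components before the wildcard.
    if op == "==" and target.endswith(".*"):
        prefix = parse_version(target[:-2])
        return _pad(v, len(prefix))[:len(prefix)] == prefix

    t = parse_version(target)

    # "~=X.Y.Z" means ">=X.Y.Z, ==X.Y.*": at least the target, and the same
    # prefix once the last component is dropped.
    if op == "~=":
        if len(t) < 2:
            raise ValueError("~= needs at least two version components")
        prefix = t[:-1]
        a, b = _aligned(v, t)
        return a >= b and _pad(v, len(prefix))[:len(prefix)] == prefix

    a, b = _aligned(v, t)
    return {
        "==": a == b, "!=": a != b,
        ">=": a >= b, "<=": a <= b,
        ">": a > b, "<": a < b,
    }[op]


def satisfies(spec: str, version: str) -> bool:
    """True if the version satisfies every comma-separated clause."""
    return all(clause_matches(c, version) for c in spec.split(","))


def accepted(spec: str, releases: List[str]) -> List[str]:
    """Releases (in input order) that the specifier would allow."""
    return [r for r in releases if satisfies(spec, r)]


def newest_installable(spec: str, releases: List[str]) -> Optional[str]:
    """What a resolver picks: the highest release the specifier allows."""
    hits = accepted(spec, releases)
    return max(hits, key=parse_version) if hits else None


def compare_strategies(releases: List[str] = RELEASES) -> Dict[str, List[str]]:
    """Accepted releases per strategy, keyed by the STRATEGIES names."""
    return {name: accepted(spec, releases) for name, spec in STRATEGIES.items()}


if __name__ == "__main__":
    for name, spec in STRATEGIES.items():
        picks = accepted(spec, RELEASES)
        newest = newest_installable(spec, RELEASES)
        print(f"{name:9s} {spec:9s} accepts {picks}; installs {newest}")
```

Run as a script, the output shows the trade-off Tanya describes: under `y_pin` a constructed Z-level fix such as 3.9.4 reaches users with no new pulpcore release, while the 3.10.0 Y bump (the kind of release where the breaking changes were observed) is excluded; under `z_pin` users stay on 3.9.3 until the pin itself is bumped, which is exactly the PR dependabot would open; with no pin at all every release, including 4.0.0, is installable.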