accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From joshelser <...@git.apache.org>
Subject [GitHub] accumulo pull request #131: ACCUMULO-4356 Remove bundled jars from -bin.tar....
Date Fri, 22 Jul 2016 16:27:20 GMT
Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/131#discussion_r71906550
  
    --- Diff: assemble/src/main/scripts/generate-download-script.sh ---
    @@ -0,0 +1,56 @@
    +#! /usr/bin/env bash
    +
    +# Licensed to the Apache Software Foundation (ASF) under one or more
    +# contributor license agreements.  See the NOTICE file distributed with
    +# this work for additional information regarding copyright ownership.
    +# The ASF licenses this file to You under the Apache License, Version 2.0
    +# (the "License"); you may not use this file except in compliance with
    +# the License.  You may obtain a copy of the License at
    +#
    +#     http://www.apache.org/licenses/LICENSE-2.0
    +#
    +# Unless required by applicable law or agreed to in writing, software
    +# distributed under the License is distributed on an "AS IS" BASIS,
    +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +# See the License for the specific language governing permissions and
    +# limitations under the License.
    +
    +# This script will generate a DEPENDENCIES listing of packaged dependencies
    +
    +in=target/dependencies.raw.txt
    +out=target/download-dependencies
    +
    +cat >"$out" <<'EOF'
    +#! /usr/bin/env bash
    +# This script downloads the following jars, identified by their maven
    +# coordinates, using the maven-dependency-plugin.
    +#
    +# DISCLAIMER: This is only one possible way to download a set of dependencies
    --- End diff --
    
    > We can, as you've stated, document what versions we've built with and we're pretty
sure will work, if the user sticks to all those same versions. Of course, I wouldn't recommend
users actually stick to just those versions... otherwise, they'll probably be left vulnerable
to various bugs and security problems which have been fixed in newer versions of those dependencies.
But we can at least document it as a baseline for what versions worked, at the time of release.
    
    This line of thinking still bothers me :). In an ideal world where everyone uses semver
correctly, this would probably work. I don't think this is close to reality. I feel like this
is just creating a situation that makes users' life terrible (by leading them down a path
of trial & error).
    
    As another concrete example to this one: let's take Thrift. A user might look at versions,
see that they want 0.9.4 Thrift for some security patch or for other things in their application.
This will completely not work for Accumulo. How are they supposed to figure this out?
    
    Documenting versions that worked is certainly one thing we can do and *require* that this
is put into release notes? I'm curious what others think about this.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message