Return-Path: X-Original-To: apmail-cordova-dev-archive@www.apache.org Delivered-To: apmail-cordova-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E92EF17A51 for ; Tue, 30 Sep 2014 15:41:25 +0000 (UTC) Received: (qmail 69282 invoked by uid 500); 30 Sep 2014 15:41:25 -0000 Delivered-To: apmail-cordova-dev-archive@cordova.apache.org Received: (qmail 69242 invoked by uid 500); 30 Sep 2014 15:41:25 -0000 Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cordova.apache.org Delivered-To: mailing list dev@cordova.apache.org Received: (qmail 69227 invoked by uid 99); 30 Sep 2014 15:41:25 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Sep 2014 15:41:25 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of agrieve@google.com designates 209.85.214.179 as permitted sender) Received: from [209.85.214.179] (HELO mail-ob0-f179.google.com) (209.85.214.179) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Sep 2014 15:40:59 +0000 Received: by mail-ob0-f179.google.com with SMTP id wp4so1705962obc.38 for ; Tue, 30 Sep 2014 08:40:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=5041C68tN28XBFMt+rNdlaVng7Ftngb1l/w3esJG7rQ=; b=lGYt3boatnIUKOLt+qOAk+YKWNNojbNZXA1AVe2TcmIhufVZ053RXgSS83pzZ6M3vr WjqtqPs4u8pIyKxAN/P6EM8Qzdry4oZIIyyi4WNX4fNEBAbgy1AgeYq/jDOGptEhAx7q ca2Yvv4u/UWXcDZmLMeSeiNzfiYT/wfP3DYLQfVTui7DsnxdUNQ9N+0OHbvixu84l4Ao w/q8pkOwgLUZxGyHlFkonnjNLdwpH0uQ41ZYIlBIZ6k7QBeus9Yl21y8JVQ7GGnuQJpP uza5eg7aCNqEY6rmjdKkp/d495h3qaijBF8yeTRISKMgBJuXiReJR+rBRTtKpNGx63Eq yA9w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=5041C68tN28XBFMt+rNdlaVng7Ftngb1l/w3esJG7rQ=; b=PxrLmDGTCu40EMWxScDFB1urXKBROHvIYRKMAAPxIFrvHTIeZnhed67xJEBK5qM07n 2Wys23YZ4PiIlp2CwX+PlbhM3x/xVjlye33kAt8ZBKPi6bfoNrmYAobraOrMvVx+hpd6 nRhaIvAbokLb1d3zhtQO7QnsSHvu+llXDvYXo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-type; bh=5041C68tN28XBFMt+rNdlaVng7Ftngb1l/w3esJG7rQ=; b=EmfyODXRFI39jtZR6BeSmqEdrIfM0Y348vU3TBm0iogeflxbcFosgLDcLKaSH2a69N 3AFnOSD8qiv0/HoaVRx8TilDeN4XmBM+4kkhCf1fLF7JHAHPjo2POcBKUpsxAmPDEECZ b01uK2h9WQw4WmmmMha455o4XoIPB21SXrbIx9c4mAgRxmxCNMHOEd8W8A7aojhyoYxp +IELq5hjVWD7nSupcXSYDjX0pCKjfwgp4oKpRH6I6meHhX+k4c+rHfN6licd/oVgo6wE 4fxG4Rtwo1ogr0fbYKoEmC2HzdWjBkNiN9T/5zr8P/sm8715iU+A6rSe7ET8i6AWEDLD sMwQ== X-Gm-Message-State: ALoCoQkcOzZ9Um/KYD44NxIQQkxcxRbRUipm/r5TCG6UIu6f2lg//Ak3n+f5ifvDqIEsE5ISyaNr X-Received: by 10.182.18.101 with SMTP id v5mr12447296obd.64.1412091658264; Tue, 30 Sep 2014 08:40:58 -0700 (PDT) MIME-Version: 1.0 Sender: agrieve@google.com Received: by 10.182.98.165 with HTTP; Tue, 30 Sep 2014 08:40:37 -0700 (PDT) In-Reply-To: References: <62368B3C-70D3-4ED3-B470-8BFFD1DF2EDB@gmail.com> <7ef63ff7ae6f4986a7d96fd47b690437@DM2PR03MB366.namprd03.prod.outlook.com> <87566401-D50F-44A8-B42A-442A9325EAD0@gmail.com> <55ED2FC4-F04D-4E13-B345-26D1EB89F32D@gmail.com> From: Andrew Grieve Date: Tue, 30 Sep 2014 11:40:37 -0400 X-Google-Sender-Auth: _iamlplVSf7Y-B1RYnTeT7eRai0 Message-ID: Subject: Re: [DISCUSS] shrinkwrap To: dev Content-Type: multipart/alternative; boundary=001a11c33060ae913105044a3512 X-Virus-Checked: Checked by ClamAV on apache.org --001a11c33060ae913105044a3512 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Even with pinned dependencies, we run into the problem that it's tough to ship multiple modules that depend on each other at the same time because cordova depends on cordova-lib. How about we stop using -rc# suffixes for our release candidates? E.g. For each RC, was actually do just bump the patch version and dist-tag it as @rc instead of @latest. If it doesn't work out, we bump the patch and try again. This will mean that it will be normal for our versions to jump by more than 0.0.1 each time, but I don't think that's actually a problem. We can then vote on RCs, and the final step of making the RC published, is just to switch the dist-tag rather than any re-packaging. On Mon, Sep 29, 2014 at 7:09 PM, Jesse wrote: > +1 to pinned dependencies, and no shrinkwrap > > @purplecabbage > risingj.com > > On Mon, Sep 29, 2014 at 1:45 PM, Marcel Kinard wrote= : > > > I didn't see a consensus on this topic yet, and a tools release is abou= t > > to get rolling by Steve. > > > > My original driver for this discussion is that if we are going to do > > shrinkwrap, that we do it all the way instead of slapping it on at the > end. > > > > Doing it does add more complexity. But it also removes variability, > that's > > the part I like. If the majority of folks want to skip the shrinkwrap, = I > > would be OK with that as long as we specifically pin all our > dependencies ( > > "foobar": "1.2.3" ) in our package.json files (no ".x", no tilde, caret= , > > greater-than, etc). That would handle the 1st-level dependencies, but n= ot > > subdependencies since we don't have control of their package.json - it'= s > > partway to the destination at a lower cost. This also assumes that > partway > > to the destination is good enough. > > > > I did add a step to the tools release that the pinned versions get > updated > > at the beginning of a release: > > > > > https://git-wip-us.apache.org/repos/asf?p=3Dcordova-coho.git;a=3Dblobdiff= ;f=3Ddocs/tools-release-process.md;h=3D02d28c97e8dd104528035939049515338347= c75b;hp=3Db5d288b2c5a8d3cb03bb8fc050bf26c8d15d28fb;hb=3D8ca35fe00cf0e72eb70= d05e242fe7021ec65b028;hpb=3D14983eb014f84e08e7a76f1ab6ffe069b81f6ffa > > > > Comments? > > > > On Sep 22, 2014, at 10:01 AM, Andrew Grieve > wrote: > > > > > I like having it in. For CCA, we actually did get bit in a release > where > > we > > > didn't have a shrinkwrap and a descendant dependency changed and brok= e > > > things on us. > > > > > > It's also really nice that when we sign and vote on a release, that > doing > > > an "npm install" on it down the line will recreate the exact thing we > > > tested & signed. > > > > > > I think the trouble came along here just from incomplete release step > > > instructions. I think that this (lack of clear steps / process) is th= e > > real > > > problem. > > > > > --001a11c33060ae913105044a3512--