couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Kocoloski <kocol...@apache.org>
Subject Re: tracking upstream dependencies
Date Fri, 26 Nov 2010 21:24:16 GMT
On Nov 26, 2010, at 3:58 PM, Dirkjan Ochtman wrote:

> On Fri, Nov 26, 2010 at 21:44, Noah Slater <nslater@apache.org> wrote:
>> But assuming we got this working, we face the problem of not being able to apply
our own patches. Also, the software it downloads might have some bug in it that was introduced
a week, day, or hour before the release was made. How would we defend ourselves against this?
> 
> You pull a specific version tarball and check it against a checksum?
> 
> Cheers,
> 
> Dirkjan

If we need to use a patched version of an upstream repo we can host our own fork of the canonical
git repository and apply the patches there.  I'm not sure what ASF requirements would be regarding
the hosting of those repositories.  The canonical sources for all of our upstream dependencies
- including Erlang/OTP - are now on github, so if the fork is hosted there upstream contributions
will be that much easier to make.

Regardless of the presence or absence of custom patches, using our own copy of the repo ensures
that we maintain full control over the inclusion of upstream changes.  If we're tracking the
master branch of an upstream dependency and we want to pin our builds to a specific commit
we can simply tag that commit and do future builds from that tag.  Regards,

Adam
Mime
View raw message