Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E85FB10C33 for ; Fri, 10 Jan 2014 12:59:30 +0000 (UTC) Received: (qmail 23155 invoked by uid 500); 10 Jan 2014 12:59:19 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 23099 invoked by uid 500); 10 Jan 2014 12:59:14 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 23087 invoked by uid 99); 10 Jan 2014 12:59:10 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 10 Jan 2014 12:59:10 +0000 Received: from localhost (HELO [192.168.1.4]) (127.0.0.1) (smtp-auth username rnewson, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Fri, 10 Jan 2014 12:59:10 +0000 Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\)) Subject: Re: A quick status about the merge of rcouch From: Robert Samuel Newson In-Reply-To: Date: Fri, 10 Jan 2014 12:59:06 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <61ED5848-27D7-418F-B20C-5996E8F6EE08@apache.org> References: To: dev@couchdb.apache.org X-Mailer: Apple Mail (2.1827) My concern with external dependencies is that our release tarballs = become unusable when github is down (which is often) or if those = projects mutate. The Maven approach is different to the rebar deps one, = an non-SNAPSHOT dependency on a Maven repo is immutable and permanent by = design. Nothing stops the jiffy/mochiweb/etc maintainer from deleting = the repository or removing a tag. However, the most immediate issue is the ability to maintain patches = against them, so let=92s focus there. I certainly don=92t think it would = be wise for us to require upstream maintainers to take our patches = before we can make them. The SOCKS5 patch is particularly interesting. = The upstream project has added it independently but in ways that break = the intention behind ours. Given the security aspects of the differences = (DNS leaks), pointing to an external repository feels far too risk for = me.=20 For these reasons, I=92d rather we include the source we use, and git = makes it straightforward to import upstream release on our own schedule = (which I freely admit we don=92t do very often), and with our explicit = action and ability to review them. lock-rebar-deps appears only to convert the tag or branch we=92re = pointing at to an explicit commit id. That=92s a help, but not enough = imo. B. On 10 Jan 2014, at 12:39, Benoit Chesneau wrote: > On Fri, Jan 10, 2014 at 1:36 PM, Robert Samuel Newson = wrote: >=20 >> "all externals dependencies (mochiweb, jiffy, erlang-oauth, ibrowse, >> snappy) has been removed from our source" >>=20 >> CouchDB has patches against some of these, how are you preserving = them? >>=20 >=20 > mochiweb has already most of them in latest upstream. Some better from = ours. > ibrowse yes. I didn't port yet the socks5 one. > snappy . yes from the start. > erlang-oauth - yes > jiffy : well this is the latest >=20 >=20 >=20 >>=20 >> I think the topic of whether our dependencies should be included, as = they >> have been to date, or pulled from external sources is one we should = have a >> group. >>=20 >=20 >=20 > agree. Note that there is a rebar plugin that allows that: >=20 > https://github.com/lukyanov/rebar-lock-deps >=20 > - benoit