From: Aaron Lindsey
Subject: Re: [DISCUSS] Geode dependency update process (review by 8/28/2019)
Date: Tue, 13 Aug 2019 09:38:41 -0700
To: dev@geode.apache.org

I like the idea of proactively updating dependencies after each release. For this to work we would have to know whether the next release will be a major or minor release directly after each GA release (so that we can bump either major or minor versions, as appropriate). How and when do we currently determine our major release cycle? Would we know at the time of a GA release whether the next release would be a major or minor release?

- Aaron

> On Aug 13, 2019, at 9:22 AM, Nicholas Vallely wrote:
>
> https://cwiki.apache.org/confluence/display/GEODE/%5BDraft%5D+Geode+dependency+update+process
>
> Here is the content of the wiki proposal above for a discussion:
> Problem
>
> We recently updated the dependencies for the log4j version used in Geode to
> keep up with Spring Boot Data Geode's logging dependencies. As far as I
> know, we do not have a process to keep dependencies up to date or regularly
> scheduled updates to them. Currently, I believe this is handled ad-hoc
> which hasn't necessarily caused any major issues but could.
> Anti-Goals
> Solution
>
> *Directly after GA release of Geode minor version:*
> The release manager for the most recently released version of Geode would
> review any dependencies in the Geode project (presumably this will/could be
> automated).
>
> - For a minor release, only minor version dependency updates should be
>   considered
> - For a major release, major versions should be considered
>
> The release manager would submit a PR to update dependencies and then the
> community should pitch in to tackle any subsequent issues that arise from
> the updating of dependencies. *Note the first time this happens may be
> painful*
>
> *In-between releases:*
> We keep doing what we are doing:
>
> - Ad-hoc dependency updates as necessary
>
> *When a new release manager is chosen:*
> The release manager would send out an email as the last call for dependency
> updates that would coincide with a proposed release branch cut date. This
> would give everyone a reminder that if they need to update a dependency
> prior to the release there is limited time left in order to do so.
> Changes and Additions to Public Interfaces
>
> *n/a*
> Performance Impact
>
> *Potentially a new version of a dependency could cause a performance impact
> and we should run a performance test suite on the recently released version
> vs the updated dependency version*
> Backwards Compatibility and Upgrade Path
>
> *In a minor release, minor version dependency updates shouldn't cause
> compatibility issues.*
> Prior Art
>
> *What would be the alternatives to the proposed solution? What would happen
> if we don’t solve the problem? Why should this proposal be preferred?*
>
> *If we continue to do this ad-hoc, there is a greater likelihood of CVEs
> or mismatching versions of conflicts between Geode and dependent projects.*
>
>
> *Nick*