[openstack-dev] [all] [stable] No longer doing stable point releases
mthode at mthode.org
Mon Jun 1 00:00:01 UTC 2015
On 05/31/2015 05:50 PM, Alan Pevec wrote:
> 2015-05-29 18:30 GMT+02:00 Jeremy Stanley <fungi at yuggoth.org>:
>> On 2015-05-29 16:30:12 +0100 (+0100), Dave Walker wrote:
>>> This is generally my opinion as-well, I always hoped that *every*
>>> commit would be considered a release rather than an arbitrary
>>> tagged date.
>> If we switch away from lockstep major/minor release versioning
>> anyway (again separate discussion underway but seems a distinct
>> possibility) then I think the confusion over why stable point
>> releases are mismatched becomes less of an issue. At that point we
>> may want to reconsider and actually tag each of them with a
>> sequential micro (patch in semver terminology) version bump. Could
>> help in communication around security fixes in particular.
> Yes, if dropping stable point releases, sub-version schema is still
> needed for clear communication in OSSAs and proposed continuous
> releases notes.
> One issue is how would we provide source tarballs, statically hosting
> tarballs for each and every micro version is not realistic, also those
> wouldn't be signed.
> RPM packages traditionally expect pristine upstream tarballs which can
> be verified and generating them from git is not reproducible e.g.
> right now in nova stable/kilo branch:
>   python ./setup.py sdist
>   mv dist/nova-2015.1.1.dev20.tar.gz dist/nova-2015.1.1.dev20.tar.gz-TAKE1
>   python ./setup.py sdist
>   diff dist/nova-2015.1.1.dev20.tar.gz-TAKE1 dist/nova-2015.1.1.dev20.tar.gz
>   Binary files dist/nova-2015.1.1.dev20.tar.gz-TAKE1 and
>   dist/nova-2015.1.1.dev20.tar.gz differ
> Before dropping point releases, I would like to have:
> * idempotent sdist on the same SHA
> * dynamic tarball generation service like github archive
> * switch to micro-version i.e. current nova stable/kilo would be 2015.1.20
Generating tarballs from commit SHAs isn't enough?
I'm personally thinking of installing a file somewhere that references
what commit hash the package was sourced from. I'm thinking of doing
Tarball generation would be nice.
You will get different checksums with tar and/or gzip; you can check the
extracted files and they should be the same.
I would like to see signed commits in the 'official' repos (at
git.openstack.org), if only because relying on sha alone doesn't seem
enough for some.
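
The check discussed in this thread (two sdist runs on the same SHA give
tarballs with different checksums, while the files inside should match),
as an added example that is not part of the original message or of any
OpenStack tooling. The sample tree, file names and timestamps are
constructed, and the tarballs are built in memory instead of by setup.py:

```python
import hashlib
import io
import tarfile


def make_sdist(files, mtime):
    """Build a constructed .tar.gz in memory; mtime stands in for build time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_digest(archive_bytes):
    """SHA-256 of the compressed tarball, the value that differs between takes."""
    return hashlib.sha256(archive_bytes).hexdigest()


def content_manifest(archive_bytes):
    """Map member path -> (type, mode, payload digest); timestamps and owners ignored."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                payload = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                payload = m.linkname  # symlink/hardlink target, empty for directories
            manifest[m.name] = (m.type, m.mode & 0o7777, payload)
    return manifest


def content_digest(archive_bytes):
    """One digest over the sorted manifest; stable across rebuilds of the same tree."""
    entries = sorted(content_manifest(archive_bytes).items())
    return hashlib.sha256(repr(entries).encode()).hexdigest()


# Constructed sample tree (not real nova sources), built twice one minute apart.
TREE = {"pkg-1.0/setup.py": b"import setuptools\n", "pkg-1.0/PKG-INFO": b"Name: pkg\n"}
TAKE1 = make_sdist(TREE, mtime=1433116800)
TAKE2 = make_sdist(TREE, mtime=1433116860)
CHANGED = make_sdist({**TREE, "pkg-1.0/setup.py": b"import os\n"}, mtime=1433116860)

if __name__ == "__main__":
    print("archive digests equal:", archive_digest(TAKE1) == archive_digest(TAKE2))
    print("content digests equal:", content_digest(TAKE1) == content_digest(TAKE2))
    print("changed file detected:", content_digest(TAKE2) != content_digest(CHANGED))
```

The content digest only shows that two archives carry the same files; it
says nothing about who produced them, which is what a signature is for.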