Open Stack

2015-05-29 21:36 GMT+02:00 Dave Walker <email at daviey.com>:
> Responses inline.
>
> On 29 May 2015 6:15 pm, "Haïkel" <hguemar at fedoraproject.org> wrote:
>>
>> 2015-05-29 15:41 GMT+02:00 Thierry Carrez <thierry at openstack.org>:
>> > Hi everyone,
>> >
>> > TL;DR:
>> > - We propose to stop tagging coordinated point releases (like 2015.1.1)
>> > - We continue maintaining stable branches as a trusted source of stable
>> > updates for all projects though
>> >
>>
>> Hi,
>>
>> I'm one of the main maintainer of the packages for Fedora/RHEL/CentOS.
>> We try to stick as much as possible to upstream (almost zero
>> downstream patches),
>> and without intermediate releases, it will get difficult.
>
> If you consider *every* commit to be a release, then your life becomes
> easier. This is just a case of bumping the SemVer patch version per commit
> (as eloquently put by Jeremy).  We even have tooling to automate the version
> generation via pbr..
>
> Therefore, you might want to jump from X.X.100 to X.X.200 which would mean
> 100 commits since the last update.
>

We have continuous builds for every commit master for a while now, and
it's been a
great tool with CI to have early feedback (missing deps, integration
issues etc.).
We could easily reuse that platform to track stable branches.

The problem is that downstream QA/CI cycle of a package could be much
longer than between
two commits. So we'd end up jamming updates.
I'd rather not drop downstream QA as it testes integration bits, and
it's unlikely
to be something that could be upstream.


>> I'm personally not fond of this as it will lead to more fragmentation.
>> It may encourage
>> bad behaviors like shipping downstream patches for bug fixes and CVE
>> instead
>> of collaborating upstream to differentiate themselves.
>> For instance, if we had no point-based release, for issues tracking
>> purposes, we would
>> have to maintain our sets of tags somewhere.
>
> I disagree, each distro already does security patching and whilst I expect
> this to still happens, it actually *encourages* upstream first workflow as
> you can select a release on your own cadence that includes commits you need,
> for your users.
>

If they choose to rebase upon stable branches, you could also cherry-pick.

>> There's also the release notes issue that has already been mentioned.
>> Still continuous release notes won't solve the problem, as you wouldn't
>> be able to map these to the actual packages. Will we require operators
>> to find from which git commit, the packages were built and then try to
>> figure
>> out which fixes are and are not included?
>
> Can you provide more detail? I'm not understanding the problem.
>

A release version makes it easy to know what fixes are shipped in a package.
If you rebase on stable branches, then you can just put the git sha1sum (though,
it's not very friendly) in the version, and leverage git branch
--contains to find out
if you fix is included.
Some distributors may choose to use their own release scheme, adding
complexity to
this simple but common problem.
Other may choose to cherry-pick which adds more complexity than the
previous scenario.

Let's say you're an operator and you want to check if a CVE is shipped
in all your nodes,
if you can't check with just the release version, it will be complicated.
It could be a barrier for heterogeneous systems

>> > Long version:
>> >
>> > At the "stable branch" session in Vancouver we discussed recent
>> > evolutions in the stable team processes and how to further adapt the
>> > work of the team in a "big tent" world.
>> >
>> > One of the key questions there was whether we should continue doing
>> > stable point releases. Those were basically tags with the same version
>> > number ("2015.1.1") that we would periodically push to the stable
>> > branches for all projects.
>> >
>> > Those create three problems.
>> >
>> > (1) Projects do not all follow the same versioning, so some projects
>> > (like Swift) were not part of the "stable point releases". More and more
>> > projects are considering issuing intermediary releases (like Swift
>> > does), like Ironic. That would result in a variety of version numbers,
>> > and ultimately less and less projects being able to have a common
>> > "2015.1.1"-like version.
>> >
>>
>> And that's actually a pain point to track for these releases in which
>> OpenStack branch belong. And this is probably something that needs to
>> be resolved.
>>
>> > (2) Producing those costs a non-trivial amount of effort on a very small
>> > team of volunteers, especially with projects caring about stable
>> > branches in various amounts. We were constantly missing the
>> > pre-announced dates on those ones. Looks like that effort could be
>> > better spent improving the stable branches themselves and keeping them
>> > working.
>> >
>>
>> Agreed, but why not switching to a time-based release?
>> Regularly, we tag/generate/upload tarballs, this could even be automated.
>> As far as I'm concerned, I would be more happy to have more frequent
>> releases.
>>
>> > (3) The resulting "stable point releases" are mostly useless. Stable
>> > branches are supposed to be always usable, and the "released" version
>> > did not undergo significantly more testing. Issuing them actually
>> > discourages people from taking whatever point in stable branches makes
>> > the most sense for them, testing and deploying that.
>> >
>> > The suggestion we made during that session (and which was approved by
>> > the session participants) is therefore to just get rid of the "stable
>> > point release" concept altogether for non-libraries. That said:
>> >
>> > - we'd still do individual point releases for libraries (for critical
>> > bugs and security issues), so that you can still depend on a specific
>> > version there
>> >
>> > - we'd still very much maintain stable branches (and actually focus our
>> > efforts on that work) to ensure they are a continuous source of safe
>> > upgrades for users of a given series
>> >
>> > Now we realize that the cross-section of our community which was present
>> > in that session might not fully represent the consumers of those
>> > artifacts, which is why we expand the discussion on this mailing-list
>> > (and soon on the operators ML).
>> >
>>
>> Thanks, I was not able to join this discussion, and that was the kind
>> of proposal
>> that I was fearing to see happen.
>>
>> > If you were a consumer of those and will miss them, please explain why.
>> > In particular, please let us know how consuming that version (which was
>> > only made available every n months) is significantly better than picking
>> > your preferred time and get all the current stable branch HEADs at that
>> > time.
>> >
>>
>> We provide both type of builds
>> * git continuous builds => for testing/CI and early feedback on potential
>> issues
>> * point-release based builds => for GA, and production
>>
>> Anyway, I won't force anyone to do something they don't want to do but I'm
>> willing to step in to keep point releases in one form or another.
>>
>> Regards,
>> H.
>>
>> > Thanks in advance for your feedback,
>> >
>> > [1] https://etherpad.openstack.org/p/YVR-relmgt-stable-branch
>> >
>> > --
>> > Thierry Carrez (ttx)
>> >
>> >
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe:
>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>