On 1/20/21 6:42 PM, Ghanshyam Mann wrote:
> I am still not convinced how 'removal of indirect deps from l-c' makes 'Know the lower bounds of openstack packages' better? I think it makes it less informative than it is currently. How will we know the lower bound for indirect deps?
I do not expect OpenStack upstream to solve that problem.
> Do not packagers need those
We may, but this is studied for each direct dependency one by one. I see no point trying to solve indirect dependency version bounds, as it's up to each direct dependency to test them.
> In general, my take here as an upstream maintainer is that we should ship the things completely tested/which serve the complete planned mission. We should not ship/commit anything half-baked. And we keep such things open as one of the TODOs if anyone volunteers to fix it.
What was completely wrong was, a few years from now, shipping artificially inflated lower bounds, like, expressing that each and every project needed the very last version for all oslo libraries, which was obviously not the case. The lower bound testing was trying to address this. Not indirect dependencies, which IMO is completely out of scope. However, when testing a lower bound for a direct dependency, you may need a lower version of an indirect dependency, and that's where it becomes tricky.

Cheers,

Thomas Goirand (zigo)