[openstack-dev] [all] [stable] No longer doing stable point releases
Matthew Thode
mthode at mthode.org
Mon Jun 1 00:00:01 UTC 2015
On 05/31/2015 05:50 PM, Alan Pevec wrote:
> 2015-05-29 18:30 GMT+02:00 Jeremy Stanley <fungi at yuggoth.org>:
>> On 2015-05-29 16:30:12 +0100 (+0100), Dave Walker wrote:
>>> This is generally my opinion as well, I always hoped that *every*
>>> commit would be considered a release rather than an arbitrary
>>> tagged date.
>> [...]
>>
>> If we switch away from lockstep major/minor release versioning
>> anyway (again separate discussion underway but seems a distinct
>> possibility) then I think the confusion over why stable point
>> releases are mismatched becomes less of an issue. At that point we
>> may want to reconsider and actually tag each of them with a
>> sequential micro (patch in semver terminology) version bump. Could
>> help in communication around security fixes in particular.
>
> Yes, if dropping stable point releases, sub-version schema is still
> needed for clear communication in OSSAs and proposed continuous
> releases notes.
> One issue is how would we provide source tarballs, statically hosting
> tarballs for each and every micro version is not realistic, also those
> wouldn't be signed.
> RPM packages traditionally expect pristine upstream tarballs which can
> be verified and generating them from git is not reproducible e.g.
> right now in nova stable/kilo branch:
> python ./setup.py sdist
> mv dist/nova-2015.1.1.dev20.tar.gz dist/nova-2015.1.1.dev20.tar.gz-TAKE1
> python ./setup.py sdist
> diff dist/nova-2015.1.1.dev20.tar.gz-TAKE1 dist/nova-2015.1.1.dev20.tar.gz
> Binary files dist/nova-2015.1.1.dev20.tar.gz-TAKE1 and
> dist/nova-2015.1.1.dev20.tar.gz differ
>
> Before dropping point releases, I would like to have:
> * idempotent sdist on the same SHA
> * dynamic tarball generation service like github archive
> * switch to micro-version i.e. current nova stable/kilo would be 2015.1.20
>
>
> Cheers,
> Alan
Generating tarballs from commit SHAs isn't enough?
I'm personally thinking of installing a file somewhere that references
what commit hash the package was sourced from. I'm thinking of doing
weekly releases.
Tarball generation would be nice.
You will get different checksums with tar and/or gzip; you can check the
extracted files and they should be the same.
I would like to see signed commits in the 'official' repos (at
git.openstack.org), if only because relying on sha alone doesn't seem
enough for some.
--
Matthew Thode
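
The point that tar and gzip checksums differ while the extracted files match, as an added example that is not part of the original message: it hashes the extracted tree instead of the archive bytes. The function names and the two-file sample tree are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile


def archive_sha256(tgz_bytes):
    """Checksum of the tarball file itself, which is what a plain diff compares."""
    return hashlib.sha256(tgz_bytes).hexdigest()


def content_digest(tgz_bytes):
    """SHA-256 over the extracted tree: path, type, mode bits, link target, data."""
    # mtime, uid/gid, member order and the gzip header are deliberately ignored.
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            data = tar.extractfile(m).read() if m.isfile() else b""
            entries.append((m.name, m.type.decode(), m.mode & 0o777,
                            m.linkname, hashlib.sha256(data).hexdigest()))
    tree = hashlib.sha256()
    for entry in sorted(entries):
        tree.update(repr(entry).encode() + b"\n")
    return tree.hexdigest()


def build_sdist(files, mtime, reverse=False):
    """Constructed stand-in for one sdist run; not a real OpenStack tarball."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(files, reverse=reverse):
                info = tarfile.TarInfo(name)
                info.size, info.mtime, info.mode = len(files[name]), mtime, 0o644
                tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


# Constructed sample tree: same files, built twice with different timestamps/order.
FILES = {"pkg-0.0/setup.py": b"import setuptools\n", "pkg-0.0/PKG-INFO": b"Name: pkg\n"}
take1 = build_sdist(FILES, mtime=1433030400)
take2 = build_sdist(FILES, mtime=1433030460, reverse=True)
tampered = build_sdist({**FILES, "pkg-0.0/setup.py": b"import os\n"}, mtime=1433030400)

if __name__ == "__main__":
    print("archive bytes equal:", archive_sha256(take1) == archive_sha256(take2))
    print("content equal:      ", content_digest(take1) == content_digest(take2))
    print("tamper detected:    ", content_digest(tampered) != content_digest(take1))
```

A digest of this kind only shows that two tarballs carry the same tree; tying that tree to a trusted source still needs a signature over the digest or over the commit it was built from.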