Skip to content

ADR0002: document deprecation strategy for current release series post 1.0 #1203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 24, 2020
Merged

ADR0002: document deprecation strategy for current release series post 1.0 #1203

merged 1 commit into from
Nov 24, 2020

Conversation

joshuagl
Copy link
Member

@joshuagl joshuagl commented Nov 9, 2020
edited
Loading

Description of the changes being introduced by the pull request:

Per the discussion in #1127 opt to support the old release on a best-effort
basis.

Please verify and check that the pull request fulfills the following
requirements:

  • The code follows the Code Style Guidelines
  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

trishankatdatadog
trishankatdatadog reviewed Nov 9, 2020
View reviewed changes
Copy link
Member

@trishankatdatadog trishankatdatadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for documenting this, Joshua!

Do we have a policy for backporting security fixes?

@joshuagl
Copy link
Member Author

Do you think security fixes should be handled differently to what is proposed here? If so, what additional steps do you think the maintainers should commit to?

I'm absolutely open to input here, I'm just not sure what to propose we commit to.

@trishankatdatadog
Copy link
Member

Do you think security fixes should be handled differently to what is proposed here? If so, what additional steps do you think the maintainers should commit to?

I'm absolutely open to input here, I'm just not sure what to propose we commit to.

I think we should at least commit in writing to prioritizing and guaranteeing security fixes for Python 2, but nothing else. WDYT?

@joshuagl
Copy link
Member Author

Do you think security fixes should be handled differently to what is proposed here? If so, what additional steps do you think the maintainers should commit to?
I'm absolutely open to input here, I'm just not sure what to propose we commit to.

I think we should at least commit in writing to prioritizing and guaranteeing security fixes for Python 2, but nothing else. WDYT?

Prioritising and guaranteeing review/merge/release of security fixes seems reasonable. Is that what you're suggesting? Or did you mean to also suggest implementation of security fixes?

@trishankatdatadog
Copy link
Member

Prioritising and guaranteeing review/merge/release of security fixes seems reasonable. Is that what you're suggesting? Or did you mean to also suggest implementation of security fixes?

Both

@mnm678
Copy link
Contributor

mnm678 commented Nov 13, 2020

I think that we can reasonable commit to review and merge security fixes, but actually implementing the fixes may require more resources. To mitigate this, we can adopt a reporting strategy so that any users of the Python 2 implementation will be notified before any security issues become public, and will have a change to submit a patch.

@trishankatdatadog
Copy link
Member

I think that we can reasonable commit to review and merge security fixes, but actually implementing the fixes may require more resources. To mitigate this, we can adopt a reporting strategy so that any users of the Python 2 implementation will be notified before any security issues become public, and will have a change to submit a patch.

If someone else privately reports a security issue to us, then we could ask them to submit a patch, too. But what if we find the issue ourselves?

@lukpueh
Copy link
Member

lukpueh commented Nov 20, 2020
edited
Loading

Why the change of heart, @trishankatdatadog?

@joshuagl already described the strategy proposed here in #1127 (comment), and you seemed to deem it reasonable. (#1127 (comment)).

I admit that in the original proposal the best-effort basis sounded a bit more optimistic ...

  • that we will review any functional bug and security fixes proposed to the branch (PRs)
  • that severe security issues and functional bugs will be addressed on a best effort basis
  • that we will release updates with any generated fixes in a timely fashion

... than it does now ...

Bugs reported with tuf versions prior to 1.0.0 will likely not be addressed directly by tuf’s maintainers.

But I think the essence is the same.

lukpueh
lukpueh reviewed Nov 20, 2020
View reviewed changes
Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for the great write-up, @joshuagl! In #1127 you talked about:

a deprecation strategy for the current release series [...] and
a deprecation/API stability strategy for releases after the refactor.

IIUC this document only addresses the former. Would you mind clarifying the distinction in the title (and maybe document name)?

@trishankatdatadog
Copy link
Member

Why the change of heart, @trishankatdatadog?

Sorry, what change of heart?

@lukpueh
Copy link
Member

lukpueh commented Nov 21, 2020

Sorry, what change of heart?

Oh, apologies, I missed an important pronoun in my comment above.

I was just curious why you now wanted to commit to more (#1203 (comment)) than what @joshuagl had already described in #1127 (comment), which you seemed to deem reasonable (#1127 (comment)).

@trishankatdatadog
Copy link
Member

I was just curious why you now wanted to commit to more (#1203 (comment)) than what @joshuagl had already described in #1127 (comment), which you seemed to deem reasonable (#1127 (comment)).

I see. Yes, I still agree. I just think it's important to clearly state we should make an exception for security fixes, just like Python 2... until I saw that, nope, they don't guarantee security fixes either. Huh, wow. If that's the case, it may not be a terrible precedent. May encourage people to seriously upgrade. Not a bad idea. I know we're a more security-based project, but that doesn't mean we have to support everything forever. Ok, let's stick to the original plan.

sechkova
sechkova reviewed Nov 23, 2020
View reviewed changes
docs/adr/0002-deprecation-strategy.md Outdated

We plan to refactor the reference implementation significantly and, as part of
that effort, drop support for no-longer maintained versions of Python
(see ADR 0002).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be a reference to ADR 0001

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Absolutely right, good catch!

@joshuagl joshuagl changed the title ADR0002: document deprecation strategy post 1.0 ADR0002: document deprecation strategy for current release series post 1.0 Nov 23, 2020
@joshuagl
Copy link
Member Author

Thank you all for continuing the discussion in my absence.

Many thanks for the great write-up, @joshuagl! In #1127 you talked about:

a deprecation strategy for the current release series [...] and
a deprecation/API stability strategy for releases after the refactor.

IIUC this document only addresses the former. Would you mind clarifying the distinction in the title (and maybe document name)?

Well spotted, thank you for the thorough review. I've pushed a fixup commit 8685898 which renames the document and changes the document title.

lukpueh
lukpueh requested changes Nov 24, 2020
View reviewed changes
Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update link, other than that LGTM! :)

docs/adr/index.md Outdated
@@ -6,6 +6,7 @@ This log lists the architectural decisions for tuf.

- [ADR-0000](0000-use-markdown-architectural-decision-records.md) - Use Markdown Architectural Decision Records
- [ADR-0001](0001-python-version-3-6-plus.md) - Default to Python 3.6 or newer for new development
- [ADR-0002](0002-deprecation-strategy.md) - Deprecation strategy
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [ADR-0002](0002-deprecation-strategy.md) - Deprecation strategy
- [ADR-0002](0002-pre-1-0-deprecation-strategy.md) - Deprecation strategy

@joshuagl
ADR0002: document deprecation strategy post 1.0
35177fb 
Per the discussion in theupdateframework#1127 opt to support the old release on a best-effort
basis.

Signed-off-by: Joshua Lock <[email protected]>
@lukpueh
Copy link
Member

lukpueh commented Nov 24, 2020

Thanks for the updates, @joshuagl. No need to wait for appveyor here. Merging...

@lukpueh lukpueh merged commit 3050252 into theupdateframework:develop Nov 24, 2020
@joshuagl joshuagl deleted the joshuagl/adr2 branch November 24, 2020 15:52
@joshuagl joshuagl mentioned this pull request Nov 25, 2020
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sechkova sechkova sechkova left review comments

@lukpueh lukpueh lukpueh approved these changes

@trishankatdatadog trishankatdatadog trishankatdatadog approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@joshuagl @trishankatdatadog @mnm678 @lukpueh @sechkova