Update revision-pinned dependencies to release #2315
Comments
Updated to mark |
Could you provide a rationale for only using release versions instead of commits? Often we need to make changes to upstream libraries which would then be blocked on waiting for a new release including that change to be made. |
@rolandshoemaker I don't think we need to stop the practice of pinning to a commit when we're waiting on upstream libraries to include changes we need, I just think that should be a documented event and we should aim to be using releases for everything else. I think it makes it easier to stay on top of security updates in upstream libraries this way. Does that make sense? |
Yup, works for me. |
This commit updates the cactus `go-statsd-client` to the 2.0.2 release tag. Note: the most recent release is 3.1.0 but the introduction of substatter support in 3.0.0 changes the `Statter` interface we rely on in the boulder metrics package. We should consider follow-up work to refactor our metrics code to be compatible with the 3.x releases. Relates to #2315.
Our |
We're pinned to |
I can ping upstream for github.com/jmhodges/clock. |
Upstream Clock now has a v1.1. |
Added a comment for |
RE: the merged Prometheus client update, from @jsha:
|
Added PKCS11Key to the list with #2369 |
I ran Boulder through `glide-report -no-color` to try and identify dependencies we are pinning to a revision instead of a release, or have fallen behind from the latest release.

The following imports were all "Using development revision between Semantic Version releases":

- `go-statsd-client` to 2.0.2. #2343
- github.com/cloudflare/cfssl - there is a WIP branch for this, Update cfssl, CT, and OCSP dependencies #2170
- `go-sql-driver` dep to tip of master. #2344
- `clock` to v1.1. #2353
- github.com/letsencrypt/go-safe-browsing-api - rather than update this fork we should solve this one by implementing Switch to Google's Safe Browsing implementation #1863
- `google.golang.org/grpc` to v1.0.3. #2359
- github.com/matttproud/golang_protobuf_extensions (Note: Transitive import) - the only release for this library is v1.0.0. Since only two minor commits have been added since then it doesn't seem worth asking for a v1.0.1 release.

For each of the above, we should either update the dependency (following the `CONTRIBUTING.md` process!) to a semantic version release, or document why we are pinned to a specific development revision.
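An added example (not part of the issue or of Boulder's code) of the audit described above: it classifies each `version:` entry of a glide.yaml-style file as a release tag, a bare commit revision, or unpinned. The sample file, the example.com package names and the commit hash are constructed, and the line-based parsing assumes the flat `- package:` / `version:` layout.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in glide.yaml layout; example.com names and the hash are placeholders.
const sampleGlideYAML = `package: example.com/hypothetical/app
import:
- package: github.com/jmhodges/clock
  version: v1.1
- package: example.com/hypothetical/fork
  version: 0123456789abcdef0123456789abcdef01234567
- package: example.com/hypothetical/unpinned
`
var releaseRe = regexp.MustCompile(`^v?\d+(\.\d+){1,2}([-+][0-9A-Za-z.-]+)?$`)
var commitRe = regexp.MustCompile(`^[0-9a-f]{7,40}$`)

// Classify labels a version string as release, revision or other (branch, range, empty).
func Classify(version string) string {
	v := strings.Trim(strings.TrimSpace(version), `"'`)
	switch {
	case releaseRe.MatchString(v):
		return "release"
	case commitRe.MatchString(v):
		return "revision"
	}
	return "other"
}

// Audit maps each imported package to its classification; no version line means unpinned.
func Audit(yaml string) map[string]string {
	out, pkg := map[string]string{}, ""
	for _, line := range strings.Split(yaml, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "- package:") {
			pkg = strings.TrimSpace(strings.TrimPrefix(t, "- package:"))
			out[pkg] = "unpinned"
		} else if strings.HasPrefix(t, "version:") && pkg != "" {
			out[pkg] = Classify(strings.TrimPrefix(t, "version:"))
		}
	}
	return out
}

func main() {
	fmt.Println(Audit(sampleGlideYAML))
}
```

Anything not reported as `release` is a candidate for either an update to a tagged version or a documented reason for the pin.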