Opened at 2011-07-28T04:07:58Z
Last modified at 2021-03-30T18:41:12Z
#1452 new defect
clarify policy about what versions of dependencies Tahoe-LAFS requires — at Version 5
Reported by: | zooko | Owned by: | somebody |
---|---|---|---|
Priority: | major | Milestone: | soon |
Component: | packaging | Version: | 1.8.2 |
Keywords: | packaging setuptools exocet testing | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
There are conflicting ideas about how tight to make the requirements Tahoe-LAFS should place on dependencies (in src/allmydata/_auto_deps.py). One way to do it would to be require versions of dependencies which we know work with Tahoe-LAFS (i.e. they don't have any critical bugs that are triggered by the way Tahoe-LAFS uses them nor fatal incompatibilities with Tahoe-LAFS or other code that Tahoe-LAFS uses). This would be the tightest policy. The other extreme—the loosest policy—is to allow any version unless we know for sure that particular version has a critical bug or incompatibility.
I personally find it a bit dubious if we specify that Tahoe-LAFS requires a version of Package X greater than or equal to Version N, if we don't have any buildbots that have Version N installed. To me that sounds like we are claiming that Tahoe-LAFS will work with Version N of Package X, but making that claim without reproducible evidence that it is true. On the other hand we can just rely on the absence of any bug reports from the field which can be traced to a bug or incompatibility in some version of one of our dependencies.
One possible future improvement would be to automate the testing of Tahoe-LAFS combined with different versions of dependencies. The exocet tool looks like it might facilitate that sort of work: Exocet: A Second Look
In the meantime, let's write down a policy on our Wiki and close this ticket.
Another option would be to choose a set of operating systems/distributions that we think we should support and specify the versions of the dependencies which are provided in those. Currently we have the following operating systems/distributions in the Supported Builders category of our buildbot herd: Windows 7 x86_64, Debian 5 "Lenny" ("obsolete stable") x86_64, Ubuntu 10.04 "Lucid" x86_64, Ubuntu 10.10 "Maverick" x86_64, Debian 5 "Lenny" ("obsolete stable") x86, FreeBSD 8.2 x86_64, OpenBSD 4.8 x86_64, NetBSD 5 x86, CentOS 5 (RedHat 5.6) x86, Windows XP 5.1 SP 3 x86.
Change History (5)
comment:1 Changed at 2011-07-28T04:09:16Z by zooko
- Description modified (diff)
comment:2 Changed at 2011-07-28T04:16:56Z by zooko
comment:3 Changed at 2011-07-28T11:15:43Z by gdt
This ticket conflates two issues: how to get test/buildbot coverage over all possible set of legitimate dependencies, and what to express in policy. I think the policy issues are pretty standard and straightforward:
A dependency package's version has two separate constraints:
- minimum version M, below which reports of trouble are summarily closed as WONTFIX
- frequently tested version T, below which there might be trouble because of lack of testing
- (possibly) highest version H believed to work, because >H is too bleeding edge
The response to a problem with x, M <= x < T, would be to take a clean patch if it doesn't break anything, maybe to spend a few minutes thinking about it, and maybe to incrnease M to higher than X.
M should always be a version that's been released for a year, absent special circumstances, one of which is that it's comaintained with trac and not used by much of anything else.
Beyond that, sure it would be great if there were buildbots that install various versions of dependencies.
comment:4 Changed at 2012-03-29T16:11:32Z by zooko
- Priority changed from critical to major
comment:5 Changed at 2013-10-10T19:34:25Z by zooko
- Description modified (diff)
Okay, I believe that what we're going to do is this:
We don't change the dependency version requirements (in _auto_deps.py) unless something forces us to change them. That's because we're lazy, and not making changes is easier and less disruptive than making changes.
However, this means that what is written in _auto_deps.py is not an assertion on our part that these versions of the deps will function and be secure. Instead, it is just a record of the fact that nobody has shown us a problem with them that forced us to update them. In particular, we aren't making any particular effort to test with the older versions that we list as the minimum required versions.
So, to close this ticket, write this policy down somewhere, possibly just in a comment in _auto_deps.py, and then link to the patch that documents our policy and close this ticket.
I posted about this to tahoe-dev: http://tahoe-lafs.org/pipermail/tahoe-dev/2011-July/006594.html