On Wed, Jun 6, 2018 at 8:14 PM Kenneth Knowles <klk@xxxxxxxxxx
I like the spirit of these policies. I think they need a little wording work. Comments inline.
Who is responsible for generating these? The mechanism or responsibility should be made clear.
I clicked through a doc -> thread -> doc to find even some details. It looks like manual run of a gradle command was adopted. So the responsibility needs an owner, even if it is "unspecified volunteer on dev@ and feel free to complain or do it yourself if you don't see it"
This is described in following doc (referenced by my doc).
Proposal is to run an automated Jenkins job that is run weekly, so no need for someone to manually generate these reports.
I think the big "should" works better with some guidance about when something might be an exception, or at least explicit mention that there can be rare exceptions. Unless you think that is never the case. If there are no exceptions, then say "must" and if we hit a roadblock we can revisit the policy.
The idea was to allow exceptions. Added more details to the doc.
How is "significantly outdated" defined? By dev@ discussion? Seems like the right way. Anyhow that's what will happen in practice as people debate the blocker bug.
This will be either through the automated Jenkins job (see the doc above, where the proposal is to flag new major versions and new minor versions that are more than six months old) or manually (for any critical updates that will not be captured by the Jenkins job) (more details in the doc). Manually identified critical dependency updates may involve a discussion in the dev list.
With Maven, this involved a lot of boilerplate so I never did it. With Gradle, we can easily build a re-usable rule to create such a package in a couple of lines. I just opened the first WIP PR here: https://github.com/apache/beam/pull/5570
it is blocked by deleting the poms anyhow so by then we should have a configuration that works to vendor our currently shaded artifacts.
So I think this should be rephrased to "should be vendored" so we don't have to revise the policy.
Thanks for the pointer. I agree that vendoring is a good approach.
Here are the updated policies (and more details added to doc). I agree with Ahmet's point that votes should be converted to web sites where we can give more details and examples.
(1.a) Human readable reports on status of Beam dependencies are generated weekly by an automated Jenkins job and shared with the Beam community through the dev list.
(2.a) Beam components should define dependencies and their versions at the top level. There can be rare exceptions, but they should come with explanations.
(3.a) A significantly outdated dependency (identified manually or through the automated Jenkins job) should result in a JIRA that is a blocker for the next release. Release manager may choose to push the blocker to the subsequent release or downgrade from a blocker.
(4.a) Dependency declarations may identify owners that are responsible for upgrading the respective dependencies.
(5.a) Dependencies of Java SDK components that may cause issues to other components if leaked should be vendored.