Geode dependency update process
To be Reviewed By: August 28th, 2019
Authors: Nick Vallely
Status:Draft | Discussion | Active | Dropped | Superseded | Onhold
Superseded by: N/A
Related: N/A
Problem
We recently updated the dependencies for the log4j version used in Geode to keep up with Spring Boot Data Geode's logging dependencies. As far as I know, we do not have a process to keep dependencies up to date or regularly scheduled updates to them. Currently, I believe this is handled ad-hoc which hasn't necessarily caused any major issues but could.
Anti-Goals
Solution
Directly after GA release of Geode minor version:
The release manager for the most recently released version of Geode would review any dependencies in the Geode project (presumably this will/could be automated).
- For a minor release, only minor version dependency updates should be considered
- For a major release, major versions should be considered
The release manager would submit a PR to update dependencies and then the community should pitch in to tackle any subsequent issues that arise from the updating of dependencies. *Note the first time this happens maybe painful*
In-between releases:
We keep doing what we are doing:
- Ad-hoc dependency updates as necessary
When a new release manager is chosen:
The release manager would send out an email as the last call for dependency updates that would coincide with a proposed release branch cut date. This would give everyone a reminder that if they need to update a dependency prior to the release there is limited time left in order to do so.
Changes and Additions to Public Interfaces
n/a
Performance Impact
Potentially a new version of a dependency could cause a performance impact and we should run a performance test suite on the recently released version vs the updated dependency version
Backwards Compatibility and Upgrade Path
In a minor release, minor version dependency updates shouldn't cause compatibility issues.
Prior Art
What would be the alternatives to the proposed solution? What would happen if we don’t solve the problem? Why should this proposal be preferred?
If we continue to do this ad-hoc, there is a greater likelihood of CVE's or mismatching versions of conflicts between Geode and dependent projects.
FAQ
Answers to questions you’ve commonly been asked after requesting comments for this proposal.
Errata
What are minor adjustments that had to be made to the proposal since it was approved?