Cosign versioning policy: make one and enforce it #2518

znewman01 · 2022-12-06T23:52:21Z

See Proposal: Cosign Versioning and #2365

Addresses (does not fix) sigstore#2518. This follows [Proposal: Cosign Versioning][versioning-proposal], which in turn follows sigstore#2365. After getting approval on this PR, I will update sigstore#2518 to include a checklist containing the following (possibly linking to separate bugs): - [ ] (docs) Communicate the new version policy to Cosign users. - [ ] (process/CI) Separate CLI and API releases (with different tagging schemes). - [ ] (process/CI) Use gorelease or similar to catch breaking API changes. - [ ] (code) Add library support for deprecations (see also sigstore#2510) - [ ] (testing) E2E testing for old Cosign versions (Also client libraries, once they're stable). [versioning-proposal]: https://docs.google.com/document/d/1urWUPhtzXKWqL9CoaEw4Z35v5IDl9yrTRQ40XlYekOo/edit# Signed-off-by: Zachary Newman <[email protected]>

* Add versioning policy. Addresses (does not fix) #2518. This follows [Proposal: Cosign Versioning][versioning-proposal], which in turn follows #2365. After getting approval on this PR, I will update #2518 to include a checklist containing the following (possibly linking to separate bugs): - [ ] (docs) Communicate the new version policy to Cosign users. - [ ] (process/CI) Separate CLI and API releases (with different tagging schemes). - [ ] (process/CI) Use gorelease or similar to catch breaking API changes. - [ ] (code) Add library support for deprecations (see also #2510) - [ ] (testing) E2E testing for old Cosign versions (Also client libraries, once they're stable). [versioning-proposal]: https://docs.google.com/document/d/1urWUPhtzXKWqL9CoaEw4Z35v5IDl9yrTRQ40XlYekOo/edit# Signed-off-by: Zachary Newman <[email protected]> * Reword private-by-default for Sigstore API Signed-off-by: Zachary Newman <[email protected]> * Minor rewordings Signed-off-by: Zachary Newman <[email protected]> * Another minor rewording Signed-off-by: Zachary Newman <[email protected]> Signed-off-by: Zachary Newman <[email protected]>

znewman01 · 2023-01-17T13:30:35Z

In order to enforce a versioning policy, we need to do the following:

(docs) Communicate the new version policy to Cosign users.
(process/CI) Separate CLI and API releases (with different tagging schemes).
(process/CI) Use gorelease or similar to catch breaking API changes.
(code) Add library support for deprecations (see also Inappropriate printing to STDOUT #2510)
(testing) E2E testing for old Cosign versions (Also client libraries, once they're stable).

ivanayov · 2023-03-06T14:45:27Z

Can I work on library support for deprecations?

znewman01 · 2023-03-12T17:32:50Z

That would be great @ivanayov !

I'd recommend approaching it as follows:

add a Deprecated function somewhere in internal that takes parameters for deprecated date, GH issue, feature description, and recommended alternative that outputs a message (via ui.Warn) like

is deprecated and will be removed in a Cosign release shortly after . Instead, please .

See for details.

This should be pretty easy and can be done ASAP.
add a new linter to golangci-lint (reference) that checks that all calls to Deprecate have a proper date and GitHub issue and a GitHub actions workflow that pings the GitHub issue when the date is coming back

* Add versioning policy. Addresses (does not fix) sigstore#2518. This follows [Proposal: Cosign Versioning][versioning-proposal], which in turn follows sigstore#2365. After getting approval on this PR, I will update sigstore#2518 to include a checklist containing the following (possibly linking to separate bugs): - [ ] (docs) Communicate the new version policy to Cosign users. - [ ] (process/CI) Separate CLI and API releases (with different tagging schemes). - [ ] (process/CI) Use gorelease or similar to catch breaking API changes. - [ ] (code) Add library support for deprecations (see also sigstore#2510) - [ ] (testing) E2E testing for old Cosign versions (Also client libraries, once they're stable). [versioning-proposal]: https://docs.google.com/document/d/1urWUPhtzXKWqL9CoaEw4Z35v5IDl9yrTRQ40XlYekOo/edit# Signed-off-by: Zachary Newman <[email protected]> * Reword private-by-default for Sigstore API Signed-off-by: Zachary Newman <[email protected]> * Minor rewordings Signed-off-by: Zachary Newman <[email protected]> * Another minor rewording Signed-off-by: Zachary Newman <[email protected]> Signed-off-by: Zachary Newman <[email protected]>

znewman01 added the bug Something isn't working label Dec 6, 2022

znewman01 self-assigned this Dec 6, 2022

znewman01 mentioned this issue Dec 7, 2022

Add versioning policy. #2519

Merged

5 tasks

znewman01 assigned ivanayov Mar 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cosign versioning policy: make one and enforce it #2518

Cosign versioning policy: make one and enforce it #2518

znewman01 commented Dec 6, 2022

znewman01 commented Jan 17, 2023

ivanayov commented Mar 6, 2023

znewman01 commented Mar 12, 2023

Cosign versioning policy: make one and enforce it #2518

Cosign versioning policy: make one and enforce it #2518

Comments

znewman01 commented Dec 6, 2022

znewman01 commented Jan 17, 2023

ivanayov commented Mar 6, 2023

znewman01 commented Mar 12, 2023