When can we expect stability?

[codysoyland]

Description

I noticed that #36 includes breaking changes (including field renumbering 😬 ), and both the bundle mediaType (0.1) and the directory version (v1) remain the same.

Note that sigstore-js is using these protobuf files, as is our internal Go code at GitHub, and we have already begun building systems that are storing detached bundles. These changes are painful, as we not only need to build client support for these changes, but also migrate data to accommodate them.

I understand this format is in some state of flux, but I would like to see us establish some rigor for dealing with changes to the message schema, such as leaving messages in a deprecated state, preserving field numbers, and incrementing versions. If now is not the time, can we set some expectations now, as the README does not clarify that we aren't.

Perhaps new changes could enter an alpha directory, which will eventually be renamed v2? I'm not sure the best way to go forward, but I'd really like to avoid another breaking change.

Version

[woodruffw]

I'm sorry about any breakage I caused 😬

I made those changes under the operating assumption that nobody was actually deploying these formats yet, given that there haven't actually been any tagged releases (other that a "smoke test" alpha release on PyPI).

As a contributor: I'm okay with either bumping to v2 for these changes or explicitly signalling in the README that things are in flux. I'll leave it up to the maintainers here to decide what they'd prefer...

[haydentherapper]

I would prefer we don't switch to a v2 yet.
Do we want to have a review next week to try to stabilize the current specs? Let's triage any open issues, decide what's critical, implement or fix, and then cut v1 as a stable release?

[codysoyland]

I'm sorry about any breakage I caused 😬

No worries -- your patch was a great contribution, and that was totally a reasonable assumption to make.

I'm happy to help triage and help with any stability efforts, as I think several of us are eager to start operationalizing these formats.

[kommendorkapten]

@woodruffw don't feel bad, I was very aware of this being a breaking change, and I work with @codysoyland on this at GitHub :)

I'm with @haydentherapper on not making this a "stable release" yet. Meeting early next week works for me too, if we can find a time that suits us all 😄

[kommendorkapten]

And for context, even though there is a v1 package and 0.1 version, my understanding is that this is development version and yet to be released, as there is no tag. Sure, we could have made this more obvious by calling the package dev or something. So I would not consider the content in this repo stable until a tag is added, and then we can update main to have a new package name to indicate that this is work in progress.

[codysoyland]

Okay, I misunderstood, and I see that #6 is kind of a duplicate, so I'll close this. Thanks!