Decide on deprecation strategy #1127
Comments
lukpueh
added
the
discussion
joshuagl
added
the
documentation
lukpueh
added
the
decision record
|
There's also a difference between accepting bug and security fixes, and making releases that include them, and actually fixing bugs and addressing security issues. I don't think we have the resources to maintain two versions of the codebase, so I'd like us to end up on a path that means that once the refactor is complete we delete the old code and forget about it ASAP. I'm absolutely in favour of defining and adhering to a stricter release schedule and having a deprecation strategy so that we aren't removing API without warning. |
|
I agree that we want to focus our efforts on the new code. I'd propose that we continue to review bugs and security fixes for some period of time (maybe a year), and possibly contribute security patches during this time. Then, if anyone still really needs that code, they could fork and maintain themselves so that we can focus on the new version.
Even if we don't have a strict schedule, we should have some way to communicate to users when the API will change (maybe something like tap 14, but for the API) |
|
I think we need both a deprecation strategy for the current release series (particularly as we expect the refactor to do away with support for older Python versions), and a deprecation/API stability strategy for releases after the refactor. For the current release series, I think what would make most sense is to focus any maintenance efforts on the client. That is the piece of the current series which is most difficult to upgrade (repository owners can switch to Python3 easily but might not be able to influence repository users to make the same upgrade). One strategy for the client might be to create a branch of the repository which removes all of the non-client code and commit to maintain that for at least one year. I'd propose the maintenance strategy clearly define expectations:
I think it might also make sense to have that branch produce a separate PyPI package for the Python2 supporting client which is clearly marked (on PyPI) as not actively adding new features and only supporting Python 2.7. |
pip's deprecation of Python 2.7 phrases this quite nicely
|
|
Agreed. We have finite resources, and this is a reasonable policy. |
Per the discussion in theupdateframework#1127 opt to support the old release on a best-effort basis. Signed-off-by: Joshua Lock <[email protected]>
Per the discussion in theupdateframework#1127 opt to support the old release on a best-effort basis. Signed-off-by: Joshua Lock <[email protected]>
Does anyone have any opinions on API stability/deprecation policy? Python has a policy of annual releases (PEP 602) with a promise of "at least two releases before a deprecated feature is removed from Python or a I don't think that's an exact model for us to follow, two years sounds like a long time for a small team to maintain deprecated API. However, waiting at least a couple of releases with the API being marked as obsolete/deprecated before it's actually removed seems reasonable. Related to a proposed deprecation policy, we might also want to think about release schedule:
I think we have three questions to answer and document:
|
This sounds like possibly a bad idea. You already mentioned the confusion on minor number, but also: Software version should reflect changes in the software. Major changes to the software may be required without any changes to the spec. Also, as a thought exercise I can imagine a spec revision that is in some way incompatible with previous version, but that the following python-tuf releases supported both versions of the spec in some manner (like possibly the client could work as spec v1 client and spec v2 client).
Does this need to be documented? Your proposal of "Planned maximum release cadence of 3 months" sounds good but as you said this follows from dependency changes so could change over time...
This is very tied to the question what is our API? Currently this is not really defined and then it's quite hard to make promises about supporting the API... This also ties into publishing the documentation: I like some level of documentation for all functionality but once it's on readthedocs or something, the internal functionality should be clearly marked as such if it's published at all. Sorry, no great answers to the actual question... |
👍
Perhaps not. The reason I suggested it is because I thought that promising to not remove deprecated API for two releases probably isn't very meaningful unless those release map to some notion of time. If we make two releases in two weeks, then remove the deprecated API that won't be very useful. Maybe this just indicates that any deprecation policy should include a notion of time?
Which suggests we might want to consider this before 1.0, where the deprecation policy would apply, but after we've done some more of the development work and have a better idea of what we're committing to. |
|
Part 1 of this issue (deprecation of "legacy" implementation) has been formalized in ADR 2 and finalized with the release of 1.0.0. Do we want to have a written statement for future deprecation? (see 2nd paragraph in issue description above) |
|
I think we should have a deprecation strategy where warnings are added (at least to release notes) before the change... But it's not something I would document very strictly: API removal/change situations are so different and hard to estimate. In other words I'm not sure if we can be more specific than "we aim to not break existing code without warning at least a release before". That feels like what any reasonable 1.0 library would do so maybe it doesn't need to be stated? |
|
Agreed. I think the commitment to semver along with an initial stable release already goes a long way. |
|
Maybe @joshuagl also wants to weigh in? Otherwise I suggest to close this issue. |
|
Let's file a new, more specific, issue if we decide we want to change anything. |
The current plan is to develop the new TUF alongside the old TUF (see #1126).
How long after the refactor is complete will we continue to support the old code base? What does support look like? Bug fixes? Security fixes? We need a roadmap there. The main reason to keep the old code base around is to have a client that supports Python 2.7 (see #1125). Not sure if this is a good reason for very much longer.
Independently of the refactor, we might generally want to think of a deprecation strategy for the future. E.g. do we want to display deprecation warnings for n releases before we drop interface functions? This probably only makes sense if we follow a stricter release schedule than we do now.
The text was updated successfully, but these errors were encountered: