Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Leaf: Clarify the prerelease-flag #75

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Conversation

oej
Copy link
Collaborator

@oej oej commented Nov 18, 2024

Close #44

Close CycloneDX#44

Signed-off-by: Olle E. Johansson <oej@edvina.net>
@oej oej requested a review from madpah November 18, 2024 12:51
@oej
Copy link
Collaborator Author

oej commented Nov 18, 2024

Ping @vpetersson

Comment on lines 28 to 29
The Prerelease flag is used to indicate that this is not a final release. For a given Leaf with a UUID, the flag
can be set to indicate a "test", "beta", "alfa" or similar non-deployed release. It can only be set when

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we stress the fact that this applies to non-deployed releases, regardless of the naming.

For example org.apache.logging.log4j:log4j-core:3.0.0-beta3 does not count as pre-release, since we are not allowed by Maven Central to modify it.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would definitely set something named "-beta3" as a prerelease. If you modify something, that's always a new release with a new leaf. Maybe we need to be clearer in the text.

The thing with the flag change was that in some cases a pre-release is upgraded to final release after testing, without ANY changes. That's just another release behaviour.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The concept of "pre-release" will mean different things to different parties:

  • Maven: As per example from @ppkarwasz - it was published; it cannot be modified; it is not intended for use in Production systems
  • COTS: E.g. Windows Server 3030 RC (fictitious) - it was published; it cannot be modified; it is not intended for use in Production systems

For me both these examples would be considered as pre-releases by their Manufacturers.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have had long discussions about this before, but can of course restart if needed.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only point really is that our definition is not clear in the docs we have. Not that it hasn't been discussed already 😉

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some thoughts on this:

  • We need to be dynamic here -- in some workflows per-releases will not be published, but in other workflows they will (e.g. promoted). Thus, as long as we allow for PATCHing the LEAF to toggle this boolean, we should be good and cover both workflows.
  • NIT: s/alfa/alpha/g and s/prerelease/pre-release/g

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does everyone agree with @vpetersson's conclusion? Does that work for you @ppkarwasz?

I think we still need to add wording to clarify in Docs.

Copy link
Collaborator Author

@oej oej Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like we have a conclusion. What text is needed to clarify more? I tried to be bit fuzzy in the text to not hardcode to a specific example. The flag is meant as a warning to not use this release. We can rename it to "not-recommended" or something along those lines to avoid the discussions about all variants of "beta", "pre-release", "test-release" etc. Just have a marker that the vendor do not recommend using this in production.

We will need a similar flag for when a release is considered dangerous because it contains a vulnerability that's fixed in another release.

tea-leaf/tea-leaf.md Outdated Show resolved Hide resolved
@@ -16,12 +16,23 @@ a timestamp for a release is required.

## The Leaf Object

- __UUID__ unique for this object
- __Uuid__ unique for this object
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've called this an identifier (which is of type UUID) in the OpenAPI Spec - we need to align in either direction.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can align in a later request

tea-leaf/tea-leaf.md Outdated Show resolved Hide resolved
tea-leaf/tea-leaf.md Outdated Show resolved Hide resolved
tea-leaf/tea-leaf.md Outdated Show resolved Hide resolved
tea-leaf/tea-leaf.md Outdated Show resolved Hide resolved
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Signed-off-by: Paul Horton <paul.horton@owasp.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Can you promote a pre-release leaf?
4 participants