[keycloak-dev] Node.js adapter releases

Stian Thorgersen sthorger at redhat.com
Tue Apr 12 09:37:21 EDT 2016 

On 12 April 2016 at 15:24, Luke Holmquist <lholmqui at redhat.com> wrote:

>
>
> On Tue, Apr 12, 2016 at 12:29 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Having the same version makes it much easier for people to grab a version
>> they know works with a specific Keycloak version. It also makes it simpler
>> when we release.
>>
>> Keycloak has a 6 week release cadence
>>
> While this probably works most of the time,  i'm wondering what happens,
> for example, if in the node.js adapter there is a security vulnerability in
> one of the dependent packages that is discovered a couple days after a
> release,  would you then need to create a new release of all of Keycloak?
>  that is fine, i'm just wondering if thats what would happen since that
> could be a real possibility.  so for an issue like this:
> https://issues.jboss.org/browse/KEYCLOAK-2798. a full keycloak release
> would need to happen then?
>

It depends on the severity of the vulnerability. If it's critical a minor
release will be done (of everything) asap. Bugs and improvements will not
be pushed out more frequently than 6 weeks.


>
> *everything i said above only applies if that node adapter is a full class
> citizen,  obviously "community" things are different *
>

The aim is to make the nodejs adapter a full class citizen soon :)


>
>
>
>> and adapters shouldn't be released more frequently. Rather they should be
>> released at the same time as the server and by the same release job in
>> Jenkins.
>>
>> To become a first class citizen an adapter has to:
>>
>> * Release at same time as Keycloak server (every ~6 weeks). We test and
>> release everything as a bundle and don't have the resources to maintain
>> separate release cycles. I also want all adapters to be consistent here.
>> * Documentation - we're going to have a adapters documentation, it will
>> have a separate chapter for each adapter. Each adapter chapter will have a
>> getting started and a reference/developer guide. There's also need for the
>> relevant api docs in whatever format is most popular for a specific language
>> * Examples - not sure where these will live. Maybe all examples for all
>> adapters are in one repo
>>
>> Any changes to the above has to be raised. If you really want to discuss
>> that then send a generic message to keycloak-dev list, basically don't
>> include NodeJS in the title ;).
>>
>> On 11 April 2016 at 20:27, Lance Ball <lball at redhat.com> wrote:
>>
>>> I agree that keeping version numbers consistent might be questionable.
>>> There is the big bump as Bruno notes, but also the npm modules need to be
>>> able to publish in the absence of a keycloak release in the event that
>>> there are bugs which need to be addressed in an adapter but not in keycloak
>>> itself - e.g. https://issues.jboss.org/browse/KEYCLOAK-2798.
>>>
>>> Lance
>>>
>>> On Mon, Apr 11, 2016 at 2:21 PM, Bruno Oliveira <bruno at abstractj.org>
>>> wrote:
>>>
>>>> +1 for consistency and release dates. But I'd keep the release version
>>>> independent, move from 0.0.16 to 1.9.2 for example, is a huge bump.
>>>>
>>>> On Mon, Apr 11, 2016 at 1:43 PM Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> We discussed this at the f2f and I believe we should keep it
>>>>> consistent across all adapters.
>>>>>
>>>>> The decision was to have all adapters released when the server is
>>>>> released and they will have the same version numbers. We will also make
>>>>> sure release notes mark which adapters have changed and also which are
>>>>> required to update (either due to compatibility changes or security related
>>>>> fixes).
>>>>>
>>>>> So I'd like the ability to release nodejs adapters at the same time I
>>>>> do the release of the server.
>>>>>
>>>>> We can certainly discuss changes to the above, but it should be
>>>>> consistent for all our adapters.
>>>>> On 11 Apr 2016 17:09, "Bruno Oliveira" <bruno at abstractj.org> wrote:
>>>>>
>>>>> Good morning,
>>>>>
>>>>> Today I was chatting with Lance about the release cadence for Node.js
>>>>> adapters.
>>>>>
>>>>> My initial idea was to release the adapters at exactly the same
>>>>> release dates as the official Keycloak release in order to guarantee
>>>>> compatibility. For critical/urgent patches, we just release those modules
>>>>> based on our judgment.
>>>>>
>>>>> Lance would like more flexibility between those releases. For example,
>>>>> release npm modules before the official release for situations where a user
>>>>> wants some new capability that is perhaps unrelated to changes in KC
>>>>> itself e.g. a move to promises.
>>>>>
>>>>> I don't have any problems on keeping Node.js adapters' release
>>>>> independent from official KC release, but would like to hear more opinions
>>>>> about it.
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>> -
>>>>> abstractj
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160412/a75f9c3a/attachment-0001.html

More information about the keycloak-dev mailing list