6:53 a.m.
Adding list back
On 13 April 2016 at 21:27, Lance Ball <lball(a)redhat.com> wrote:
Some comments inline...
On Wed, Apr 13, 2016 at 12:36 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>
> On 12 April 2016 at 19:25, Lance Ball <lball(a)redhat.com> wrote:
>
>>
>> 1) There is a security flaw in some 3rd party dependency of the adapter,
>> discovered the day of a Keycloak core release. This renders the
"latest"
>> version of an adapter useless until a new Keycloak server is released. I
>> understand that the release cadence is anticipated to be approximately
>> every 6 weeks (which is laudable), but still that's > 1 month that users
>> have to wait for a security fix.
>>
>
> Non-issue as we will push out a release for a critical security fix as
> soon as possible. Having a single release makes it actually easier to do.
>
I'll take your word for it, but I honestly don't see how pushing a new
release of _everything_ can possibly be easier than, for example `npm
publish` for a single artifact.
Releasing everything is going to be a "single" button click. Having the
ability to release micro releases of adapters may be something to consider
in the future if it does indeed become a problem.
>
>
>> 2) There is no change in the adapter between releases of Keycloak
>> server. In this case, it's not necessarily a problem to release a new
>> adapter version, but it seems noisy and pointless if the bits are exactly
>> the same.
>>
>
> The plan is to have release notes that cover which adapters have changed
> and which are required to upgrade (either because backwards compatibility
> is broken with the server or due to a security fix)
>
But how is "Keycloak 2.7.0 works with foo-adapter 1.9.1 and greater" any
better than "foo-adapter 1.9.1 works with Keycloak 1.9.1 and greater"? The
first scenario is what will happen if adapters march in lockstep with
Keycloak server, and the second is what will happen if they are released
only when necessary. In either case, it is possible to be running different
version numbers for foo-adapter and Keycloak server and still be functional.
Being able to grab same version of everything is nice. Being able to not
have to upgrade everything is nice.
Having to figure out what version belongs to what as a first time adapter
or when adding a new adapter is not so nice.
Having to figure out what the version is going to be for each individual
bit when we are doing a collective release is not so nice. Having different
release cycles, etc, etc.. is not so nice. We are a small team with a large
amount of work so we can afford to do this as it's additional time spent
doing releases, which we will be doing every 6 weeks!! so we want to reduce
the pain of doing a release as much as possible.
>
>
>> When we look at version numbers, they are typically MAJOR.MINOR.PATCH
>> with possibly a pre-release suffix like -Alpha1. I would like to discuss
>> the possibility for adapters to issue patch level releases independent of a
>> server release. This would allow for MAJOR.MINOR versions to remain
>> consistent so to communicate compatibility with a given Keycloak server
>> version. But would provide flexibility for adapters to deal with both
>> issues noted above.
>>
>
>> And just for the sake of argument, let's look at a hypothetical
>> situation where Keycloak is baptized a Product, and the release cadence
>> slows down significantly to every 12-18 months. What if a major security
>> flaw is discovered in an adapter? Should this trigger a new release of
>> Keycloak server itself? Would it not be better to allow the adapter to
>> issue a patch level release instead?
>>
>
> It won't and Keycloak is already becoming a product. Release cadence is 6
> weeks in community.
>
To be clear, by "hypothetical situation", I didn't mean that Keycloak
becoming a product was hypothetical. :) I'm saying that product releases
are much slower, typically, than community releases. Will adapters be
prevented from publishing an independent security fix in this scenario,
where the product release cadence has slowed down? If not, we're going to
hit version mismatches then anyway.
Product is different as here you actually have patches that are sent out to
customers. It would not be released as a release until the next micro of
the product as a whole. At least that's my understanding.
Lance
3:15 p.m.
New subject: Adapter Versioning
Stian
Thanks for being so patient with my pushback. :)
On Thu, Apr 14, 2016 at 12:53 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Adding list back
On 13 April 2016 at 21:27, Lance Ball <lball(a)redhat.com> wrote:
>
>
> I'll take your word for it, but I honestly don't see how pushing a new
> release of _everything_ can possibly be easier than, for example `npm
> publish` for a single artifact.
>
Releasing everything is going to be a "single" button click. Having the
ability to release micro releases of adapters may be something to consider
in the future if it does indeed become a problem.
Obviously, I agree that micro releases would be good - but I understand
your position. All of this is hypothetical at this point anyway, since the
node adapter bits I care most about are not yet full citizens and we have a
little time to get all of our ducks in a row.
2) There is no change in the adapter between releases of Keycloak server.
>>> In this case, it's not necessarily a problem to
release a new adapter
>>> version, but it seems noisy and pointless if the bits are exactly the same.
>>>
>>
>> The plan is to have release notes that cover which adapters have changed
>> and which are required to upgrade (either because backwards compatibility
>> is broken with the server or due to a security fix)
>>
>
> But how is "Keycloak 2.7.0 works with foo-adapter 1.9.1 and greater" any
> better than "foo-adapter 1.9.1 works with Keycloak 1.9.1 and greater"? The
> first scenario is what will happen if adapters march in lockstep with
> Keycloak server, and the second is what will happen if they are released
> only when necessary. In either case, it is possible to be running different
> version numbers for foo-adapter and Keycloak server and still be functional.
>
Being able to grab same version of everything is nice. Being able to not
have to upgrade everything is nice.
Having to figure out what version belongs to what as a first time adapter
or when adding a new adapter is not so nice.
Having to figure out what the version is going to be for each individual
bit when we are doing a collective release is not so nice. Having different
release cycles, etc, etc.. is not so nice. We are a small team with a large
amount of work so we can afford to do this as it's additional time spent
doing releases, which we will be doing every 6 weeks!! so we want to reduce
the pain of doing a release as much as possible.
Absolutely - I understand. We went through a lot of this soul searching
with WildFly Swarm recently, and ended up allowing for separate versioning
between "core" and "non-core" pieces of the project. There's not a
lot of
data to go on yet, so we'll see how that turns out. But in this case,
wouldn't the most recent Keycloak server always just use the latest version
of a given adapter for any new release?
Lance
4 p.m.
New subject: Adapter Versioning
On 14 April 2016 at 15:15, Lance Ball <lball(a)redhat.com> wrote:
Stian
Thanks for being so patient with my pushback. :)
On Thu, Apr 14, 2016 at 12:53 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Adding list back
>
> On 13 April 2016 at 21:27, Lance Ball <lball(a)redhat.com> wrote:
>>
>>
>> I'll take your word for it, but I honestly don't see how pushing a new
>> release of _everything_ can possibly be easier than, for example `npm
>> publish` for a single artifact.
>>
>
> Releasing everything is going to be a "single" button click. Having the
> ability to release micro releases of adapters may be something to consider
> in the future if it does indeed become a problem.
>
Obviously, I agree that micro releases would be good - but I understand
your position. All of this is hypothetical at this point anyway, since the
node adapter bits I care most about are not yet full citizens and we have a
little time to get all of our ducks in a row.
Now that we have someone on the team with NodeJS experience and you guys we
hope to make it a full citizen in 2.x, so only a few months from now :)
2) There is no change in the adapter between releases of Keycloak server.
>>>> In this case, it's not necessarily a problem to release a new
adapter
>>>> version, but it seems noisy and pointless if the bits are exactly the
same.
>>>>
>>>
>>> The plan is to have release notes that cover which adapters have
>>> changed and which are required to upgrade (either because backwards
>>> compatibility is broken with the server or due to a security fix)
>>>
>>
>> But how is "Keycloak 2.7.0 works with foo-adapter 1.9.1 and greater"
any
>> better than "foo-adapter 1.9.1 works with Keycloak 1.9.1 and greater"?
The
>> first scenario is what will happen if adapters march in lockstep with
>> Keycloak server, and the second is what will happen if they are released
>> only when necessary. In either case, it is possible to be running different
>> version numbers for foo-adapter and Keycloak server and still be functional.
>>
>
> Being able to grab same version of everything is nice. Being able to not
> have to upgrade everything is nice.
>
> Having to figure out what version belongs to what as a first time adapter
> or when adding a new adapter is not so nice.
>
> Having to figure out what the version is going to be for each individual
> bit when we are doing a collective release is not so nice. Having different
> release cycles, etc, etc.. is not so nice. We are a small team with a large
> amount of work so we can afford to do this as it's additional time spent
> doing releases, which we will be doing every 6 weeks!! so we want to reduce
> the pain of doing a release as much as possible.
>
Absolutely - I understand. We went through a lot of this soul searching
with WildFly Swarm recently, and ended up allowing for separate versioning
between "core" and "non-core" pieces of the project. There's not
a lot of
data to go on yet, so we'll see how that turns out. But in this case,
wouldn't the most recent Keycloak server always just use the latest version
of a given adapter for any new release?
Not sure what you suggesting, but someone (me) has to click the button to
release everything. That someone needs to know what version everything
should be released as. If everything is released as one version and I can
feed that version into my Jenkins job that releases everything it's much
simpler.
Lance
2933
days inactive
2933
days old
2 comments
2 participants
participants (2)
-
Lance Ball -
Stian Thorgersen