Posted to dev@ignite.apache.org by Alexey Kuznetsov <ak...@apache.org> on 2017/08/16 09:38:27 UTC

Policy for update third-party dependencies

Hi, All!

Do we have any policy for updating third-party dependencies?

For example, I found that we are using a very old Apache Commons Codec v.1.6
(released in 2011),
and the latest is Apache Commons Codec v.1.10.

Do we need to update to new versions from time to time?
And how?

Just create a JIRA issue, update pom.xml and run all tests on TC - will that be
enough?

-- 
Alexey Kuznetsov

Re: Policy for update third-party dependencies

Posted by Alexey Kuznetsov <ak...@apache.org>.
Denis,

> I would respond why do we need to update? Some bug, new capabilities,
> security breach? Alexey K., please shed some light on this.

There is no special purpose, I just accidentally found that we are using
a very old dependency.

It is common practice (especially in web development, as an example) to update
dependencies from time to time.

I think if users use commons-codec + Ignite in their projects, it may
lead to jar conflicts at some point (the user will use the latest commons-codec and
in Ignite we use an old one).

Makes sense?

On Thu, Aug 17, 2017 at 7:29 AM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> On Wed, Aug 16, 2017 at 5:26 PM, Denis Magda <dm...@apache.org> wrote:
>
> > I would respond why do we need to update? Some bug, new capabilities,
> > security breach? Alexey K., please shed some light on this.
> >
>
> Actually, now that I think of it, why do we even have that dependency? But
> if you do, and upgrading does not introduce any bugs, I would upgrade, so
> we do not create version conflicts on user side.
>
-- 
Alexey Kuznetsov

Re: Policy for update third-party dependencies

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Wed, Aug 16, 2017 at 5:26 PM, Denis Magda <dm...@apache.org> wrote:

> I would respond why do we need to update? Some bug, new capabilities,
> security breach? Alexey K., please shed some light on this.
>

Actually, now that I think of it, why do we even have that dependency? But
if you do, and upgrading does not introduce any bugs, I would upgrade, so
we do not create version conflicts on user side.



Re: Policy for update third-party dependencies

Posted by Nick Pordash <ni...@gmail.com>.
Hi Val,

Pretty much, with obvious exceptions being integration modules with other
projects. If the dependency is well isolated, then shading could be
beneficial.

I've also had to do this for client libraries operating inside other
frameworks (I've had to shade netty to avoid conflicting with user code).
It's a good alternative since relying on things like OSGi isn't all that
practical due to lack of widespread adoption.

-Nick

On Mon, Aug 21, 2017, 10:48 AM Valentin Kulichenko <
valentin.kulichenko@gmail.com> wrote:

> Hi Nick,
>
> Do you suggest to build and deploy uber-jars that have no external
> dependencies?
>
> -Val

Re: Policy for update third-party dependencies

Posted by Valentin Kulichenko <va...@gmail.com>.
Hi Nick,

Do you suggest to build and deploy uber-jars that have no external
dependencies?

-Val

On Sun, Aug 20, 2017 at 1:02 PM, Nick Pordash <ni...@gmail.com> wrote:

> If the dependency is not exposed by the public API then another alternative
> is to simply shade the artifact and then this becomes a non-issue for
> users.
>
> Considering Ignite is a platform that executes user code via compute and
> service grid I personally think it would be good to minimize the number of
> dependencies that can potentially conflict with user code.
>
> -Nick

Re: Policy for update third-party dependencies

Posted by Nick Pordash <ni...@gmail.com>.
If the dependency is not exposed by the public API then another alternative
is to simply shade the artifact and then this becomes a non-issue for
users.

Considering Ignite is a platform that executes user code via compute and
service grid I personally think it would be good to minimize the number of
dependencies that can potentially conflict with user code.

-Nick

On Sun, Aug 20, 2017, 11:51 AM Valentin Kulichenko <
valentin.kulichenko@gmail.com> wrote:

> Guys,
>
> Keep in mind that some projects can use an *older* version of third-party
> libraries as well, and dependency upgrade can break them. In other words,
> dependency upgrade is in many cases an incompatible change for us, so we
> should do this with care.
>
> Unless there is a specific reason to upgrade a specific dependency, I think
> it's better to postpone it until a major version.
>
> -Val
>
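
The shading approach suggested in this message, sketched as a maven-shade-plugin configuration for the commons-codec case the thread discusses. This is an added example, not part of the original thread or of Ignite's build; the `org.apache.ignite.shaded` package prefix is a hypothetical name.

```xml
<!-- Added example: relocate commons-codec into a private package so the
     copy bundled in this jar cannot clash with the version picked by user
     code. The shaded package prefix below is hypothetical. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.2.4</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>shade</goal>
          </goals>
          <configuration>
            <!-- Bundle only this one dependency, not the whole tree. -->
            <artifactSet>
              <includes>
                <include>commons-codec:commons-codec</include>
              </includes>
            </artifactSet>
            <!-- Rewrite the bundled classes and every reference to them. -->
            <relocations>
              <relocation>
                <pattern>org.apache.commons.codec</pattern>
                <shadedPattern>org.apache.ignite.shaded.org.apache.commons.codec</shadedPattern>
              </relocation>
            </relocations>
            <!-- Remove the shaded artifact from the published POM so users
                 no longer inherit it as a transitive dependency. -->
            <createDependencyReducedPom>true</createDependencyReducedPom>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

A relocated copy no longer appears as a declared dependency in the published POM, so the bundled version has to be tracked and upgraded by the project itself when a fix is released.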

Re: Policy for update third-party dependencies

Posted by Valentin Kulichenko <va...@gmail.com>.
Guys,

Keep in mind that some projects can use an *older* version of third-party
libraries as well, and dependency upgrade can break them. In other words,
dependency upgrade is in many cases an incompatible change for us, so we
should do this with care.

Unless there is a specific reason to upgrade a specific dependency, I think
it's better to postpone it until a major version.

-Val

On Sun, Aug 20, 2017 at 5:04 AM 李玉珏@163 <18...@163.com> wrote:

> If the third party library is incompatible with the new version and the
> old version (such as lucene3.5.0-5.5.2), and the dependent version of
> Ignite is older, it may cause conflicts in the user's system.
> For such scenarios, I think that updating third-party dependencies'
> major version is valuable.

Re: Policy for update third-party dependencies

Posted by 李玉...@163, 18...@163.com.
If the third party library is incompatible with the new version and the 
old version (such as lucene3.5.0-5.5.2), and the dependent version of 
Ignite is older, it may cause conflicts in the user's system.
For such scenarios, I think that updating third-party dependencies'
major version is valuable.


On 2017/8/17 at 8:26 AM, Denis Magda wrote:
> I would respond why do we need to update? Some bug, new capabilities, security breach? Alexey K., please shed some light on this.
>
> —
> Denis



Re: Policy for update third-party dependencies

Posted by Denis Magda <dm...@apache.org>.
I would respond why do we need to update? Some bug, new capabilities, security breach? Alexey K., please shed some light on this.

—
Denis

> On Aug 16, 2017, at 5:12 PM, Dmitriy Setrakyan <ds...@apache.org> wrote:
> 
> On Wed, Aug 16, 2017 at 5:02 PM, Denis Magda <dm...@apache.org> wrote:
> 
>> Honestly, I wouldn’t touch a dependency if it works like a charm and
>> nobody requested us to migrate to a new version.
>> 
>> Why do you need to update Apache Commons Codec?
>> 
> 
> Not sure I agree. Why not update it?


Re: Policy for update third-party dependencies

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Wed, Aug 16, 2017 at 5:02 PM, Denis Magda <dm...@apache.org> wrote:

> Honestly, I wouldn’t touch a dependency if it works like a charm and
> nobody requested us to migrate to a new version.
>
> Why do you need to update Apache Commons Codec?
>

Not sure I agree. Why not update it?



Re: Policy for update third-party dependencies

Posted by Denis Magda <dm...@apache.org>.
Honestly, I wouldn’t touch a dependency if it works like a charm and nobody requested us to migrate to a new version.

Why do you need to update Apache Commons Codec?


—
Denis

> On Aug 16, 2017, at 10:36 AM, Alexey Kuznetsov <ak...@apache.org> wrote:
> 
> Done
> 
> https://issues.apache.org/jira/browse/IGNITE-6090


Re: Policy for update third-party dependencies

Posted by Alexey Kuznetsov <ak...@apache.org>.
Done

https://issues.apache.org/jira/browse/IGNITE-6090

On Wed, Aug 16, 2017 at 8:01 PM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> The answer is Yes, we should update. Jira ticket assigned to the next
> release should be enough in my view.
>
> D.



-- 
Alexey Kuznetsov

Re: Policy for update third-party dependencies

Posted by Dmitriy Setrakyan <ds...@apache.org>.
The answer is Yes, we should update. Jira ticket assigned to the next
release should be enough in my view.

D.

On Wed, Aug 16, 2017 at 2:38 AM, Alexey Kuznetsov <ak...@apache.org>
wrote:

> Hi, All!
>
> Do we have any policy for updating third-party dependencies?
>
> For example, I found that we are using a very old Apache Commons Codec v.1.6
> (released in 2011),
> and the latest is Apache Commons Codec v.1.10.
>
> Do we need to update to new versions from time to time?
> And how?
>
> Just create a JIRA issue, update pom.xml and run all tests on TC - will that be
> enough?
>
> --
> Alexey Kuznetsov
>