Contributors mailing list archives
Re: Procedure to create 16.0 branchesby "Aarón Henríquez Quintana" <email@example.com> - 21/07/2022 11:09:56
- You know clearly what is migrated, and all the history
- Easy to track what is being migrated
- The process is clean, and you get used to it very fast, barely 4 commands in git.
- I think it is safe also, it is a responsibility of the repo maintainer that approves the PR to look at the code and check everything is correct.
- It is way more complex for developers, it open a bunch of possibilities:
- If it was not in v15 at the time the 16.0 branch was created: in this case we will be doing the current procedure
- If it was, and there is no improvement, then we will do a "normal" migration with 1 single commit, that's ok
- if it was, but it was improved, we have to include those improvements as well, the diff is not reduced as well.
- Deleted modules will create greater diffs.
- If the module was deleted because no one wanted to use it, but later on someone decides to migrate it, the diff is going to be super huge.
- It is going to be harder to know what is migrated, and being migrated, and what is not necessary.
I like better the current method (having only working/tested/maintained modules in each branch) for the following reasons :
- I find it easier to see what is available un a given version, what would still need to be migrated, and also to get an idea of which versions are being actively used (though I guess I could look at READMEs, migration issues and overall statistics to get the same info)
- on each Odoo instance we deploy we download specific branch and having lots of unusable code would increase bandwidth and storage (although mostly text that could be compressed, so probably not dramatic neither)
I agree that the process to migrate a module from one version to another is not really easy (at least the first times), but I understand that it would still probably need to be done in order to make sure you get the latest commits from previous branch. I am afraid that this would often be forgotten if not strictly necessary in migration process, and for sure we do not want to transfer this extra burden of checking for each PR whether based on latest commits or not to reviewers / PSC.
Last, I am not in favour of having 2 different processes that can be applied per repo, since it would increase complexity for understanding why 2 repos are not behaving the same, and we may lose newcomers (but also for people not so much involved in OCA) - although here again I understand from discussions this is already the case for some repos.
My 2 cents...
SCOP Le FilamentLe July 21, 2022 3:52:02 AM UTC, "Raphaël Valyi" <firstname.lastname@example.org> a écrit :Hello,My vote goes to the opt-in option at least unless Pedro get convinced, because going against the will of somebody processing such a large portion of the PRs would be a terrible shot in the feet.That being said, earlier Pedro raised the concern about the possibility to craft an attack commit inside a missing commit that would be cherry-picked just like with the current way of migrating. But:On Wed, Jul 20, 2022, 3:42 PM Roussel, Denis <email@example.com> wrote:To summarize:
- commits SHA are different with current behaviour
- commits SHA are equal with proposed oneDenis could you confirm this SHA conservation could make us safe against such crafted attack commits in the middle of the missing commits that one would need to cherry-pick with the new procedure?This crafted commit attack thing is indeed extremely concerning...