From: David Nalley
Date: Mon, 5 Aug 2019 11:29:21 -0400
Subject: Re: Publishing Wrong Distribution
To: general@incubator.apache.org

On Mon, Aug 5, 2019 at 6:52 AM Furkan KAMACI wrote:
>
> Hi All,
>
> One of the projects that I am mentoring has a situation that needs to be
> resolved. I've copied the case below. What do you think about it:
>
> "I want to resolve this soon.
>
> Again the issue is this:
>
> I pushed a bad package.json (with 'files' field) file to our v2.0.1 RC1.
> This escaped testing prior to VOTE for v2.0.1 because I was only testing
> with 'npm install' from repo (takes files direct from repo) rather than
> 'npm pack' + 'npm install' (packages tarball as though it were pushed to
> npm registry, then installs from tarball). After the VOTE passed, I
> followed up on release procedures, and published v2.0.1 RC1 to npm as
> flagon-userale v2.0.1. The resulting npm package in the registry did not
> include critical artifacts and scripts (I tested again immediately after
> publishing).
>
> There was no choice but to unpublish v2.0.1 from the npm registry. 'latest'
> is v2.0.0.
>
> The issue at hand is that we cannot now republish to npm a version
> 2.0.1—the registry is immutable. We have to publish a package with a
> different version number.
>
> My question was whether there were any issues in bumping Apache Flagon
> v2.0.1 to v2.0.2, release through Apache and push to npm as v2.0.2 to
> synchronize semantic versioning between Apache dist/releases and npm.js. Or
> whether this requires a new release VOTE.
>
> The alternatives are:
>
> 1. Proceed with release of v2.0.1 (adding fixes to package.json), then wait
> until next version 2.0.2 to publish to npm—I don't like this because 2.0.1
> is a security-related patch, which fixes over 200 low-depth dependency
> vulnerabilities. v2.0.2 should be ready in a week or two, still we lose
> consumer confidence every day we don't address these vulnerabilities.
>
> 2. Release an unofficial v2.0.2 on npm then synchronize Apache and npm
> releases at v2.0.3—I don't like this at all.
>
> I am looking for any thoughts on the cleanest way to do this and generally
> what best practice is from an Apache voting perspective.
>
> I have corrected the flaw in the current 2.0.1, and tested using npm pack.
> This has been pushed to a new RC branch:
> https://github.com/apache/incubator-flagon-useralejs/tree/v2.0.1-RC2"
>
> Kind Regards,
> Furkan KAMACI

npm and dist.a.o have the same problem - they are essentially immutable.
And there are good reasons for that, but that's beyond the scope.

Consider 2.0.1 a failed release, and start voting on a fixed 2.0.2 that is
what 2.0.1 should have been and ship it. Voting should be much faster this
time around - and you get the bonus of another thing that becomes obvious
to check for.

--David
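The failure mode described in the thread (a package.json `files` field that leaves artifacts out of the tarball `npm pack` builds, which `npm install` from the repo never exercises) can be caught before a VOTE with a pre-publish tarball check. The script below is an added example and is not code from the thread or from Apache Flagon. It models npm's `files` whitelist in a simplified form (real npm also force-includes README, LICENSE and the `main` file), builds the tarball in memory so it runs offline, and the `example-pkg` manifest, the file names and the REQUIRED_ARTIFACTS list are constructed for illustration.

```python
import io
import json
import tarfile

# Constructed sample repository: `files` lists only `build`, so the install
# script is dropped from the tarball, which is the failure mode in the thread.
SOURCE_TREE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "2.0.1",
                                "files": ["build"]}),
    "build/index.js": "module.exports = {};",
    "scripts/postinstall.js": "console.log('post-install setup');",
    "README.md": "# example-pkg",
}

# Artifacts the release checklist says must ship (constructed names).
REQUIRED_ARTIFACTS = ["package.json", "build/index.js", "scripts/postinstall.js"]


def select_packed_files(tree):
    """Simplified model of npm's `files` whitelist: package.json always ships,
    every other path must equal a listed entry or sit under a listed directory.
    (Real npm also force-includes README, LICENSE and `main`; omitted here.)"""
    manifest = json.loads(tree["package.json"])
    allowed = manifest.get("files")
    if allowed is None:  # no `files` field: the whole tree is packed
        return dict(tree)
    kept = {"package.json": tree["package.json"]}
    for path, content in tree.items():
        if any(path == a or path.startswith(a.rstrip("/") + "/") for a in allowed):
            kept[path] = content
    return kept


def pack(tree):
    """Build a gzipped tarball laid out like `npm pack` output (package/ prefix)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in select_packed_files(tree).items():
            data = content.encode()
            info = tarfile.TarInfo("package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_packed_files(tarball):
    """Regular-file paths inside the tarball, with the package/ prefix stripped."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name[len("package/"):] for m in tar.getmembers()
                if m.isfile() and m.name.startswith("package/")}


def missing_artifacts(tarball, required):
    """Required paths that the tarball does not contain, sorted."""
    return sorted(set(required) - list_packed_files(tarball))


def with_files_field(tree, files):
    """Copy of the tree whose package.json lists `files` (the corrected manifest)."""
    manifest = json.loads(tree["package.json"])
    manifest["files"] = files
    fixed = dict(tree)
    fixed["package.json"] = json.dumps(manifest)
    return fixed


if __name__ == "__main__":
    rc1 = pack(SOURCE_TREE)
    print("missing from RC1 tarball:", missing_artifacts(rc1, REQUIRED_ARTIFACTS))
    rc2 = pack(with_files_field(SOURCE_TREE, ["build", "scripts"]))
    print("missing from fixed tarball:", missing_artifacts(rc2, REQUIRED_ARTIFACTS))
```

In a real release pipeline the tarball would come from `npm pack` rather than from `pack()`; `list_packed_files` reads that .tgz unchanged, and a non-empty `missing_artifacts` result should fail the build before the release candidate goes to a VOTE.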