#21 Add information about our dependents
Merged 2 years ago by decathorpe. Opened 2 years ago by cipherboy.
cipherboy/stewardship-sig add-dogtag-collection  into  master

file modified
@@ -36,6 +36,13 @@ 

  All open pull requests against our packages can be viewed at



+ ### This repository


+ This repository is organized into several components:


+  1. `README.md` -- this document.

+  2. `scripts/` -- a collection of scripts for SIG operations

+  3. `dependents/` -- information shared by our dependent packages


  ## Packages we need or want to keep maintained "indefinitely"
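Review bot: In item 3 of the new list, "information shared by our dependent packages" reads as though the dependents supply the data, while the README added under `dependents/` describes it as "information about our dependent packages"; suggest using the same wording in both places. Items 2 and 3 also lack the terminal period that item 1 has.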


file added
@@ -0,0 +1,12 @@ 

+ # Dependent Packages and Collections


+ This directory contains information about our dependent packages. For a

+ package collection, we should try to include the following information:


+   - Primary point of contact for the package

+   - List of packages the SIG owns that they depend on

+   - Any suggested testing instructions


+ It would be courteous to give a direct heads up about major package updates,

+ orphanings, or maintainership transfers to any of our downstream packages

+ who care, if possible.
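Review bot: The closing paragraph says to give a heads up to "any of our downstream packages who care" but does not say whom to contact; suggest tying it to the first bullet, for example "notify the listed point of contact". The bullet list also leaves the layout undocumented: it does not say whether each collection gets its own file in this directory or how that file should be named, which the next contributor will need to know.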

@@ -0,0 +1,41 @@ 

+ # Dogtag PKI


+  - URL: http://dogtagpki.org

+  - GitHub: http://github.com/dogtagpki

+  - Main component: PKI

+  - Point of Contact: pki-devel@redhat.com


+ ## Overview


+ Dogtag provides the PKI component for FreeIPA, which has self-selected as

+ a key component in Fedora. Not breaking Dogtag (and thus FreeIPA) becomes

+ a requirement for Fedora releases. Dogtag started under Netscape, was

+ acquired by Mozilla, and is now part of Red Hat's offerings as Red Hat

+ Certificate System (RHCS). The core component is built on Tomcat and uses

+ RESTEasy for the API interface.


+ ## SIG Dependencies


+ The following packages are currently maintained by the SIG and are used

+ by Dogtag and its dependents:


+  - apache-commons-collections

+  - apache-commons-daemon

+  - apache-commons-lang

+  - glassfish-fastinfoset

+  - jakarta-commons-httpclient

+  - slf4j

+  - velocity

+  - xalan-j2

+  - xsom


+ ## Testing Procedure


+ PKI runs commit-triggered builds in their [COPR](pki-copr) against all

+ current Fedora builds and Rawhide. This might catch problems in build-time

+ dependencies. If you're particularly concerned about a package update or

+ rebase, feel free to contact the mailing list above and we'll be happy to

+ run a quick smoke test.


+ <!-- Links -->

+ [pki-copr]: https://copr.fedorainfracloud.org/coprs/g/pki/master/
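Review bot: In the Testing Procedure paragraph, `[COPR](pki-copr)` is inline-link syntax, so it renders as a link to the relative path `pki-copr` and the `[pki-copr]:` definition at the bottom of the file is never used; it should be `[COPR][pki-copr]`. In the header list, the URL and GitHub entries use `http://` while the COPR link uses `https://`; suggest `https://` for those two as well so that readers following the contact information are not sent over a plaintext connection.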

As proposed in conversation with @decathorpe via email.

This begins to add information about packages (and collections of packages) which depend on packages the SIG maintains. I'm not suggesting we track every package or collection here, just ones which self-select into wanting heads-up about deprecations, maintainer changes, or major rebases. What's suggested here is purely optional and should be viewed as a courtesy and not a requirement.

As explained below, Dogtag is a dependency of FreeIPA, which views itself as being important for Fedora Server releases. From our point of view, it'd be nice to have a personal heads up about major changes so we don't have issues late in a Fedora release cycle again.

This list of packages will be changing as I'll be granting a portion of the dependencies I picked up to the SIG as a co-maintainer (glassfish-jaxb in particular).

If Dogtag cares, should Dogtag maintainers just take the 4 packages instead?

So, we're already maintaining:

  • ant + a few dependencies (ant-antunit comes to mind)
  • glassfish-jaxb + dependencies (shared with the SIG).
  • apache-commons-{daemon,lang}

We also maintain several of these packages in RHEL 8 as modular versions. I can try to compile a more complete list if you're interested.

We're interested in these packages existing but don't necessarily have the time to thoroughly maintain them. We have two options:

  • Reorphan all of these packages and maintain modularized versions to show our SLA level. This means that any usage beyond Dogtag is explicitly not supported. For anyone else depending on this stack, they'd have to maintain their own modularized or ursine versions (and continue duplicating work). For glassfish-jaxb and some of the other random packages, this makes sense. For ant, perhaps not.
  • Add these packages to the SIG, but keep us as primary maintainers. The SIG states in several places that packages owned/shared with the SIG have a lower SLA level; likely CVEs only. This keeps them as ursine packages and lets anyone use them. If they want to contribute to these packages, there's a process they can take, and if they wish to maintain the packages, they can do so as well. No duplication of effort.

I lean towards two. Are we going to walk away from these packages? No. We'll still retain primary maintainership and do most of the work. If we're otherwise busy, might we ask for help every once in a while? Yes, that'd be nice so that we don't have the same problems in Fedora as we did in RHEL.

My (baseless) assertion is that there's two scenarios here: either we (Dogtag) were the only ones not carefully monitoring all our implicit dependencies and their orphaning, or there's more of us out there that don't carefully monitor all our implicit dependencies and notice that they're going away in Fedora. I'm guessing a lot of people who ship code on Fedora (either explicitly as part of the immediate Fedora packagers community or through their own websites and unofficial RPMs) don't carefully monitor devel@. But who knows.

Yes, we can take over primary maintainership of these packages if you'd like, but I'd still like to leave them in the SIG.

Yeah, I can imagine that especially packagers for RHEL / EPEL were not aware of the ongoing issues with Java packages in Fedora.

I think you taking over the role of "main admin" for these packages and adding them to the SIG is a good compromise, for the time being - even if it wasn't the initial goal of the SIG to keep packages around indefinitely.

Can you compile a complete list of the SIG packages that you definitely want to keep maintained, so they don't become victims of my regular cleanup procedure?

3 new commits added

  • Add Dogtag PKI as a tracked dependent collection
  • Add initial overview on dependent collections
  • Add information about repository structure
2 years ago

The final list appears to be (according to the updated PR #23):

  • apache-commons-collections
  • apache-commons-daemon
  • apache-commons-lang
  • glassfish-fastinfoset
  • jakarta-commons-httpclient
  • slf4j
  • velocity
  • xalan-j2
  • xsom

I've gone ahead and updated this PR.

Note that glassfish-jaxb (which I maintain and gave to the SIG) appears to have been dropped as a dependency by an intermediate package, so we no longer strictly need it (though, it does appear to be used by other packages).

Great, thanks! I will also update the README to include these packages in the list of packages we want to keep.

Pull-Request has been merged by decathorpe

2 years ago