-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Semantic versioning for slsa-github-generator releases #1253
Comments
I agree in principle that software should continue to work even if you don't upgrade and I think in hindsight it might have been prudent for us to not GA slsa-github-generator workflows or make any assertions about it working until Rekor's public instance was GA and we had better tests in place for Rekor changes. We and the sigstore team didn't foresee the issues with new Rekor versions. I also agree we'd like to give users options and not rely on Rekor as much. However, transparency logs are an important part of keyless signing and verification so even if we reduce our reliance on the public instance of Rekor, we would still need to rely on some instance of Rekor somewhere. We are considering adding support for private instances of Rekor which would allow users to not rely on the public instance, but requires users to run their own instance of Rekor. We are also considering adding "offline" verification to the slsa-verifier but this only partly solves the issue as IIUC it's just simply caching TUF roots. We can't really remove reliance on Rekor without requiring users to bring and manage their own keys, which has its own security issues.
I'm curious about your thoughts but I'm not sure I understand you fully. How your are describing semver is how I understand it as well. I'm not sure semver really makes it clear what to do when a particular version of the software no longer works and an upgrade is required even though the API has not changed. Some questions in my mind:
|
Thanks @ianlewis for the answer.
So we should expect
I agree with you that semver doesn't currently specify how to deal with availability of a service. But I would argue it's the responsibility of the maintainers of the Rekor instance to solve this issue by providing a versioned service, which cannot just become unavailable suddenly. That's a standard expectation in industry AFAIK.
I would have not started with version
I think "deprecate" was not the right word. I would have said the workflow is not "available" anymore and bump to |
This is something I expect from Rekor moving forward now that it is GA. We are also working with them to add tests to ensure that older clients do not break when the server is upgraded.
Yes. This is standard practice and I expect it from Rekor moving forward. Since it wasn't GA it broke older clients a few times in the past but in the future if that happens I expect it to be caught before release, or for service to be restored to supported clients.
I think that's fair. We should have waited for GA of Rekor to make our workflows GA. Though, the cat was kind of out of the bag once we released v1.0.0. We can't really undo that decision even if it was made in error.
I see. I think "available" is the wrong word since it's still available in the strict sense because we aren't going to delete the tags from the git repo. How about "not supported"? Does that work? |
"not supported" might imply it's not maintained anymore. How about "withdrawn"? Or anything that communicates the workflows does not work anymore. |
Thanks. I updated the warnings on v1.2.0 and v1.2.1 releases to the following. Hopefully this is strong enough language that they should not be used and that they will not work. v1.2.1 v1.2.0 |
I'm going to close this since there aren't any actions left to do. We've improved our practices somewhat, like keeping a good change log and requiring conventional commits to avoid semantic versioning issues in the future. |
The current versions of
slsa-github-generator
releases are not accurately following the semantic versioning rules, which causes confusions as the bots, such as Renovate send update PRs.For instance,
v1.2.1
is bumped tov1.2.2
, which means the updated version should fix a bug but generallyv1.2.1
should still work as there is no breaking change. However, looking at the release notes of v1.2.1, looks likev1.2.1
is not working anymore (which is not the same as deprecated actually). Based on semantic versioning rules for deprecated functionality, I would have expected to seev1.3.0
as a version that will be deprecated but still works, andv2.0.0
to actually remove the functionality with a breaking change.That being said, I think the current version of
slsa-github-generator
releases have to consider two aspects while bumping a version:To avoid all these problems, it seems crucial to remove reliance on Rekor to begin with, and only then the versions can be meaningful.
The text was updated successfully, but these errors were encountered: