-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problematic dependencies for downstream projects #758
Comments
/cc @zvonkok |
/cc @mrunalp @kolyshkin |
@giuseppe PTAL |
as much as I like your plan, I am not a maintainer to ack it: https://github.com/opencontainers/runtime-tools/blob/master/MAINTAINERS I think it is better if any maintainer will ack it first |
Thanks @kolyshkin since you're the latest addition approved by @vbatts and @tianon would you take a look at the proposal? |
I am 👍 on attempting to fix these issues. Thanks @klihub! |
Just an update/note related to eliminating |
I willing to help with this work. I see that go version is 1.16 here, and for multierror dependency dropping we could use go's native support for multi error wrapping but that requires bumping the version to at least 1.20. Would folks here be okay with that change as well? |
/assign |
Any thoughts on tagging a new release? I find myself looking at this issue because Toolbx picked up a dependency on tags.cncf.io/container-device-interface, and the tags.cncf.io/container-device-interface module requires:
I see that @mrunalp merged commit 2e043c6bd626. So, maybe we can formalize things by tagging it as |
For github.com/xeipuuv/gojsonschema, perhaps https://github.com/santhosh-tekuri/jsonschema will be an adequate replacement. |
One thought is to move validation-specific code to a separate go submodule. This would mean that only clients that opt-in to validation would depend on the transitive dependency. |
During the review process of the recently merged Kubernetes Dynamic Resource Allocation feature it was pointed out that runtime-tools has a few problems to vendor for otherwise potential downstream projects.
The first problem is the lack of actively tagged releases, which I guess should be relatively easy to solve. The primary concern with the lack of recent tags is that "it's not clear if HEAD of the repo is always expected to be production-worthy".
The remaining problems are related to dependencies which are problematic to inherit downstream, either because of licensing choices (not a CNCF-approved license), or lack of proper maintenance. Those dependencies are considered problematic even if they are isolated within runtime-tools well enough that vendoring runtime-tools typically does not pull any of the actual code from the dependencies downstream. The list of these packages is the following, together with a brief description of the main issues and some potential remedies:
Folks who contribute to DRA and CDI would be willing to do all the heavy lifting if we can agree what lifting with be acceptable. The
hashicorp
andtap-go
bits look fairly straightforward.The
xeipuuv
bits are less so, mostly because there does not seem to be an easy replacement/alternative implementation for JSON-Schema based verification. One possible solution would be to simply split out the JSON Schema validation function fromvalidate
into a new repo, sayopencontainers/[runtime]-spec-validation
. This would be a backward-incompatible change as anyone using schema-based validation would need then to start importing that repo.The text was updated successfully, but these errors were encountered: