Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dependencies: initial external dependency policy. #12952

Merged
merged 5 commits into from
Sep 9, 2020

Conversation

htuch
Copy link
Member

@htuch htuch commented Sep 2, 2020

This will apply to all changes to external dependencies in future PRs.

Signed-off-by: Harvey Tuch htuch@google.com

This will apply to all changes to external dependencies in future PRs.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch
Copy link
Member Author

htuch commented Sep 2, 2020

CC @envoyproxy/maintainers @envoyproxy/security-team

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Harvey Tuch <htuch@google.com>
Copy link
Contributor

@alyssawilk alyssawilk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is awesome - thanks for putting it together!

DEPENDENCY_POLICY.md Outdated Show resolved Hide resolved
We rely on community volunteers to help track the latest versions of dependencies. On a best effort
basis:

* Core Envoy dependencies will be updated by the Envoy maintainers/security team.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We really only update deps when needed for security reasons correct? Generally if someone wants an upgrade due to some shiny new feature they have done the work and we review. Are you suggesting we change that, or think it's worth clarifying?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we usually update dependencies continuously; @moderation has been responsible for a lot of this, see history at https://github.com/envoyproxy/envoy/commits/master/bazel/repository_locations.bzl.

There has been some high profile upgrades that were not really plausible to do mechanically as they required code changes, e.g. http-parser, but these are more the exception than rule.

I reckon it's better to try and stick with latest release version. The rationale for this is:

  • Many code improvements are made in projects that can impact security that fall below the threshold of CVE.
  • Many projects don't have long-term support branches, e.g. if we were talking Linux kernel, maybe it's fine to live on 4.0.x as you know this will have active support for a significant period of time.
  • For folks who operate monorepos (cough), other projects force dependencies to be brought forward in time.

The downside is we have more churn and less burn time for a given dependency version.

tools/protodoc/requirements.txt Outdated Show resolved Hide resolved
@mattklein123 mattklein123 self-assigned this Sep 2, 2020
Signed-off-by: Harvey Tuch <htuch@google.com>
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting this together. One small comment and I would suggest shipping and iterating.

DEPENDENCY_POLICY.md Outdated Show resolved Hide resolved
Signed-off-by: Harvey Tuch <htuch@google.com>
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@htuch htuch merged commit f464323 into envoyproxy:master Sep 9, 2020
@htuch htuch deleted the external-dep-policy branch September 9, 2020 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants