New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New release #5
Comments
You'll want to direct these questions to @zombified or @tkimnguyen |
@tkimnguyen you can also give |
Thank you both @rafaelbco and @gforcada for the Plone 5 compatibility and other changes. I am checking with my colleagues and will get back to you very shortly. |
Re: the other (non Plone-5 compatibility) changes: as you can imagine, we do use this package, and we designed it to be as simple as possible and to minimize the attack surface. Giving any additional information to potential attackers is generally something to avoid. Adding an API and a view for managing the settings also goes counter to that. I apologize for this misunderstanding and wish we could have communicated this before you went to all this trouble. We understand that you could want to fork this package, and if you do, we would appreciate it if you did not retain the wildcard namespace. On the other hand, we would love for this package (minus the increased attack surface) to be included in core. Can we find a way to make this work? |
It is not clear to me what you want to do. Do you want to revert the changes? Do you want to keep the changes in the repo but not make a new release? Just to add some background information:
|
I didn't imagine, because the only info I had was from @vangheem (who was the author of all commits) and he mentioned he didn't use the package anymore.
Why "also"? What is the other feature that give additional information to potential attackers? |
Just to answer your easy questions right away:
|
Since you're trying to not me piss me off (thanks!) I'll try to convince you to approve the new features. If you're ok with the new features from a technical point of view then the problem disappears. The status message is optional, and it's disabled by default. When it's enabled it's shown only to logged in users. So I see no big issue here. Regarding |
@tkimnguyen if you don't want the changes you can also pin the current version and stick to it. If new development should happen from your side, either double review what will be in master or create a branch out of the last tag you are interested on. If the package is on collective I always assume that is open to everyone to contribute, improve and adapt to their needs as well. Right? |
I'm thinking in one change that can make @tkimnguyen happy: a new boolean
option in the control panel to enable the web api. This option would be
false by default and could not be changed through the web api itself.
Em 18 de ago de 2017 5:04 PM, "Gil Forcada Codinachs" <
notifications@github.com> escreveu:
@tkimnguyen <https://github.com/tkimnguyen> if you don't want the changes
you can also pin the current version and stick to it.
If new development should happen from your side, either double review what
will be in master or create a branch out of the last tag you are interested
on.
If the package is on collective I always assume that is open to everyone to
contribute, improve and adapt to their needs as well. Right?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABCVOhmnVe_KqFU6lSkN9p_6unUfgnthks5sZe49gaJpZM4O6vjM>
.
|
Thanks for your patience and for explaining your reasoning! I think we should go with the idea of changing version numbers to at least 1.1 so that we at Wildcard can pin to the current feature set and you are free to continue developing. Indeed, this is in the collective so that everyone can build on top of it and add to it. Please let me know when you want a release made. |
Could we maintain separate branches for this? We would prefer to leave master as the 'minimalist' branch with the current feature set, and maybe your new features would be added to the 'comprehensive' branch? If your versions are something like 1.1-comprehensive it would be easy to distinguish. |
I'm starting to think that the best solution would be a fork. I would create Forks exists, it's no big deal IMO. I'd like to hear @gforcada opinion on this. |
If wildcard does not plan to further develop. As they prefer a minimalist approach, I would rather keep a branch for them (or anyone wanting only the minimal set) and keep master for "active" development, that's what any outsider to this discussion would think about. As for branches, just like any plone core package, a 1.x branch can be left for the minimalist approach and a 2.x for the new ongoing development. Sounds that good? |
I agree. And it's technically simple. Just release what's in master now as 2.0 and cut a 1.x branch before unwanted features were added. |
I was discussing a bit further with @zombified ... could we have the master branch be the 'minimalist' one? I understood it might be easier to cherry pick commits to the "extras" branch into master than the other way around. |
This is the same suggestion made before and I still prefer the approach suggested by @gforcada. Just to be clear, what I think has to be done is:
This is standard procedure when compatibility breaking features are added to a software package, at least in the Zope world.
I fail to understand why. The master branch is not special regarding the "git cherry-pick" command. |
The reason why we prefer to have master be minimalist is that we want the default add-on to be locked down. Maybe having someone add wildcard.lockdown[extras] would be easy to understand. |
I understand the reason, but I disagree. But it's just my opinion. I'm not the maintainer.
As far as I know the [extras] thing is just to declare extra dependencies. Since the new features do not depend on any extra distribution, this would not work. |
@tkimnguyen @rafaelbco sorry to bother you almost a year later :-) can we get an agreement somehow? Let's see if you both like my plan:
I hope that this is reasonable for you all. I tried to follow best practices and still make it clear which release is what. One last thing, that goes to @tkimnguyen would you be open to allow more maintainers in pypi or would you still prefer to have control over that and keep adding tickets here in the issue tracker whenever a new release is wished for? |
I'm ok with the plan suggested by @gforcada I have not used the version with my changes in production yet, so I think the 2.0 release should be marked as beta. |
@vangheem Can you make a new release or give me permission on PyPI to do so? My username is rafaelbco there.
The text was updated successfully, but these errors were encountered: