RFC2: Dependency policy
- date: 2023-11-10
- author: Tom Kralidis
- contact: firstname.lastname@example.org
- status: draft
- modified: 2024-01-06
This RFC outlines pygeoapi policy on upstream dependency management, development and stable branch workflow.
Having started in 2018, a core goal of pygeoapi was to develop and provide an OGC API server that is light on core dependencies. Since then, the project has experienced considerable success in the number of features implemented and standards supported. A reality of the aforementioned has been the addition of numerous dependencies that have impacted the codebase on various operating systems and environments.
pygeoapi is currently provided for the below:
Operating systems and build systems are managed on schedules and timelines that are driven by project requirements. As a result, various differences in dependencies and requirements arise. This is especially evident when adding features based on new packages that are available on some environments but not others.
Given the above, it is critical that pygeoapi establish a dependency policy in order to manage development.
On a major or minor release, pygeoapi will implement a stable branch which is pinned to the dependencies at the time of release against master. In particular for a given dependency version such rules shall be met:
- the dependency must not have known high or critical vulnerabilities
- the Python dependency must have a corresponding operating system package for the supported Ubuntu version at the time
As a result, stable branch shall only rely upon those libraries (and respective versions) which can be found on the above given OS baseline repositories. At the same time, the Docker image built with all the dependencies from stable branch must not have known high or critical vulnerabilities.
master branch dependencies and requirements shall be possibly consistent against a given operating system baseline:
- pip3 requirements
- Ubuntu dependencies (nice to have but not mandatory, see below for fixes)
- Docker / Docker Compose
Fixes will be made and backported to stable branches as required. For security fixes, stable branch dependencies shall be updated as required.
Adding/Removing (new) dependencies
Careful consideration shall be given when new dependencies are proposed. New dependencies represent long term commitment and maintenance to dependency management and stability of pygeoapi.
Any new dependency that does not have a corresponding Debian or Ubuntu package shall be fixed as soon as possible and the missing package made available via Ubuntu within 120 days (4 months). If the dependency is not made available to the given distributions in the approved timeline, the developer who introduced the dependency is responsible for removing/reverting/replacing the dependency and the associated code in the codebase.
The pygeoapi PSC reserves the right to remove/revert/replace the dependency and its associated code.
Changes (Pull Requests) which add or remove dependencies shall be discussed and have a minimum of two approvals from the PSC.
To bootstrap this RFC, the following baseline is proposed:
- master branch shall be compatible to dependences available on Ubuntu 22.04
Adopted on 2024-01-06 with +1 from francbartoli, justb4, pvgenuchten, jorgejesus, tomkralidis, kalxas