I didn't see a consensus on this topic yet, and a tools release is about to get 
rolling by Steve.

My original driver for this discussion is that if we are going to do 
shrinkwrap, that we do it all the way instead of slapping it on at the end.

Doing it does add more complexity. But it also removes variability, that's the 
part I like. If the majority of folks want to skip the shrinkwrap, I would be 
OK with that as long as we specifically pin all our dependencies ( "foobar": 
"1.2.3" ) in our package.json files (no ".x", no tilde, caret, greater-than, 
etc). That would handle the 1st-level dependencies, but not subdependencies 
since we don't have control of their package.json - it's partway to the 
destination at a lower cost. This also assumes that partway to the destination 
is good enough.

I did add a step to the tools release that the pinned versions get updated at 
the beginning of a release: 
https://git-wip-us.apache.org/repos/asf?p=cordova-coho.git;a=blobdiff;f=docs/tools-release-process.md;h=02d28c97e8dd104528035939049515338347c75b;hp=b5d288b2c5a8d3cb03bb8fc050bf26c8d15d28fb;hb=8ca35fe00cf0e72eb70d05e242fe7021ec65b028;hpb=14983eb014f84e08e7a76f1ab6ffe069b81f6ffa

Comments?

On Sep 22, 2014, at 10:01 AM, Andrew Grieve <agri...@chromium.org> wrote:

> I like having it in. For CCA, we actually did get bit in a release where we
> didn't have a shrinkwrap and a descendant dependency changed and broke
> things on us.
> 
> It's also really nice that when we sign and vote on a release, that doing
> an "npm install" on it down the line will recreate the exact thing we
> tested & signed.
> 
> I think the trouble came along here just from incomplete release step
> instructions. I think that this (lack of clear steps / process) is the real
> problem.

Reply via email to