Hanno Schlichting wrote:

> +zope.app.applicationcontrol = 3.5.1  # 3.5.2 has incompatible changes
> +zope.app.authentication = 3.6.1  # 3.6.2 has incompatible changes
> +zope.app.catalog = 3.8.0  # 3.8.1 has incompatible changes
> +zope.app.component = 3.8.3  # 3.8.4 has incompatible changes
> +zope.app.container = 3.8.0  # 3.8.1 has incompatible changes
> +zope.app.dav = 3.5.1  # 3.5.2 has incompatible changes
> +zope.app.file = 3.5.0  # 3.5.1 has incompatible changes
> +zope.app.generations = 3.5.0  # 3.5.1 has incompatible changes
> +zope.app.http = 3.6.0  # 3.6.1 has incompatible changes
> +zope.app.rotterdam = 3.5.0  # 3.5.1 has incompatible changes
> +zope.app.security = 3.7.3  # 3.7.5 has incompatible changes
> +zope.app.securitypolicy = 3.5.1  # # 3.5.2 has incompatible changes
> +zope.app.testing = 3.7.3  # 3.7.4 has incompatible changes
> +zope.app.zptpage = 3.5.0  # 3.5.1 has incompatible changes
> +zope.container = 3.8.2  # 3.8.3 has incompatible changes
> +zope.site = 3.6.1  # 3.6.2 has incompatible changes
> +zope.traversing = 3.7.1  # 3.7.2 has incompatible changes
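
Review bot: the zope.app.securitypolicy pin has a doubled comment marker ("# # 3.5.2 has incompatible changes"); drop the extra "#". More generally, every comment in this block says only that the next release "has incompatible changes", so a later reader cannot tell when a pin can be lifted; name the specific incompatibility on each line. On the zope.app.security line the comment jumps from the pinned 3.7.3 to 3.7.5, and it should say why 3.7.4 is not mentioned.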

If the comments are valid, these all smell like process fouls:  a new
third-dot release should not introduce backward incompatibilities.

I see the following issues in the zope.app packages:

- According to the CHANGES.txt for z.a.applicationcontrol 3.5.2,
  the 'zope.ManageApplication' permission moved from z.a.security.
  Given the community's choice to treat a package's ZCML
  as part of its API (which I won't defend, as I disagree with it), this
  change should have resulted in a second-dot bump for each package
  when it occurred.  It also pins the testing-only dependency on
  zope.publisher, which might or might not require a bump.

- z.a.authentication 3.6.1 both added a new testing dependency
  (zope.login) and bumped the required version of zope.publisher.
  This should have been a second-dot bump, except that zope.publisher
  is a testing-only dependency for the package.

- z.a.catalog 3.8.1 bumped the required version of zope.publisher.
  This should have been a second-dot bump, except that zope.publisher
  is a testing-only dependency for the package.

- z.a.component 3.8.4 bumped the required version of zope.publisher.
  This should have been a second-dot bump, as zope.publisher is a hard
  requirement for the package.

- z.a.container 3.8.1 added a previously undeclared dependency on
  z.a.publisher.  I'm not sure that this change requires a second-dot
  bump, or that any others would have broken Zope2.  z.a.container 3.8.2
  has the bump of zope.publisher as a hard dependency, and should
  therefore require a second-dot bump.

- z.a.dav 3.5.2 bumped the required version of zope.publisher, which is
  a hard requirement for the package.  This should have been a
  second-dot bump.

- z.a.file 3.5.1 added a previously-undeclared dependency on
  transaction.  Again, I'm not sure that this required a second-dot
  bump.  It also bumped the zope.publisher dependency, but made it
  a testing-only dependency, which weakens any requirement for a
  second-dot bump in my mind.

- z.a.generations 3.5.1 added a new hard dependency on
  zope.processlifetime.  This should have been a second-dot bump.

- z.a.http 3.6.1 made explicit an undeclared dependency on
  z.a.publisher, but also bumped the hard requirement on zope.publisher.
  The latter should have been a second-dot bump.

- z.a.rotterdam 3.5.1 bumped the required version of zope.publisher,
  which is a hard requirement for the package.  This should have been a
  second-dot bump.

- In addition to issues with moving a permission noted above,
  z.a.security 3.7.5 (the 3.7.4 release was skipped) pins the version
  of zope.publisher, a hard requirement, which should also have caused
  a second-dot bump.

- z.a.securitypolicy 3.5.2 deleted entire modules full of BBB imports,
  which should have mandated a second-dot bump all on its own.

- z.a.testing has the zope.publisher bump, but only as a testing
  dependency.  It also relies on the move of setHooks from zope.site
  to zope.component, but I can't tell whether that was already BBB
  compatible.

- z.a.zptpage 3.5.1 bumped the required version of zope.publisher, which
  is a hard requirement for the package.  This should have been a
  second-dot bump.

In the non-zope.app packages:

- zope.container 3.8.3 adds two view declarations in its ZCML.  Again
  without defense of the policy, this is an "API change" for the
  package, and should have resulted in a second-dot bump.

- zope.site 3.6.2 pins the hard dependency on zope.component, and should
  therefore have been a second-dot bump.

- I cannot see that zope.traversing 3.7.2 introduced any incompatible
  changes.


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
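
The check applied package by package in the message above can be automated; the following is an added example, not code from this thread or from any Zope package. It assumes each release's metadata is available as a dict with `version`, `install_requires` and `tests_require` (hypothetical field layout), and the sample releases are constructed, not real package metadata. It cannot tell a genuinely new dependency from a previously undeclared one, which the message treats as a judgment call.

```python
import re

def parse_requirements(reqs):
    """Map project name -> version specifier ('' when unconstrained)."""
    parsed = {}
    for req in reqs:
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*(.*)$", req)
        parsed[m.group(1).lower()] = m.group(2).replace(" ", "")
    return parsed

def changed(old_reqs, new_reqs):
    """Names that were added, removed, or had their specifier changed."""
    old, new = parse_requirements(old_reqs), parse_requirements(new_reqs)
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))

def actual_bump(old_version, new_version):
    """Which dot moved between two releases: 'first', 'second' or 'third'."""
    a = [int(p) for p in old_version.split(".")]
    b = [int(p) for p in new_version.split(".")]
    for level, (x, y) in zip(("first", "second", "third"), zip(a, b)):
        if x != y:
            return level
    return "third"

def audit(old, new):
    """Flag a third-dot release that changes hard (install-time) dependencies.

    Testing-only changes are reported separately and not flagged, since the
    message treats them as a weaker case.
    """
    hard = changed(old["install_requires"], new["install_requires"])
    test = changed(old["tests_require"], new["tests_require"])
    bump = actual_bump(old["version"], new["version"])
    return {"bump": bump, "hard": hard, "testing_only": test,
            "foul": bool(hard) and bump == "third"}

# Constructed sample metadata for two consecutive releases of one package.
OLD = {"version": "3.5.0",
       "install_requires": ["setuptools", "zope.publisher>=3.5"],
       "tests_require": ["zope.testing"]}
NEW = {"version": "3.5.1",
       "install_requires": ["setuptools", "zope.publisher>=3.12",
                            "zope.processlifetime"],
       "tests_require": ["zope.testing", "zope.login"]}

if __name__ == "__main__":
    print(audit(OLD, NEW))
```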