-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release/1.7] Bump tags.cncf.io/container-device-interface to v0.7.2 #10077
[release/1.7] Bump tags.cncf.io/container-device-interface to v0.7.2 #10077
Conversation
Hi @elezar. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
22559ab
to
c51fd4c
Compare
go.mod
Outdated
|
||
// We replace the v1.2.0 runtime-spec required by container-device-interface with v1.1.0. | ||
replace github.com/opencontainers/runtime-spec v1.2.0 => github.com/opencontainers/runtime-spec v1.1.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious; was there anything in runtime-spec 1.2.0 that's required by CDI, or does the repo have dependabot enabled, therefore automatically updating dependencies to "latest"?
The problem with a replace rule is that they only apply locally, and not to any consumer of the containerd module (i.e., anyone updating the containerd module will still be forced to update the runtime-spec).
If CDI itself does not require any of the features added in v1.1.0 or v1.2.0 of the spec, the correct approach may be to lower the required version (similar to containerd/platforms#5, which was opened for this reason)
Go modules uses "Minimum Version Selection" (MVS); https://go.dev/ref/mod#minimal-version-selection. For libraries, this means that the go.mod
should always contain the minimum version needed to satisfy the library's requirements; which could be an older version of the runtime-spec (e.g. 1.0.0) of that version has all the required features. Specifying a low version means that consumers of the module can decide what version to use, as long as it's SemVer compatible (go modules dictates that SemVer must be followed, so if the module requires (say) v1.0.0, then consumers are allowed to pick any v1.x.x version that they need).
In some cases, it may be needed to update minimum required version if a dependency contains a vulnerability in parts of the code that's used; but strictly only if the code that's used is affected (this may be a bit of a grey area).
Dependabot can be a bit of an issue in these situations, as it directly conflicts with MVS principles when used on a library module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There shouldn't be anything that we require from the v1.2.0
, so we could definitely decrease the dependency there. We do have dependabot enabled in the repo and as you point out, we could look at disabling it instead.
Note that we do use github.com/opencontainers/runtime-tools
to make OCI spec modifications and this has its own spec dependency: `https://github.com/opencontainers/runtime-tools/blob/master/go.mod#L11
This has also already caused issues in cri-o/cri-o#7971 where the testing infrastructure (which uses crun
) has not yet been updated to a crun version that supports a lower spec.
@klihub for your information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have created cncf-tags/container-device-interface#202 to decrease the dependency version.
Looks like this can be updated to v0.7.2 now to get the updated/lowered dependency |
This includes migrating from cdi.GetRegistry() to cdi.Configure() and using top-level cdi Refresh and InjectDevices functions as applicable. Signed-off-by: Evan Lezar <elezar@nvidia.com>
c51fd4c
to
7a2f49f
Compare
Updated the PR. PTAL. |
This includes migrating from cdi.GetRegistry() to cdi.Configure() and using top-level cdi Refresh and InjectDevices functions as applicable.
This backports the changes from #10041 to support the
v0.7.0
CDI spec version.