Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release Notation HashiCorp Vault plugin 0.1.0 #14

Open
FeynmanZhou opened this issue Nov 17, 2023 · 3 comments
Open

Release Notation HashiCorp Vault plugin 0.1.0 #14

FeynmanZhou opened this issue Nov 17, 2023 · 3 comments

Comments

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Nov 17, 2023

Hi maintainers,

As the majority development and test of Notation HashiCorp Vault plugin has been completed, it's time to start the v0.1.0 release process for the next step.

Before we start release process, we will need to revisit the HashiCorp OSS license change tracked in cncf/foundation#617. notation-hashicorp-vault uses vault API as a direct dependency.

Looking at the HashiCorp statement and Vault API license file, HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0, as well as Vault API. I assume it is compliant to use Vault API as a dependency in notation-hashicorp-vault.

To make sure we are following an compliant practice before releasing notation-hashicorp-vault project, I suggest holding on the release process before Dec 1, 2023 and gather feedback from the community and CNCF during this period.

If there is no concern from the community and CNCF, we could start the release process on Dec 1, 2023

@cipherboy
Copy link

From what I recall of the license changes, it shouldn't impact our ability to release or test, assuming we stick to code in the SDK/API, which IIRC we did as a best practice. (At least, based on my past reading of that CNCF issue, nobody has had issues getting exceptions for retaining SDK/API dependencies against Vault).

Has the CNCF taken a stance on automated integration testing against Vault?

The issue with the current API and SDK packages was the OpenAPI repo was still immature, so I wouldn't have relied it for release software... The in-repo API package lacked any typing associated with it and so I'd feel a lot less comfortable releasing that without integration tests than I would one built on OpenAPI.

It looks like it remains beta but MPL, so we could use it once it matures, if we cannot add automated tests now: https://github.com/hashicorp/vault-client-go/blob/main/LICENSE

@cipherboy
Copy link

Ah, it looks like my question on integration tests was asked here: cncf/foundation#617 (comment)

AFAICT they're still present though I am not familiar enough with the CI infra to tell if its actually used.

So I think we're good.

@cipherboy
Copy link

@FeynmanZhou Do you know if there's standard build tooling for Notation project we can use? Now that OpenBao has completed its first GA release, I can take a stab at a test suite here and we can vet this prior to releasing it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants