
Rename crate to `oci-client`

Open flavio opened this issue 1 year ago • 4 comments

We've recently moved this code from krustlet/oci-distribution over there (oras-project/rust-oci-client).

Should we also rename the crate from oci-distribution to oci-client?

We could then make PRs against the projects that are using oci-distribution to have them moved to the new crate. An approximate list can be found here

Reading on the internet, we could issue an informal advisory inside of RustSec. In this way, cargo-audit would inform all the end users of the crate about the rename.

flavio avatar Jun 27 '24 13:06 flavio

Hey all, just wanted to tag a few people who I believe are contributors to the following projects for visibility and to make sure people are ok with the change. Feel free to tag someone else if you are not the right person, and if you know of another project we didn't list, please let us know as well.

  • bpfman: @astoycos
  • Kata Containers: @fidencio
  • Kubewarden: @flavio
  • Sigstore: @flavio
  • Spin: @bacongobbler
  • wasmCloud: @thomastaylor312
  • wasm-pkg-tools: @thomastaylor312 and @lann

Based on what I found as well, the two options seem to be an advisory and/or yanking the old crate once the new one is published. Advisory seems a bit less heavy-handed, so that will probably be the best option. We can yank 6-12 months after publishing the new crate name.

Once we've given people a chance to respond, I think we publish 0.11.0 to the new crate location from the tag so that it is a 1:1 replacement for the current version (we could do one more version back as well if needed), and then all new releases would go to the new crate.

Also, to save on commenting again, I am good with this change for the projects I work on.

thomastaylor312 avatar Jun 27 '24 17:06 thomastaylor312

oci-client seems to reflect how we're using this crate in prod, so...


bacongobbler avatar Jun 27 '24 19:06 bacongobbler

LGTM to me too :+1:

flavio avatar Jul 01 '24 07:07 flavio

LGTM!

astoycos avatar Jul 01 '24 13:07 astoycos

Just a heads up that 0.11.0 is now published at https://crates.io/crates/oci-client

thomastaylor312 avatar Aug 08 '24 17:08 thomastaylor312

@flavio Based on the conversation in this issue (and its linked issues), I think we might want to hold off on an informational advisory for a few months to give people time to move over: https://github.com/rustsec/advisory-db/issues/1804

thomastaylor312 avatar Aug 08 '24 18:08 thomastaylor312

Fine with me. Should we push out a 0.11.1 release of oci-distribution with:

  • the docs updated to point out the rename
  • cargo metadata (the one shown inside of crates.io) updated to reflect the rename

That could be done inside of a special branch, created starting from the 0.11.0 tag of oci-distribution. The goal would be to keep these changes from reaching the oci-client "code".

flavio avatar Aug 09 '24 08:08 flavio

Yeah we can push that up

thomastaylor312 avatar Aug 09 '24 15:08 thomastaylor312