jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Breaking changes in minor version release 1.13.2 to 1.14.0 #510

Closed ryancausey closed 2 years ago

ryancausey commented 2 years ago

The 1.14.0 release appears to contain breaking changes, and the CHANGELOG entry includes a note on the breaking changes. If this project is following semver, as the Jazzband contribution guidelines state, I believe this release should be 2.0.0.

Expected Behavior

Breaking changes result in a major version release.

Current Behavior

Breaking changes released as a minor version release.

Possible Solution

Re-release 1.14.0 as 2.0.0.

Context

Since I override the built-in templates, the changes between 1.13.2 and 1.14.0 broke my login pages. Specifically, they can no longer load the two_factor templatetags.

Natureshadow commented 2 years ago

Re-release 1.14.0 as 2.0.0.

Oh, and far more important:

Release 1.14.1, reverting the breaking changes! That should happen immediately, even if a 2.0.0 release takes longer.

claudep commented 2 years ago

Sorry this won't happen. Please pin your dependency if it is an issue for you.

Natureshadow commented 2 years ago

Sorry this won't happen. Please pin your dependency if it is an issue for you.

Eh? What kind of behaviour do you think that is?

You are explicitly using semantic versioning, yet you tell downstreams to not rely on it and instead ditch reasonable handling of security updates?

Natureshadow commented 2 years ago

Oh, and just so you know what this means in reality:

Downstreams that provide reasonable security support might have several supported versions out. In our case, we have AlekSIS-Core 2.4, 2.7 and 2.9 out as supported versions. All of them depend on django-two-factor-auth ^1.x.0, which is correct because we want users to get the most recent, compatible versions of dependencies.

Now, by telling us we have to work around your semver-disrespecting release ourselves, you are telling us that we have to publish maintenance releases of all these supported versions, pinning the dependency to a fixed version – and after that start monitoring django-two-factor-auth manually and backport all future fixes manually because security updates are disabled for it.

With that attitude, you are deliberately fostering maintainer burnout in free software products.

So, please fix the havoc you caused – it is a really trivial thing to do, while working around it is a major catastrophe for downstreams!
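The comment above turns on how a caret range such as ^1.x.0 behaves against a release that bumps the minor number with breaking changes, and what an exact pin costs in return. The following is an added illustration, not code from this thread or from the django-two-factor-auth project: a small resolver that applies caret semantics (the semver/Poetry convention), an exact `==` pin, and PEP 440's `~=` compatible-release operator to a constructed list of published versions. The version numbers 1.13.2 and 1.14.0 come from the thread; 1.13.3 and 2.0.0 are hypothetical entries added to show how patch and major releases would be treated.

```python
"""Added example (not from the issue thread or the django-two-factor-auth
project): how dependency specifiers select a release from a package index.

The published-version list is constructed for illustration. 1.13.2 and
1.14.0 are the versions discussed in the thread; 1.13.3 and 2.0.0 are
hypothetical.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    major, minor, patch = (int(part) for part in v.split("."))
    return major, minor, patch


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """Caret range (semver / Poetry convention):
    ^1.13.2 -> >=1.13.2,<2.0.0   (any minor or patch bump is accepted)
    ^0.2.1  -> >=0.2.1,<0.3.0
    ^0.0.3  -> >=0.0.3,<0.0.4
    """
    low = parse(spec[1:])
    major, minor, patch = low
    if major > 0:
        high: Version = (major + 1, 0, 0)
    elif minor > 0:
        high = (0, minor + 1, 0)
    else:
        high = (0, 0, patch + 1)
    return low, high


def compatible_release_bounds(spec: str) -> Tuple[Version, Version]:
    """PEP 440 '~=' operator: ~=1.13.2 -> >=1.13.2,<1.14.0
    (patch releases only, so fixes still arrive but minor bumps do not)."""
    low = parse(spec[2:])
    major, minor, _ = low
    return low, (major, minor + 1, 0)


def allowed(spec: str, version: str) -> bool:
    """Return True if `version` satisfies the single specifier `spec`."""
    if spec.startswith("=="):
        return parse(spec[2:]) == parse(version)
    if spec.startswith("~="):
        low, high = compatible_release_bounds(spec)
        return low <= parse(version) < high
    if spec.startswith("^"):
        low, high = caret_bounds(spec)
        return low <= parse(version) < high
    raise ValueError(f"unsupported specifier: {spec}")


def resolve(spec: str, available: List[str]) -> Optional[str]:
    """Pick the newest published version permitted by `spec`, which is what a
    resolver does on a fresh install or an unpinned upgrade."""
    candidates = [v for v in available if allowed(spec, v)]
    return max(candidates, key=parse) if candidates else None


# Constructed package index: thread versions plus hypothetical 1.13.3 and 2.0.0.
PUBLISHED = ["1.13.2", "1.13.3", "1.14.0", "2.0.0"]

if __name__ == "__main__":
    # Caret accepts the 1.14.0 minor release, breaking changes included.
    print("^1.13.2  ->", resolve("^1.13.2", PUBLISHED))
    # An exact pin avoids 1.14.0 but also never receives the 1.13.3 patch.
    print("==1.13.2 ->", resolve("==1.13.2", PUBLISHED))
    # '~=' takes patch releases only: 1.13.3 yes, 1.14.0 no.
    print("~=1.13.2 ->", resolve("~=1.13.2", PUBLISHED))
```

The `~=` line is the middle ground between the two positions in the thread: it keeps a downstream on the patch series it has tested while still letting a fix within that series reach it, whereas an exact pin leaves every later fix to be tracked and backported by hand, as the comment above describes.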

hansegucker commented 2 years ago

That's exactly true.