oras-project / rust-oci-client

A Rust crate to interact with OCI registries
Apache License 2.0
93 stars 49 forks

Rename crate to `oci-client` #142

Closed flavio closed 2 months ago

flavio commented 3 months ago

We've recently moved this code from krustlet/oci-distribution over there (oras-project/rust-oci-client).

Should we also rename the crate from oci-distribution to oci-client?

We could then make PRs against the projects that are using oci-distribution to have them moved to the new crate. An approximate list can be found here.

Reading on the internet, we could issue an informal advisory inside of RustSec. In this way, cargo-audit would inform all the end users of the crate about the rename.

thomastaylor312 commented 3 months ago

Hey all, just wanted to tag a few people who I believe are contributors to the following projects for visibility and to make sure people are ok with the change. Feel free to tag someone else if you are not the right person, and if you know of another project we didn't list, please let us know as well.

Based on what I found as well, the two options seem to be an advisory and/or yanking the old crate once the new one is published. Advisory seems a bit less heavy-handed, so that will probably be the best option. We can yank 6-12 months after publishing the new crate name.

Once we've given people a chance to respond, I think we publish 0.11.0 to the new crate location from the tag so that it is a 1:1 replacement for the current version (we could do one more version back as well if needed), and then all new releases would go to the new crate.

Also, to save on commenting again, I am good with this change for the projects I work on.

bacongobbler commented 3 months ago

oci-client seems to reflect how we're using this crate in prod, so...

flavio commented 3 months ago

LGTM to me too :+1:

astoycos commented 3 months ago

LGTM!

thomastaylor312 commented 1 month ago

Just a heads-up that 0.11.0 is now published at https://crates.io/crates/oci-client

thomastaylor312 commented 1 month ago

@flavio Based on the conversation in this issue (and its linked issues), I think we might want to hold off on an informational advisory for a few months to give people time to move over: https://github.com/rustsec/advisory-db/issues/1804

flavio commented 1 month ago

Fine with me. Should we push out a 0.11.1 release of oci-distribution with:

That could be done inside of a special branch, created starting from the 0.11.0 tag of oci-distribution. The goal would be to avoid these changes reaching the oci-client "code".

thomastaylor312 commented 1 month ago

Yeah, we can push that up.