support field to support "license" #218
Comments
|
I added the notes and slides here, and am planning on reviewing next meeting, but definitely pull things out to specifically discuss if it is necessary! |
|
@Eomm did you want to tag this with package-maintenance-agenda to discuss next meeting? |
This is one of the most important questions in this I think. IMO a meaningful change in the support model can be a breaking change. This would be a great thing to have strong documentation on before rolling this out.
I think there might be some work here around "deprecated support models" on a project. Like if you were supported by a company then left said company, now the old support model cannot be accepted anymore, does that also make the package deprecated? If we tie support and license into semver, we might get a bunch of issues like this. Maybe it would be better to version them separately? Something like "Support model 1 applies <v2.0.0 and support model 2 applies >=v2.0.0". If we could capture that in the single file format it would be great because we could avoid tying them together under semver versioning I think.
Lol, well the support model changed to unsupported. So yeah it would be optimal to release a version which updates the support field.
While I am all on board for "solving the worlds problems", I am worried about increasing scope beyond reason. I think making it a file instead of a In general I think we should explore what other ecosystems are doing, and maybe companies like Tidelift and Open Collective. If we find that getting consensus with larger groups to be a problem we should keep focus on node. I think that if we can solve the problem in a node specific way, it would satisfy the goals of the working group. |
|
I don’t think I’m convinced by the package.json arguments. Adding a json key won’t meaningfully affect parsing perf, and there’s already tons of other config that lives there. As far as the license, the file does not necessarily win - it hasn’t been tested in court, and i can absolutely see a spdx compliant license field trumping a separate license file, in some scenarios. Yes, any change in support will always require a publish, regardless of where it lives, because it’s part of the package - not some side channel metadata. |
I sort of agree, but I think having a file format might give us more room to grow in the long run.
You are right, but I was hoping we could find some way to avoid the issue of having to publish tons of extraneous versions when the code parts of a package are not changing. I think probably this is unavoidable though. |
|
Until that’s fixed for readmes, i don’t think it should/can be fixed for other things ¯\_(ツ)_/¯ |
mhdawson
added
the
package-maintenance-agenda
|
I've tagged so its on the agenda for the next meeting. Once we talk through the different options and have agreed on what direction we want to go I'll take a cut at updating our doc. I like the suggestion that the entry in the package.json point to a file (remote or part of the package). Allowing it to be remote allows the support info to be changed without a release. I think @sam-github's point that support is not necessarily tied to a particular release is valid. In addition in many cases the support qualities are not specific to a particular version. For example if the backing is I guess I'm saying that I don't agree with:
and instead the support info is more likely tied to the overall module. I do agree that it might be different for ranges of versions but even in that case the support level might change for a range separately from when those versions were published. |
|
I mainly agree that moving the info in a separate file is ok. Let's say that this "support licence" should explain:
|
|
we'd need something programmatic, not a link to a human-readable markdown section. For what it's worth tho, I still think support is tied to each version of a module. If you release v1.2.3 under a certain support commitment, you should have to provide that support to that version forever, just like a license applies forever. If we want to build in expiration, or updating, that should be part of the support claim, and not implicit. |
the second one doesn't exclude the first one: I saw, for example, a special format for issue templating in Github and also in some headless CMS that apply: (IDK if it is standard or defacto standard) |
|
very true, but it seems much more awkward if we insist people bury HTML comments or similar in their prose. |
|
One other point about why not distributing Agree with @Eomm that we can point {
"support": "gh:org/repo/branch/support.json"
}The JSON file (or any other format that describes support status) describes support in two terms: General and Version specific: {
"contact": {
"bugs": "https://github.com/org/repo/issues/new",
"security": "mailto:[email protected]"
},
"funding": {
"open_collective": "",
"btc": ""
},
"versions": {
"^1.0.0": {
"status": "unsupported"
},
"^2.0.0": {
"status": "lts",
"expires": "1/1/2025"
},
"^3.0.0": {
"status": "bugs-only",
"expires": "1/1/2020"
},
"^3.2.0": {
"status": "active",
"expires": "1/1/2020"
}
}
}(not sure about version ranges. maybe major would be enough but would be also a good idea to open SPEC for minor support status as well) |
|
To me that's the exact reason it shouldn't be a file - support for a version is something you should commit to for the forseeable future, not something you should be able to revoke at any time. this, bu Whether it's part of the package tarball or not, it would need to have some sort of irrevocable/immutable way to communicate and update this information (like npm publishing), and neither a git repo, nor a URL, are those things. |
|
@ljharb Agree and see your point about making it permanent/immutable across releases. This probably involves adding another release in that range if maintainer decides to change support policy for a specific range but probably worth as of simplification. What do you think about allow inlining like this: {
"support": {
"status": "lts",
"expires": "1 year",
"contact": {
"security": "mailto:[email protected]"
},
"funding": {
"open_collective": "",
"btc": ""
}
}
}The |
|
I think that forever support in the package.json for a version it would be practicable only for companies. And for example, if I have:
and I want to change the v1 support to none, I'm restricted to release as minor or patch. How maintainers could apply forever support? |
|
I believe we can support both methods (distributed with pkg or external reference) and individuals/companies can choose between them. They can even switch method in any release/time and we can observe what method will be more adopted. |
|
I'm not a company, and I will be supporting all 100+ packages I maintain forever. Most of them require effectively zero ongoing maintenance cost. (in your example, it's trivial to publish a backport patch to v1 that alters the support imo) |
There's intent, and then there's reality. |
|
@vweevers very true, but so far they're the same :-) and i think it's reasonable that i have to publish a new version when that changes. |
I must 🙇 down to you for the spirit (genuinely), but let's face it - the whole reason this group exists is because very few people have the same commitment as you do. Nor should they. Do we need to take a step back and revisit why do we even have this
I think the currently specified draft serves these purposes well enough and while the concerns raised are valid, I'm wondering if we're heading towards overengineering before we get feedback from actual maintainers trying to use it on their packages? There's no way to enforce the
While I do feel that from the purity perspective, a pointer to a separate file at a canonical URL to define the support level is probably a better choice, I think that asking people to add yet another file might be too much and that the simple field in |
|
i like a timestamp field (maybe Agreed that I'm not convinced about "latest trumps earlier versions", i think "support field + deprecate" is sufficient to cover older versions. I like those enhancements - ie, describing a moving window of support. |
Whatever your good intentions, that's simply not true, unless you live forever! Whether we think people should abandon support for a module or not, people do, so building a mechanism that doesn't allow what people actually do to be communicated seems like its destined for difficulty. Also, some people might decide they want to offer MORE support for old versions, perhaps they decide to offer paid support for old versions, forcing a republish of a new version to change support for an old version seems awkward. I love the simplicity of embedding support info in the npm package, its very attractive, but given the package is immutable, and support is mutable, that isn't going to work well. |
I agree with this in general, but I think some flexibility here is good. I think we could adopt a yaml block like @Eomm points out, which is both human and machine readable. Then we could also allow a more verbose description field which people can give their more details support info. I do think we could restrict it to a whole
It is a standard part of yaml. https://yaml.org/spec/1.2/spec.html#id2760395
I really like the expires, but I think the
I think any specification we make needs to support multiple support blocks for differing version ranges. If we did a yaml document like we mentioned above it could be like: ---
target: ABANDONED
response: NONE
backing: NONE
versions: <3
---
target: SUPERSET
response: BEST-EFFORT
backing: SPONSORED
versions: >=3
...
I think this is a reality we must embrace. If for nothing else exactly the point @sam-github brings up about offering paid support for older versions, which is something we should promote! |
|
What I was initially thinking is that we could use the same json we'd defined, simply export it to a separate file instead of having it in the package.json. I've heard many complaints about yaml files so not sure on switching to that. EDIT: although I do agree we might want to extend it to that we can have an entry per version range. I also agree with
|
I guess my thinking there was that at least yaml has comments and is relatively human readable. But I don't strongly care, JSON is good with me. |
|
toml > > > yaml, but json is probably simplest. |
|
Is there anything preventing us to support json5 comments? :D |
|
no need, json has comments: {
"some field": "this is a comment!",
"some field": "this is the real value of the field"
}tools that cause the comment to be discarded are broken :-p |
|
Starting from the @pi0 proposal I would try to propose this version: |
|
Should we move funding and contact into the support key? Seems like funding is part of the support model. PS lol |
|
My idea was to define an array of support based on the versions range and I thought the contacts and funding were constant across all the versions. |
Are they? What I meant was that sometimes if the maintainer changes the funding or contact info changes along with it. Maybe we could support both ways and let the version one supersede the global one? EDIT: or maybe it is alright to throw away the old info when it changes? I don't know. |
|
I think moving the contact info into the support key is the safest approach and I don't think there will be so many variations that any duplication will matter. |
|
Should have also said I also think moving the funding into the support key also makes sense. |
|
Do you mean like this (without replicating the Then I will try to make a PR as the next step |
|
@Eomm I meant moving contact and funding into the objects in the"versions" section to that each of those entries could have different contacts and funding info. It covers the most different situations. |
In the slack channel there are the raw notes written down by @craftninja 👏 , during the OpenJS Summit.
The main feedback we get is that the
supportfield in our draft could be more attractive if not included in the package.json.The reasons pointed out are:
supportfield?So the suggestions received are:
SUPPORT.mdLet's reinvent our draft
supportin a best solution ✌(I will post my thought in a separate post)
The text was updated successfully, but these errors were encountered: