[bisq-network/bisq] Upgrade grpc & gson dependencies (#4339)

dmos62 notifications at github.com
Thu Jul 9 10:05:21 UTC 2020


@chimp1984 we were talking with @ghubstan yesterday and I came to think that this is about whether we do the updates early or postpone them. Provided we're talking about updates that don't provide new functionality that's needed at the moment. As a counter-example, updating Guava would provide new utilities that would translate to some additional functionality, as compared to updating GSON or gRPC, which is mostly about transparent things like bugfixes or optimizations.

So thinking that way, we postpone updating GSON and gRPC. That makes sense, in that it's not an essential update right now, and by being conservative we expose ourselves less to malicious updates, as you pointed out. There's also a downside, in that postponed upgrades accumulate a bit like debt and when we finally do upgrade, the batches of upgrades will be larger and thus will bear more risk.

The conclusion I'm coming to is that if there are two extremes in here, rejecting every non-essential upgrade vs. accepting any upgrade, the optimal position is somewhere between the two. It's a balancing act. And, that said, this upgrade proposal seems a pretty safe bet. So is it a good time to make this upgrade? It could be.

I've spelled out my thinking about upgrade policy, because I'm still figuring out what to think about it and what the consensus is.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4339#issuecomment-656036138