hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.

Home Page: http://www.packer.io

Packer doesn't follow semantic versioning

twalker1998 opened this issue · comments

Hi,

I looked through community resources, and couldn't find a discussion about this. Please direct me to any discussions I might have missed.

In Packer version 1.10.0, certain plugins were removed from Packer core. I don't have any objections to these removals; ultimately I agree that these plugins shouldn't be shipped with Packer core.

However, my team uses Packer in a completely airgapped environment, and all new software (i.e. Packer plugins) must be approved by our security and legal teams, which is a long and arduous process.

We were forced to upgrade the version of Packer we use from 1.8.x to 1.10.x due to CVEs we discovered in 1.8.x, which broke a number of pipelines that utilized the Amazon and Ansible plugins. This package upgrade did go through the review process mandated by our security and legal teams, but the breaking change was missed, as this was a minor version change. We are now stuck in a holding pattern until our security and legal teams review the usage of the plugins that were removed.

Could we downgrade to 1.8.x? Sure, but that opens us up to a number of CVEs. Should we have validated that upgrading to 1.10.x had no breaking changes? Absolutely.

My question is, though: considering breaking changes to Packer were clearly introduced in a minor version release, is it safe to assume that Packer is not following semantic versioning? And if semantic versioning is not being followed, is there any documentation that explains the versioning strategy that Packer is using?

Hi 👋 thanks for reaching out.

For general questions we recommend reaching out to the [community forum](https://discuss.hashicorp.com/c/packer) for greater visibility.
As the GitHub issue tracker is only watched by a small subset of maintainers and is really reserved for bugs and enhancements, you'll have a better chance of finding someone who can help you in the forum.
We'll mark this issue as needs-reply to help inform maintainers that this question is awaiting a response.
If no activity is taken on this question within 30 days it will be automatically closed.

If you find the forum to be more helpful or if you've found the answer to your question elsewhere please feel free to post a response and close the issue.