This document outlines recommended Vendoring policies for Docker repositories. (Example, libnetwork is a Docker repo and logrus is not.)
Commit ID based vendoring provides little/no information about the updates vendored. To fix this, vendors will now require that repositories use annotated tags along with commit ids to snapshot commits. Annotated tags by themselves are not sufficient, since the same tag can be force updated to reference different commits.
Each tag should:
Each repo should:
The goal here is for consuming repos to be able to use the tag version and changelog updates to determine whether the vendoring will cause any breaking or backward incompatible changes. This also means that repos can specify having dependency on a package of a specific version or greater up to the next major release, without encountering breaking changes.
Annotated version tags should follow Semantic Versioning policies:
"Given a version number MAJOR.MINOR.PATCH, increment the:
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format."
In order to avoid huge vendoring changes, it is recommended to have a regular cadence for vendoring updates. e.g. monthly.
All related repos will be vendored into docker/docker. CI on docker/docker should catch any breaking changes involving multiple repos.