cloudstack-dev mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: [DISCUSS] Packaging in 4.1
Date Sun, 03 Feb 2013 23:11:02 GMT
On Sun, Feb 3, 2013 at 3:58 PM, Rohit Yadav <bhaisaab@apache.org> wrote:
> On Sun, Feb 3, 2013 at 3:07 PM, David Nalley <david@gnsa.us> wrote:
> ...
>>
>> So EL6 has pygments 1.1.1 - you require 1.5, so in some ways it's
>> worse than clint (clint is in EPEL, but no new version of pygments in
>> EPEL/CentOS-Extras/CentOS-Plus)
>
> I want people to use pip to install the cli because it's the easiest
> and because rpm/deb packages may have dependency issues like you
> mentioned => may not work on all distros, what we can do is when
> people install cloudstack-cli rpm or deb, it runs a script that
> installs pip (if unavailable) and cloudmonkey. cloudmonkey is pure
> python, so the rpm/deb can also ship bundling src tarballs of
> cloudmonkey and its dependencies and install from it. Advise best way
> of doing this?

I guess we won't be installing the CLI via RPMs at least for EL6.

You are assuming that they would have internet access when installing
- which is not a valid assumption.

Honestly, the above idea makes me blanch. A package that reports as
installed, and may or may not have installed - may have installed a
compromised package (see the rubygems.org compromise recently, kernel.org,
and a number of other site compromises), or might have installed
packages I didn't know about, is a Bad Idea (tm). The sysadmin doesn't
know you are installing some of the dependencies, there is no record
of those packages in the package manager, there might potentially
be conflicts with system packages, a security vulnerability in one of
those dependencies wouldn't be caught on audit, etc etc.

And I really don't intend for this to sound like a rant, but one
of the important benefits behind using packages and a package manager
is that a sysadmin needs (and often is required to have by government
regulations) a single source of truth about the software installed on
a machine. Developers love things like Maven central, pypi, CPAN, and
rubygems, and for good reason, they are fast, flexible, and make their
life easy. To a sysadmin managing machines in production, they are
anathema; they make system state difficult or impossible to determine,
they make audits painful. In addition they make troubleshooting
incredibly difficult. Do I have $foo installed - which version? Are
there multiple copies of $foo installed on the system? Which one is
actually being called/loaded?

--David
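As an added example (not part of this thread, and not CloudStack or cloudmonkey code): a small Python audit that answers the three questions David ends with for one module name: which copies are on the search path, which one an import would actually load, and whether each copy is accounted for by the package manager. The `pygments` package name, the two site-packages directories and the versions in the demo are constructed stand-ins; on a real host the owner lookup shells out to `rpm -qf`, while the demo substitutes a constructed owner table so it runs anywhere.

```python
import ast
import importlib.machinery
import os
import shutil
import subprocess
import tempfile


def find_copies(module_name, search_path):
    """Every copy of module_name reachable from search_path, in path order.

    Each entry is probed on its own, so copies shadowed by an earlier entry
    are still reported; a plain import only ever sees the first one.
    """
    copies = []
    for entry in search_path:
        spec = importlib.machinery.PathFinder.find_spec(module_name, [entry])
        if spec is not None and spec.origin:
            copies.append(spec.origin)
    return copies


def read_version(origin):
    """Pull __version__ out of a module file without importing (executing) it."""
    with open(origin, encoding="utf-8") as f:
        tree = ast.parse(f.read(), filename=origin)
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "__version__":
                    try:
                        return ast.literal_eval(node.value)
                    except ValueError:
                        return None
    return None


def rpm_owner(path):
    """Package owning path according to rpm, or None when rpm is absent or the
    file is not in the rpm database (exactly what a pip install leaves behind)."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def audit(module_name, search_path, owner_of=rpm_owner):
    """One row per copy: where it lives, its version, whether an import would
    load it (path order decides), and who the package manager says owns it."""
    report = []
    for i, origin in enumerate(find_copies(module_name, search_path)):
        report.append({
            "origin": origin,
            "version": read_version(origin),
            "loaded": i == 0,
            "owner": owner_of(origin),
        })
    return report


def build_demo(root):
    """Constructed scenario: a distro-packaged pygments 1.1.1 and a newer
    pip-installed 1.5 earlier on the path. Paths are illustrative, not a
    real EL6 layout."""
    pip_dir = os.path.join(root, "usr", "local", "lib", "python", "site-packages")
    rpm_dir = os.path.join(root, "usr", "lib", "python", "site-packages")
    for d, ver in ((pip_dir, "1.5"), (rpm_dir, "1.1.1")):
        pkg = os.path.join(d, "pygments")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as f:
            f.write('__version__ = "%s"\n' % ver)
    # Stand-in for the rpm database: only the distro copy is recorded.
    owned = {os.path.join(rpm_dir, "pygments", "__init__.py"):
             "python-pygments-1.1.1 (constructed)"}
    return [pip_dir, rpm_dir], owned.get


def demo():
    root = tempfile.mkdtemp()
    try:
        search_path, owner_of = build_demo(root)
        return audit("pygments", search_path, owner_of)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for row in demo():
        flag = "LOADED" if row["loaded"] else "shadowed"
        print("%-8s %-6s %-35s %s" % (flag, row["version"],
                                      row["owner"] or "NOT OWNED BY RPM", row["origin"]))
```

Run against a real interpreter, replace the demo search path with `sys.path` and drop the `owner_of` argument: any row marked LOADED whose owner is None is a copy the package manager knows nothing about, which is the audit gap the message describes.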
