cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Remi Bergsma <RBerg...@schubergphilis.com>
Subject Re: Package Repositories
Date Thu, 26 Nov 2015 16:22:00 GMT
Hi all,

I do appreciate any effort to make it easy for users. My main point of worry is that it is
confusing to have different companies supply packages of what is supposed to be a single product.
Which one should they pick?

If we look at it, we have two types of packages: the OSS and NOREDIST versions. It does make
sense to list those and make them available for easy use. I’m also fine with mentioning
they were build by 3rd parties as the project currently doesn’t officially release them.
I just really don’t like putting links to company web sites that give users the impression
there are many different versions. In the past months we’ve had several users on the list
reporting they run the “ShapeBlue” version. I just don’t know what that means and if
it indeed happens to be the same then I think it’s weird they even mention it. It is confusing.
We should’t be doing that IMHO.

I propose to put those packages on a generic domain like packages.cloudstack.org (or something
with apache.org), have them build and published by Jenkins and then have companies like ShapeBlue,
PCExtreme, Schuberg Philis, etc etc provide mirrors to serve different regions. The DNS would
simply resolve to one of the mirrors, or whatever config we want. We then get the best of
both: one place to go for users (for both OSS/NOREDIST) backed by any company or person in
the community that wants to sponsor resources. Jenkins can be controlled by any one of us
already. Any link on the website, in documentation and hardcoded links in the source should
point to the generic url.

Regards,
Remi




From: Rohit Yadav <rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>>
Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>>
Date: Thursday 26 November 2015 16:32
To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>>
Subject: Re: Package Repositories

Just some points of information from my side;

- We (bunch of people at ShapeBlue) took this initiative to provide packages as a convenience
to users, there were existing 3rd party repositories at that time but we found they were poorly
maintained, for example - packages and systemvmtemplates were not readily available after
any release or after discovery of any security issues (such as ghost, poodle issues etc)

- We also wanted to list all the things new users would need on *a single page* such as where
to get packages, systemvmtemplate and documentation, see http://shapeblue.com/packages. This
page has all the necessary information about the packages such as what they are (upstream,
main etc) and how they were built and other information. None of the other 3rd party repos
did that at the time, and we kept our promise to maintain this for users and I’ve been doing
this since 4.3/4.4 timeframe, including any security advisory that was needed via our blogs
(for example, ghost/poodle systemvmtemplate updates etc).

- We also wanted to share our custom patches which were simply packages built from official
releases with additional/critical bug fixes, the value we produced for our customers here
was the ability to get such packages and we thought it would be good to share them with users
and community

- We also wanted to share custom packages that were backported features on official releases
and that were aimed to be future upgrade-able to upstream packages (for example, saml+quota
on 4.5 release at http://packages.shapeblue.com/cloudstack/custom, and users can upgrade to
4.6/4.7 in future). A popular reason is that, users won’t really upgrade to major releases
just because they are out, typically I’ve seen users upgrade once or twice a year, while
some users really avoid upgrading at all and but would prefer upgrading to minor releases
(a reason why we maintain old branches or do minor releases).

- Information was always available here on whom to contact, sponsors of the repos etc: http://packages.shapeblue.com/README.txt
and recently here: http://packages.shapeblue.com/cloudstack/README.txt. I’ve personally
received several email regarding the repository and have been supporting users both privately
if they would email me personally, or on users@ ML.

- We also allow people to mirror our repos via rsync: (try rsync rsync://packages.shapeblue.com),
here a mirror hosted by Lucian: http://mirrors.coreix.net/packages.shapeblue.com (Lucian mirrors
several 3rd party repos including cloudstack.apt-get one), http://mirror.bhaisaab.org (this
for example is faster for Asian geographies)

- The ShapeBlue provided repo is too maintained by members of the community who happen to
be affiliated with one company but that does not make it better or worse than others

- The repository link was added about a year ago by myself on the old site (apache cms based
system, before we moved to github/middleman/asf-site based publishing) as a convenience to
users. The shapeblue.com/packages<http://shapeblue.com/packages> page, by default shows
information on consuming the upstream packages/repo (noredist builds from official releases
with no changes) and we don’t favour or recommend consuming from main or custom or any other
repos.

Regards.

On 26-Nov-2015, at 3:17 PM, sebgoa <runseb@gmail.com<mailto:runseb@gmail.com>>
wrote:


On Nov 26, 2015, at 7:52 AM, John Burwell <john.burwell@shapeblue.com<mailto:john.burwell@shapeblue.com>>
wrote:

All,

A conversation emerged on a PR [1] regarding how package repositories should listed on the
downloads page [2].  This PR was prompted by a change on the page which removed reference
to the ShapeBlue repositories.

Let me touch base with Pierre-Luc to see what happened. It seems he removed it, but he is
also the one who added it in the first place.

The PR proposes listing all "3rd-Party Distributions" in a separate section in the same manner
as the Apache Cassandra [3] project — clearly stating that the package repositories are
not endorsed by the community.  Objections were raised that the apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.eu/>>
repository is a “blessed” community repository, and therefore, not a third party repository.
 To the best of my knowledge (and my ability to search the mailing list archives), I can not
find a vote that changed the project deliverables to include distribution packages or a particular
repository for them.

There was no vote on this, and we should not get down that path of arguing about whether apt-get.eu<http://apt-get.eu/>
is blessed or not.

Very early when CloudStack arrived at apache, Wido started hosting packages and has kept doing
it, on his own time on his own budget. He has been kind enough to give access to the server
to a few of us and can give access to people who request it.

Hence this evolved as the "community repo".

However since we only vote on source, we do not vote on packages and we should not say that
this "community repo" is a blessed repo (there is a bit of grey area here).

We have always said that this is a community maintained repo in contrary to an official ASF
repo.


Furthermore, the vote for 4.6.0 was only for the source deliverable — not distribution packages.
 As such the packages contained in the apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.eu/>>
repository are no more “blessed” or endorsed than any other packages distributed by other
parties.


They are not blessed (as voted on), but have grown organically to be maintained by several
folks with different affiliations.

In my opinion, favoring one 3rd-party repository over another is detrimental to the community.
 We should either list all maintained 3rd-party package repositories or we should list none
at all.   By maintained, I mean a repository that meets the following criteria:

*   All contained packages are built from project release tags
*   The packages contained in the repository are up-to-date with latest release tags

The only variations in the packages across “maintained” repositories should be the plugins
from the CloudStack source tree included in the package.  In order to be listed on the downloads
page, a repository must meet this definition and provide a brief description of the repository’s
purpose.

Some on the PR discussion asked about the purpose and composition of the packages in the ShapeBlue
repository.  The packages in the ShapeBlue repository are noredist builds of community release
tags.

Remembering when Rohit started this, (as he happened to be at my house couple times during
that timeframe), the idea that triggered this was to start build packages for every commit,
not just releases. As well as starting to offer packages that contained hot fixes.

They contain no additional patches or changes.

This repository was created to provide users with an convenient/familiar way to install the
noredist build of a release.

Finally, as I have stated elsewhere, I think the project should build distribution packages
signed by the project and distributed from official package repositories.  However, we must
come to a consensus as community this change in deliverables and work out a variety of issues
(e.g. supported platforms, repository management, signing, etc) to ensure that users receive
well-tested, community voted packages.  Finally, it seems like there will be a role for 3rd-party
repositories now and in the future.  Listing all available 3rd-party repos as I propose would
be convenient for users, and ensure fairness to all contributors.

Thanks,
-John

[1]: https://github.com/apache/cloudstack-www/pull/20
[2]: http://cloudstack.apache.org/downloads.html
[3]: http://cassandra.apache.org/download/


All in all, as was mentioned by Pierre Luc on the PR, I do not see a problem with listing
(on the www download page):

* Official source
* Community maintained repo (not voted but maintained by more than single vendor)
* Third party repo

In the rest of the documentation however, I don't think we should be using vendor specific
URLs.

The only risk with this is the user "confusion" question:

- What is different between the repos ?
- Which one should I use ?
- I used a third party repo, I have a problem who can help me ?




---
John Burwell (@john_burwell)
VP of Software Engineering, ShapeBlue
(571) 403-2411 | +44 20 3603 0542
http://www.shapeblue.com | @ShapeBlue
53 Chandos Place, Covent Garden, London, WC2N 4HS



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.

Rohit Yadav
Software Architect

[cid:image003.png@01D122E8.F6EFE910]


S: +44 20 3603 0540<tel:+442036030540> | M: +91 88 262 30892<tel:+447770745036>

rohit.yadav@shapeblue.com<mailto:steve.roles@shapeblue.com> | www.shapeblue.com<http://www.shapeblue.com/>
| Twitter:@ShapeBlue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message