Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cloudstack.apache.org
Date: Thu, 26 Nov 2015 17:08:26 +0000 (GMT)
From: Nux! <nux@li.nux.ro>
To: dev@cloudstack.apache.org
Message-ID: <772480582.69791.1448557706225.JavaMail.zimbra@li.nux.ro>
In-Reply-To: <D2E41035-5C4C-4266-92C9-374CEFAC8F69@schubergphilis.com>
References: <8238AF81-2BB2-4AEB-978E-906EA887BFCD@shapeblue.com>
 <221C98A8-FE8B-4ACE-B8FF-5034997A6CC5@gmail.com>
 <302E0759-A8BC-478A-8B27-84258B63A2F9@shapeblue.com>
 <D2E41035-5C4C-4266-92C9-374CEFAC8F69@schubergphilis.com>
Subject: Re: Package Repositories
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Thread-Topic: Package Repositories
Thread-Index: AQHRKBcSR0mTBY4TJ0eaaJ2uCfeb356t/h4AgABgLICAAB6ugHwwcuIW

+1 what Remi said.=20

Jenkins is already building packages and system templates, when we release =
a version let's also copy one of those builds and make them "official".
Let's use this enhancement as well with a sensible release number (Y-M-D-#b=
uild?) https://github.com/apache/cloudstack/pull/1075

Nothing against listing on the side community builds such as the Shapeblue =
ones and which extra functionality they provide etc.=20
As long as someone installs Cloudstack, it's a win, doesn't matter the pack=
age. :)

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Remi Bergsma" <RBergsma@schubergphilis.com>
> To: dev@cloudstack.apache.org
> Sent: Thursday, 26 November, 2015 16:22:00
> Subject: Re: Package Repositories

> Hi all,
>=20
> I do appreciate any effort to make it easy for users. My main point of wo=
rry is
> that it is confusing to have different companies supply packages of what =
is
> supposed to be a single product. Which one should they pick?
>=20
> If we look at it, we have two types of packages: the OSS and NOREDIST ver=
sions.
> It does make sense to list those and make them available for easy use. I=
=E2=80=99m also
> fine with mentioning they were build by 3rd parties as the project curren=
tly
> doesn=E2=80=99t officially release them. I just really don=E2=80=99t like=
 putting links to
> company web sites that give users the impression there are many different
> versions. In the past months we=E2=80=99ve had several users on the list =
reporting they
> run the =E2=80=9CShapeBlue=E2=80=9D version. I just don=E2=80=99t know wh=
at that means and if it indeed
> happens to be the same then I think it=E2=80=99s weird they even mention =
it. It is
> confusing. We should=E2=80=99t be doing that IMHO.
>=20
> I propose to put those packages on a generic domain like packages.cloudst=
ack.org
> (or something with apache.org), have them build and published by Jenkins =
and
> then have companies like ShapeBlue, PCExtreme, Schuberg Philis, etc etc p=
rovide
> mirrors to serve different regions. The DNS would simply resolve to one o=
f the
> mirrors, or whatever config we want. We then get the best of both: one pl=
ace to
> go for users (for both OSS/NOREDIST) backed by any company or person in t=
he
> community that wants to sponsor resources. Jenkins can be controlled by a=
ny one
> of us already. Any link on the website, in documentation and hardcoded li=
nks in
> the source should point to the generic url.
>=20
> Regards,
> Remi
>=20
>=20
>=20
>=20
> From: Rohit Yadav <rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue=
.com>>
> Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>"
> <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>>
> Date: Thursday 26 November 2015 16:32
> To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>"
> <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>>
> Subject: Re: Package Repositories
>=20
> Just some points of information from my side;
>=20
> - We (bunch of people at ShapeBlue) took this initiative to provide packa=
ges as
> a convenience to users, there were existing 3rd party repositories at tha=
t time
> but we found they were poorly maintained, for example - packages and
> systemvmtemplates were not readily available after any release or after
> discovery of any security issues (such as ghost, poodle issues etc)
>=20
> - We also wanted to list all the things new users would need on *a single=
 page*
> such as where to get packages, systemvmtemplate and documentation, see
> http://shapeblue.com/packages. This page has all the necessary informatio=
n
> about the packages such as what they are (upstream, main etc) and how the=
y were
> built and other information. None of the other 3rd party repos did that a=
t the
> time, and we kept our promise to maintain this for users and I=E2=80=99ve=
 been doing
> this since 4.3/4.4 timeframe, including any security advisory that was ne=
eded
> via our blogs (for example, ghost/poodle systemvmtemplate updates etc).
>=20
> - We also wanted to share our custom patches which were simply packages b=
uilt
> from official releases with additional/critical bug fixes, the value we
> produced for our customers here was the ability to get such packages and =
we
> thought it would be good to share them with users and community
>=20
> - We also wanted to share custom packages that were backported features o=
n
> official releases and that were aimed to be future upgrade-able to upstre=
am
> packages (for example, saml+quota on 4.5 release at
> http://packages.shapeblue.com/cloudstack/custom, and users can upgrade to
> 4.6/4.7 in future). A popular reason is that, users won=E2=80=99t really =
upgrade to
> major releases just because they are out, typically I=E2=80=99ve seen use=
rs upgrade
> once or twice a year, while some users really avoid upgrading at all and =
but
> would prefer upgrading to minor releases (a reason why we maintain old br=
anches
> or do minor releases).
>=20
> - Information was always available here on whom to contact, sponsors of t=
he
> repos etc: http://packages.shapeblue.com/README.txt and recently here:
> http://packages.shapeblue.com/cloudstack/README.txt. I=E2=80=99ve persona=
lly received
> several email regarding the repository and have been supporting users bot=
h
> privately if they would email me personally, or on users@ ML.
>=20
> - We also allow people to mirror our repos via rsync: (try rsync
> rsync://packages.shapeblue.com), here a mirror hosted by Lucian:
> http://mirrors.coreix.net/packages.shapeblue.com (Lucian mirrors several =
3rd
> party repos including cloudstack.apt-get one), http://mirror.bhaisaab.org=
 (this
> for example is faster for Asian geographies)
>=20
> - The ShapeBlue provided repo is too maintained by members of the communi=
ty who
> happen to be affiliated with one company but that does not make it better=
 or
> worse than others
>=20
> - The repository link was added about a year ago by myself on the old sit=
e
> (apache cms based system, before we moved to github/middleman/asf-site ba=
sed
> publishing) as a convenience to users. The
> shapeblue.com/packages<http://shapeblue.com/packages> page, by default sh=
ows
> information on consuming the upstream packages/repo (noredist builds from
> official releases with no changes) and we don=E2=80=99t favour or recomme=
nd consuming
> from main or custom or any other repos.
>=20
> Regards.
>=20
> On 26-Nov-2015, at 3:17 PM, sebgoa <runseb@gmail.com<mailto:runseb@gmail.=
com>>
> wrote:
>=20
>=20
> On Nov 26, 2015, at 7:52 AM, John Burwell
> <john.burwell@shapeblue.com<mailto:john.burwell@shapeblue.com>> wrote:
>=20
> All,
>=20
> A conversation emerged on a PR [1] regarding how package repositories sho=
uld
> listed on the downloads page [2].  This PR was prompted by a change on th=
e page
> which removed reference to the ShapeBlue repositories.
>=20
> Let me touch base with Pierre-Luc to see what happened. It seems he remov=
ed it,
> but he is also the one who added it in the first place.
>=20
> The PR proposes listing all "3rd-Party Distributions" in a separate secti=
on in
> the same manner as the Apache Cassandra [3] project =E2=80=94 clearly sta=
ting that the
> package repositories are not endorsed by the community.  Objections were =
raised
> that the apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.=
eu/>>
> repository is a =E2=80=9Cblessed=E2=80=9D community repository, and there=
fore, not a third
> party repository.  To the best of my knowledge (and my ability to search =
the
> mailing list archives), I can not find a vote that changed the project
> deliverables to include distribution packages or a particular repository =
for
> them.
>=20
> There was no vote on this, and we should not get down that path of arguin=
g about
> whether apt-get.eu<http://apt-get.eu/> is blessed or not.
>=20
> Very early when CloudStack arrived at apache, Wido started hosting packag=
es and
> has kept doing it, on his own time on his own budget. He has been kind en=
ough
> to give access to the server to a few of us and can give access to people=
 who
> request it.
>=20
> Hence this evolved as the "community repo".
>=20
> However since we only vote on source, we do not vote on packages and we s=
hould
> not say that this "community repo" is a blessed repo (there is a bit of g=
rey
> area here).
>=20
> We have always said that this is a community maintained repo in contrary =
to an
> official ASF repo.
>=20
>=20
> Furthermore, the vote for 4.6.0 was only for the source deliverable =E2=
=80=94 not
> distribution packages.  As such the packages contained in the
> apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.eu/>>
> repository are no more =E2=80=9Cblessed=E2=80=9D or endorsed than any oth=
er packages
> distributed by other parties.
>=20
>=20
> They are not blessed (as voted on), but have grown organically to be main=
tained
> by several folks with different affiliations.
>=20
> In my opinion, favoring one 3rd-party repository over another is detrimen=
tal to
> the community.  We should either list all maintained 3rd-party package
> repositories or we should list none at all.   By maintained, I mean a
> repository that meets the following criteria:
>=20
> *   All contained packages are built from project release tags
> *   The packages contained in the repository are up-to-date with latest r=
elease
> tags
>=20
> The only variations in the packages across =E2=80=9Cmaintained=E2=80=9D r=
epositories should be
> the plugins from the CloudStack source tree included in the package.  In =
order
> to be listed on the downloads page, a repository must meet this definitio=
n and
> provide a brief description of the repository=E2=80=99s purpose.
>=20
> Some on the PR discussion asked about the purpose and composition of the
> packages in the ShapeBlue repository.  The packages in the ShapeBlue repo=
sitory
> are noredist builds of community release tags.
>=20
> Remembering when Rohit started this, (as he happened to be at my house co=
uple
> times during that timeframe), the idea that triggered this was to start b=
uild
> packages for every commit, not just releases. As well as starting to offe=
r
> packages that contained hot fixes.
>=20
> They contain no additional patches or changes.
>=20
> This repository was created to provide users with an convenient/familiar =
way to
> install the noredist build of a release.
>=20
> Finally, as I have stated elsewhere, I think the project should build
> distribution packages signed by the project and distributed from official
> package repositories.  However, we must come to a consensus as community =
this
> change in deliverables and work out a variety of issues (e.g. supported
> platforms, repository management, signing, etc) to ensure that users rece=
ive
> well-tested, community voted packages.  Finally, it seems like there will=
 be a
> role for 3rd-party repositories now and in the future.  Listing all avail=
able
> 3rd-party repos as I propose would be convenient for users, and ensure fa=
irness
> to all contributors.
>=20
> Thanks,
> -John
>=20
> [1]: https://github.com/apache/cloudstack-www/pull/20
> [2]: http://cloudstack.apache.org/downloads.html
> [3]: http://cassandra.apache.org/download/
>=20
>=20
> All in all, as was mentioned by Pierre Luc on the PR, I do not see a prob=
lem
> with listing (on the www download page):
>=20
> * Official source
> * Community maintained repo (not voted but maintained by more than single
> vendor)
> * Third party repo
>=20
> In the rest of the documentation however, I don't think we should be usin=
g
> vendor specific URLs.
>=20
> The only risk with this is the user "confusion" question:
>=20
> - What is different between the repos ?
> - Which one should I use ?
> - I used a third party repo, I have a problem who can help me ?
>=20
>=20
>=20
>=20
> ---
> John Burwell (@john_burwell)
> VP of Software Engineering, ShapeBlue
> (571) 403-2411 | +44 20 3603 0542
> http://www.shapeblue.com | @ShapeBlue
> 53 Chandos Place, Covent Garden, London, WC2N 4HS
>=20
>=20
>=20
> Find out more about ShapeBlue and our range of CloudStack related service=
s
>=20
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-buil=
d//>
> CSForge =E2=80=93 rapid IaaS deployment framework<http://shapeblue.com/cs=
forge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software
> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-trai=
ning/>
>=20
> This email and any attachments to it may be confidential and are intended=
 solely
> for the use of the individual to whom it is addressed. Any views or opini=
ons
> expressed are solely those of the author and do not necessarily represent=
 those
> of Shape Blue Ltd or related companies. If you are not the intended recip=
ient
> of this email, you must neither take any action based upon its contents, =
nor
> copy or show it to anyone. Please contact the sender if you believe you h=
ave
> received this email in error. Shape Blue Ltd is a company incorporated in
> England & Wales. ShapeBlue Services India LLP is a company incorporated i=
n
> India and is operated under license from Shape Blue Ltd. Shape Blue Brasi=
l
> Consultoria Ltda is a company incorporated in Brasil and is operated unde=
r
> license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered=
 by
> The Republic of South Africa and is traded under license from Shape Blue =
Ltd.
> ShapeBlue is a registered trademark.
>=20
> Rohit Yadav
> Software Architect
>=20
> [cid:image003.png@01D122E8.F6EFE910]
>=20
>=20
> S: +44 20 3603 0540<tel:+442036030540> | M: +91 88 262 30892<tel:+4477707=
45036>
>=20
> rohit.yadav@shapeblue.com<mailto:steve.roles@shapeblue.com> |
> www.shapeblue.com<http://www.shapeblue.com/> |
> Twitter:@ShapeBlue<https://twitter.com/#!/shapeblue>
>=20
> ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS
>=20
> Find out more about ShapeBlue and our range of CloudStack related service=
s
>=20
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-buil=
d//>
> CSForge =E2=80=93 rapid IaaS deployment framework<http://shapeblue.com/cs=
forge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software
> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-trai=
ning/>
>=20
> This email and any attachments to it may be confidential and are intended=
 solely
> for the use of the individual to whom it is addressed. Any views or opini=
ons
> expressed are solely those of the author and do not necessarily represent=
 those
> of Shape Blue Ltd or related companies. If you are not the intended recip=
ient
> of this email, you must neither take any action based upon its contents, =
nor
> copy or show it to anyone. Please contact the sender if you believe you h=
ave
> received this email in error. Shape Blue Ltd is a company incorporated in
> England & Wales. ShapeBlue Services India LLP is a company incorporated i=
n
> India and is operated under license from Shape Blue Ltd. Shape Blue Brasi=
l
> Consultoria Ltda is a company incorporated in Brasil and is operated unde=
r
> license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered=
 by
> The Republic of South Africa and is traded under license from Shape Blue =
Ltd.
> ShapeBlue is a registered trademark.