incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <bhais...@apache.org>
Subject Re: [DISCUSS] Packaging in 4.1
Date Mon, 04 Feb 2013 01:14:21 GMT
On Mon, Feb 4, 2013 at 4:41 AM, David Nalley <david@gnsa.us> wrote:
> On Sun, Feb 3, 2013 at 3:58 PM, Rohit Yadav <bhaisaab@apache.org> wrote:
>> On Sun, Feb 3, 2013 at 3:07 PM, David Nalley <david@gnsa.us> wrote:
>> ...
>>>
>>> So EL6 has pygments 1.1.1 - you require 1.5, so in some ways it's
>>> worth than clint (clint is in EPEL, but no new version of pygments in
>>> EPEL/CentOS-Extras/CentOS-Plus)
>>
>> I want people to use pip to install the cli because it's the easiest
>> and because rpm/deb packages may have dependency issues like you
>> mentioned => may not work on all distros, what we can do is when
>> people install cloudstack-cli rpm or deb, it runs a script that
>> installs pip (if unavailable) and cloudmonkey. cloudmonkey is pure
>> python, so the rpm/deb can also ship bundling src tarballs of
>> cloudmonkey and its dependencies and install from it. Advise best way
>> of doing this?
>
> I guess we won't be installing the CLI via RPMs at least for EL6.
>
> You are assuming that they would have internet access when installing
> - which is not a valid assumption.
>
> Honestly, the above idea makes me blanch. A package that reports as
> installed, and may or may not have installed - may have installed a
> compromised package (see rubygems.org compromise recently, kernel.org,
> and a number of other site compromises.), or might have installed
> packages I didn't know about is a Bad Idea (tm) The sysadmin doesn't
> know you are installing some of the dependencies, there is no record
> of those packages in the package manager, and there might potentially
> be conflicts with system packages, a security vulnerability in one of
> those dependencies wouldn't be caught on audit, etc etc.

/facepalm\, it's just a problem of packaging. The package can include
cli or any other artifact's dependencies, so in case of cli, you
bundle both pygments and prettytable in cli's rpm/deb. AFAIK all of
them are pure python so easily installable. The cool people can use
pip to install.

>
> And I really don't intend for this to sound like a rant, but the one
> of the important benefits behind using packages and a package manager
> is that a sysadmin needs (and often is required to have by government
> regulations) a single source of truth about the software installed on
> a machine.

No, it's not a rant, I understand.

> Developers love things like Maven central, pypi, CPAN, and
> rubygems, and for good reason, they are fast, flexible, and make their
> life easy. To a sysadmin managing machines in production, they are
> anathema; they make system state difficult or impossible to determine,
> they make audits painful.

I just assumed the sysadmin who would install CloudStack, cli and
whatnot won't be stupid, at the same time I want his life to be less
miserable.

> In addition they make troubleshooting
> incredibly difficult. Do I have $foo installed - which version? Are
> there multiple copies of $foo installed on the system? Which one is
> actually being called/loaded?

Alright, but I'm talking only about the cli, since most users, admins
included, would want it to run on their machines, the installation
should be easiest, that's why I said they can use pip, so it works on
their windows, osx, linux, bsd boxes and that's why it's pure python
(written that way).

Regards.
>
> --David

Mime
View raw message