One could argue puppetlabs is better off sharing the package specs for 
included rubies so people can keep them current themselves, security 
updates directly from ruby vs having to wait for downstream backports and 
vendor repos sounds better to me long term. Not only can puppetlabs push 
updates quicker but the community can embrace them in the puppetworld 
without having to wait for impact analysis to their "Shared" dependencies.

-byron

On Sunday, December 14, 2014 3:08:21 PM UTC-6, David Schmitt wrote:
>
> The usual argument at this point in the discussion is that AIO packages 
> of any vendor will - by definition - have worse security support than 
> the system versions. 
>
> People who have to certify/verify/validate/audit all binaries that are 
> running on a given system will have additional high costs from bundled 
> components that may render using those packages infeasible. 
>
> Adding more binaries to a system will mean that they will require 
> additional non-dedup-able hardware resources. 
>
>
> Independently of those technical arguments, "freeing puppetlabs from the 
> ruby hell" will be read by free software proponents(sic!) as 
> "unwillingness to support the diversity of the free software ecosystem". 
> See also http://islinuxaboutchoice.com/ and so on. My own opinion is 
> split between the economical realities of vendors and the fact that 
> everything outside Debian main (+ backports) is not *Debian*. 
