On Wed, Jun 24, 2015 at 12:26 AM, Jason Slagle <raist...@tacorp.net> wrote:
>
> It’s actually interesting, because it came up at a PUG meeting here
> locally, and I definitely got a more negative than positive vibe from the
> AIO packaging, as well as my own feelings.
>

I just want to step in on this thread to highlight that there are a
lot of people, including me, that think the AIO approach is good and
offers more advantages than disadvantages.

I too have clients, and among the ones that I've had the opportunity to
talk to about Puppet 4, the AIO packaging is overall welcomed.

> On the open source side, I’m less sure about that obligation.  You guys
> have been spectacular at keeping up with security patches, but when you
> decide to deprecate 4.1, you’ll have people with it installed 2 years from
> now.  You now have a much larger software ecosystem to worry about
> vulnerabilities in.  Basically, it puts the open source users in a
> position where they have to rely on puppetlabs for patches to upstream
> projects such as the bundled ruby or openssl on the agent side.
>

Open source users will always rely on a third party for security
patches anyway. Every single vendor, namely CentOS, Debian and Ubuntu,
drops the ball from time to time. Go and look around about the OpenSSL
problems Debian had, and the long period CentOS users were completely
in the dark for security patches.

You have to choose: best effort or guarantee. I think this trade-off
is well understood, isn't it?

> A related concern comes with companies with infosec departments that have
> to bless things.  I get Ruby 2.1.0 blessed, but then the bundled ruby gets
> updated to 2.1.1.  Now there are a lot more compliance hoops to jump
> through.
>

One of the tradeoffs of using the AIO is to be able to move faster, to
get more done, instead of having to be limited by the least common
denominator. Companies with infosec departments that have to bless
things, IMHO, that is their problem. Don't want to fight the
bureaucracy? Buy the support and outsource the responsibility.

> In the end, a lot of it comes down to it “not being the unix way”.  I have
> many of the same arguments and dislikes against systemd.  I have no issue
> with the AIO installer, and in fact might use it on some older
> centos/rhel5 hosts where getting modern ruby is hard.  My heartburn comes
> from it being the only REAL way to install these packages starting with
> version 4.  I’d much prefer you also support a more traditional
> metapackage approach for the operating systems that support it.
>

The Unix way? Come on. Let's get rid of packaging then. I'm 34 and the
more senior people I've spoken to told me that back in the old days they
downloaded the source code and compiled it, on every machine, with that
nostalgic look in the eyes.

I think it is counterproductive to stick with the metapackage
approach when there is going to be a burden to maintain some operating
systems in one way, and some in another way.
