]] Russell Stuart > On Thu, 2018-06-07 at 18:14 +0200, Tollef Fog Heen wrote: > > Packages does not imply automation (lots of people maintain machines > > by logging into each one and running apt by hand and $EDITOR on their > > configuration files; I suspect this applies to the majority of > > desktops and laptops by people on this list), and git repositories do > > not imply not-automation. Those are simply transport mechanisms for > > bits and the level of automation you use is not decided by git-vs- > > packages. > > No, distros are not "just transport mechanisms".
We are not disagreeing here; I was talking about packages vs git checkouts of services, not about distributions. > I'll drive the point home with yesterdays (literally yesterdays) > headline: "Three months later, a mass exploit of powerful Web servers > continues". The headline is referring to the 1000's of unpatched > Drupal servers out there, unpatched because patching required upgrading > to the latest version which is too hard. Wordpress sites using the > Debian package with unattended upgrades installed would likely have > been patched before news of the exploit made the headlines. Yes, this happens. I've also come across installations of Debian several releases out of date where everything came from packages, so using packages is not a panacea. Systems have to be maintained no matter where the bits on the system come from. [...] > I accept that's doesn't leave the Salsa team with much choice, but it > still leaves me scratching my head. Containers / VPS's / VM have been > a thing for years now. They solve this separation problem in a way > that reduces the workload for everyone. At the risk of extrapolating from a single data point, I think Alioth showed that using VMs does not fix this automatically. (I'm not picking on the Alioth maintainers, I used to be one of them. The job of maintaining your own separate infrastructure has a non-trivial cost.) -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are
