Just some points of information from my side; - We (bunch of people at ShapeBlue) took this initiative to provide packages as a convenience to users, there were existing 3rd party repositories at that time but we found they were poorly maintained, for example - packages and systemvmtemplates were not readily available after any release or after discovery of any security issues (such as ghost, poodle issues etc)
- We also wanted to list all the things new users would need on *a single page* such as where to get packages, systemvmtemplate and documentation, see http://shapeblue.com/packages. This page has all the necessary information about the packages such as what they are (upstream, main etc) and how they were built and other information. None of the other 3rd party repos did that at the time, and we kept our promise to maintain this for users and I’ve been doing this since 4.3/4.4 timeframe, including any security advisory that was needed via our blogs (for example, ghost/poodle systemvmtemplate updates etc). - We also wanted to share our custom patches which were simply packages built from official releases with additional/critical bug fixes, the value we produced for our customers here was the ability to get such packages and we thought it would be good to share them with users and community - We also wanted to share custom packages that were backported features on official releases and that were aimed to be future upgrade-able to upstream packages (for example, saml+quota on 4.5 release at http://packages.shapeblue.com/cloudstack/custom, and users can upgrade to 4.6/4.7 in future). A popular reason is that, users won’t really upgrade to major releases just because they are out, typically I’ve seen users upgrade once or twice a year, while some users really avoid upgrading at all and but would prefer upgrading to minor releases (a reason why we maintain old branches or do minor releases). - Information was always available here on whom to contact, sponsors of the repos etc: http://packages.shapeblue.com/README.txt and recently here: http://packages.shapeblue.com/cloudstack/README.txt. I’ve personally received several email regarding the repository and have been supporting users both privately if they would email me personally, or on users@ ML. - We also allow people to mirror our repos via rsync: (try rsync rsync://packages.shapeblue.com), here a mirror hosted by Lucian: http://mirrors.coreix.net/packages.shapeblue.com (Lucian mirrors several 3rd party repos including cloudstack.apt-get one), http://mirror.bhaisaab.org (this for example is faster for Asian geographies) - The ShapeBlue provided repo is too maintained by members of the community who happen to be affiliated with one company but that does not make it better or worse than others - The repository link was added about a year ago by myself on the old site (apache cms based system, before we moved to github/middleman/asf-site based publishing) as a convenience to users. The shapeblue.com/packages<http://shapeblue.com/packages> page, by default shows information on consuming the upstream packages/repo (noredist builds from official releases with no changes) and we don’t favour or recommend consuming from main or custom or any other repos. Regards. On 26-Nov-2015, at 3:17 PM, sebgoa <run...@gmail.com<mailto:run...@gmail.com>> wrote: On Nov 26, 2015, at 7:52 AM, John Burwell <john.burw...@shapeblue.com<mailto:john.burw...@shapeblue.com>> wrote: All, A conversation emerged on a PR [1] regarding how package repositories should listed on the downloads page [2]. This PR was prompted by a change on the page which removed reference to the ShapeBlue repositories. Let me touch base with Pierre-Luc to see what happened. It seems he removed it, but he is also the one who added it in the first place. The PR proposes listing all "3rd-Party Distributions" in a separate section in the same manner as the Apache Cassandra [3] project — clearly stating that the package repositories are not endorsed by the community. Objections were raised that the apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.eu/>> repository is a “blessed” community repository, and therefore, not a third party repository. To the best of my knowledge (and my ability to search the mailing list archives), I can not find a vote that changed the project deliverables to include distribution packages or a particular repository for them. There was no vote on this, and we should not get down that path of arguing about whether apt-get.eu<http://apt-get.eu/> is blessed or not. Very early when CloudStack arrived at apache, Wido started hosting packages and has kept doing it, on his own time on his own budget. He has been kind enough to give access to the server to a few of us and can give access to people who request it. Hence this evolved as the "community repo". However since we only vote on source, we do not vote on packages and we should not say that this "community repo" is a blessed repo (there is a bit of grey area here). We have always said that this is a community maintained repo in contrary to an official ASF repo. Furthermore, the vote for 4.6.0 was only for the source deliverable — not distribution packages. As such the packages contained in the apt-get.eu<http://apt-get.eu/><http://apt-get.eu<http://apt-get.eu/>> repository are no more “blessed” or endorsed than any other packages distributed by other parties. They are not blessed (as voted on), but have grown organically to be maintained by several folks with different affiliations. In my opinion, favoring one 3rd-party repository over another is detrimental to the community. We should either list all maintained 3rd-party package repositories or we should list none at all. By maintained, I mean a repository that meets the following criteria: * All contained packages are built from project release tags * The packages contained in the repository are up-to-date with latest release tags The only variations in the packages across “maintained” repositories should be the plugins from the CloudStack source tree included in the package. In order to be listed on the downloads page, a repository must meet this definition and provide a brief description of the repository’s purpose. Some on the PR discussion asked about the purpose and composition of the packages in the ShapeBlue repository. The packages in the ShapeBlue repository are noredist builds of community release tags. Remembering when Rohit started this, (as he happened to be at my house couple times during that timeframe), the idea that triggered this was to start build packages for every commit, not just releases. As well as starting to offer packages that contained hot fixes. They contain no additional patches or changes. This repository was created to provide users with an convenient/familiar way to install the noredist build of a release. Finally, as I have stated elsewhere, I think the project should build distribution packages signed by the project and distributed from official package repositories. However, we must come to a consensus as community this change in deliverables and work out a variety of issues (e.g. supported platforms, repository management, signing, etc) to ensure that users receive well-tested, community voted packages. Finally, it seems like there will be a role for 3rd-party repositories now and in the future. Listing all available 3rd-party repos as I propose would be convenient for users, and ensure fairness to all contributors. Thanks, -John [1]: https://github.com/apache/cloudstack-www/pull/20 [2]: http://cloudstack.apache.org/downloads.html [3]: http://cassandra.apache.org/download/ All in all, as was mentioned by Pierre Luc on the PR, I do not see a problem with listing (on the www download page): * Official source * Community maintained repo (not voted but maintained by more than single vendor) * Third party repo In the rest of the documentation however, I don't think we should be using vendor specific URLs. The only risk with this is the user "confusion" question: - What is different between the repos ? - Which one should I use ? - I used a third party repo, I have a problem who can help me ? --- John Burwell (@john_burwell) VP of Software Engineering, ShapeBlue (571) 403-2411 | +44 20 3603 0542 http://www.shapeblue.com | @ShapeBlue 53 Chandos Place, Covent Garden, London, WC2N 4HS Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark. Rohit Yadav Software Architect [cid:image003.png@01D122E8.F6EFE910] S: +44 20 3603 0540<tel:+442036030540> | M: +91 88 262 30892<tel:+447770745036> rohit.ya...@shapeblue.com<mailto:steve.ro...@shapeblue.com> | www.shapeblue.com<http://www.shapeblue.com/> | Twitter:@ShapeBlue<https://twitter.com/#!/shapeblue> ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
