On 05/11/2016 02:41 PM, Jim Rollenhagen wrote:
>> Installing from $language manager instead of distro packages, be it in
>> containers or not, will almost always make you download random blobs
>> from the Internet, which are of course changing over time without any
>> notice, losing the above 3 important features.
>
> Unless you pin the versions of your dependencies.

Pinning versions doesn't change the fact that you'll have to trust a
large amount of providers, with some of the files stored in a single
location on the Internet. Yes, you can add a cache, etc. but these are
band-aids...

> As for "random blobs from the internet changing over time without
> notice", I think this is the same thing for distros.

With the huge difference that in the case of distros, you're trusting a
single well known entity, with known QA and all, vs a very large number
of 3rd parties which you have absolutely no relationship with, and which
you may not be able to get in touch with.

> On the
> other side, you're trusting yourself to handle these things

In practice, you won't make any effort to make sure what you're
downloading comes from trusted sources only: it's just too difficult for
no rewards.

Cheers,

Thomas Goirand (zigo)

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev