On 6/23/15, 9:03 PM, "Eric Sorenson" <eric.soren...@puppetlabs.com> wrote:
> >> I suspect this confusion will hinder deployment the AIO packaging is >> certainly in the cons category for us. > >I really want to understand this, because it's a big deal. (My life goal >at >this point is to get as many people as possible upgraded to Puppet 4, so >anything that gets in the way of that is a problem!) There's been a bunch >of >different points in the thread, some of them about the numbering and some >about the packaging itself; what would reduce the confusion for you? It’s actually interesting, because it came up at a PUG meeting here locally, and I definitely got a more negative than positive vibe from the AIO packaging, as well as my own feelings. In the end, it comes down to the potential security implications for some of my clients. On the enterprise front, you provide an installer, which you have a contractual obligation to support. When security issues arise with say the bundled ruby, you are going to quickly act on them. On the open source side, I’m less sure about that obligation. You guys have been spectacular at keeping up with security patches, but when you decide to deprecate 4.1, you’ll have people with it installed 2 years from now. You now have a much larger software ecosystem to worry about vulnerabilities in. Basically, it puts the open source users in a position where they have to rely on puppetlabs for patches to upstream projects such as the bundled ruby or openssl on the agent side. A related concern comes with companies with infosec departments that have to bless things. I get Ruby 2.1.0 blessed, but then the bundled ruby gets updated to 2.1.1. Now there are a lot more compliance hoops to jump through. In the end, a lot of it comes down to it “not being the unix way”. I have many of the same arguments and dislikes against systemd. I have no issue with the AIO installer, and in fact might use it on some older centos/rhel5 hosts where getting modern ruby is hard. My heartburn comes from it being the only REAL way to install these packages starting with version 4. I’d much prefer you also support a more traditional metapackage approach for the operating systems that support it. Finally, the AIO package creation is a lot less repeatable. If I need to modify 3.7 locally, I modify it, change the spec to add a local component and build a new RPM. With this AIO, I need to grab the packaging repo and spend some amount of time trying to figure out how to navigate it. Hope that helps. Jason -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/D1AF95DF.60216%25raistlin%40tacorp.net. For more options, visit https://groups.google.com/d/optout.
