[openstack-dev] [tc] supporting Go

Thomas Goirand zigo at debian.org
Wed May 11 13:36:09 UTC 2016


On 05/11/2016 02:41 PM, Jim Rollenhagen wrote:
>> Installing from $language manager instead of distro packages, be it in
>> containers or not, will almost always make you download random blobs
>> from the Internet, which are of course changing over time without any
>> notice, losing the above 3 important features.
> 
> Unless you pin the versions of your dependencies.

Pinning versions doesn't change the fact that you'll have to trust a
large amount of providers, with some of the files stored in a single
location on the Internet. Yes, you can add a cache, etc. but these are
band-aids...

> As for "random blobs from the internet changing over time without
> notice", I think this is the same thing for distros.

With the huge difference that in the case of distros, you're trusting a
single well known entity, with known QA and all, vs a very large number
of 3rd parties with which you have absolutely no relationship, and which
you may not be able to get in touch with.

> On the
> other side, you're trusting yourself to handle these things

In practice, you won't make any effort to make sure what you're
downloading comes from trusted sources only: it's just too difficult for
no rewards.

Cheers,

Thomas Goirand (zigo)
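The disagreement above turns on what a version pin actually guarantees. The following Go program is an added illustration, not code from this thread or from OpenStack: it contrasts a version-only pin, which accepts whatever bytes arrive under the right version string, with a hash pin, which also checks the archive contents against a digest recorded when the dependency was reviewed. The module name, version and archive bytes are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Pin is one lockfile entry. Version-only pinning records just the
// version string; hash pinning additionally records a digest of the
// archive bytes that were reviewed when the pin was written.
type Pin struct {
	Name    string
	Version string
	SHA256  string // hex digest; empty means the pin is version-only
}

// Fetched stands in for an archive downloaded from a third-party index:
// the version it advertises and the raw bytes that actually arrived.
type Fetched struct {
	Name    string
	Version string
	Data    []byte
}

// digest returns the hex SHA-256 of b.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// PinFrom records a hash pin from an archive that has been reviewed once.
func PinFrom(f Fetched) Pin {
	return Pin{Name: f.Name, Version: f.Version, SHA256: digest(f.Data)}
}

// Verify reports whether f satisfies p. A version-only pin accepts any
// bytes that carry the expected version; a hash pin also requires the
// content to be byte-for-byte what was pinned.
func Verify(p Pin, f Fetched) error {
	if f.Name != p.Name || f.Version != p.Version {
		return fmt.Errorf("%s: pinned %s but index served %s@%s", p.Name, p.Version, f.Name, f.Version)
	}
	if p.SHA256 == "" {
		return nil // nothing beyond the version string was pinned
	}
	if got := digest(f.Data); got != p.SHA256 {
		return fmt.Errorf("%s@%s: content digest %s does not match pinned %s", p.Name, p.Version, got, p.SHA256)
	}
	return nil
}

// VerifyAll checks every pin against what was fetched and returns one
// error per dependency that fails or is missing.
func VerifyAll(pins []Pin, fetched map[string]Fetched) []error {
	var errs []error
	for _, p := range pins {
		f, ok := fetched[p.Name]
		if !ok {
			errs = append(errs, fmt.Errorf("%s: pinned but not fetched", p.Name))
			continue
		}
		if err := Verify(p, f); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed data: the archive as it was when the pin was written,
	// and the same version string re-published later with different bytes.
	original := Fetched{Name: "example.invalid/lib", Version: "v1.2.3", Data: []byte("package lib // reviewed contents")}
	republished := Fetched{Name: "example.invalid/lib", Version: "v1.2.3", Data: []byte("package lib // changed after the fact")}

	versionOnly := Pin{Name: original.Name, Version: original.Version}
	withHash := PinFrom(original)

	fmt.Println("version-only pin vs republished:", Verify(versionOnly, republished)) // <nil>: the change goes unnoticed
	fmt.Println("hash pin vs original:          ", Verify(withHash, original))      // <nil>
	fmt.Println("hash pin vs republished:       ", Verify(withHash, republished))   // error: digest mismatch
}
```

The point the example makes is narrow: a version pin fixes which name the build asks for, not what arrives under that name, so only a content digest recorded at review time will flag an archive that was silently replaced; a local cache or mirror then only needs to serve bytes that still match the pinned digests.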
