Open Stack

On Wed, May 11, 2016 at 02:01:30AM +0200, Thomas Goirand wrote:
> On 05/10/2016 04:19 PM, Rayson Ho wrote:
> > I mentioned in earlier replies but I may as well mention it again: a
> > package manager gives you no advantage in a language toolchain like Go
> 
> Oh... You mean just like in Python where we have pip, Perl where we have
> CPAN, PHP where we have PEAR, or JavaScript where we have
> gulp/npm/grunt/you-name-it?
> 
> Each and every language think it's "special" and that no distro should
> be involved. Of course, the reality is different.
> 
> > IMO, the best use case of not using a package manager is when deploying
> > into containers
> > -- would you prefer to just drop a static binary of your
> > Go code, or you would rather install "apt-get" into a container image,
> 
> For anything serious, the later, of course! The former is only for
> hackers, calling themselves devs, who don't know about opts, playing and
> thinking they're the cool guys. This fashion of "we're in a container,
> so it's ok to do everything dirty" will soon be regarded by everyone as
> one big mistake.

Well, I tend to think this is a matter of opinion. Please, let's not
imply folks involved in this discussion are not "real developers"
because they have a different opinion.

> If you're using containers the wrong way, you loose:
> 1/ Version accountability
> 2/ Security audit
> 3/ Build reproducibility
> 
> Installing from $language manager instead of distro packages, be it in
> containers or not, will almost always make you download random blobs
> from the Internet, which are of course changing over time without any
> notice, loosing the above 3 important features.

Unless you pin the versions of your dependencies.

As for "random blobs from the internet changing over time without
notice", I think this is the same thing for distros. On one side,
you're trusting your distro to handle these things for you (and
downloading random blobs that may change from your distro repo). On the
other side, you're trusting yourself to handle these things (and
downloading random blobs that may change from PyPI (or whatever
$language manager).

So it's a matter of trusting $distro community versus trusting yourself
and/or your team.

If your team is competent enough to manage these things, I'd agree that
compiling a Go application and dropping it in a container is a totally
valid thing to do.

// jim

> 
> Cheers,
> 
> Thomas Goirand (zigo)
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev