[Openstack-operators] [openstack-dev] [TripleO] consistency vs packages in TripleO

Clint Byrum clint at fewbar.com
Fri Feb 14 05:13:17 UTC 2014

Excerpts from matt's message of 2014-02-13 19:32:42 -0800:
> For many people in enterprise git / pypi deployments are non-starters.  We
> use real package management systems with real signed packages for a bunch
> of policy and architectural reasons.  So anyone who is under the mistaken
> impression that pypi especially will be a usable deployment model in the
> real world let me disabuse you of that notion right now.

Hi Matt. I totally understand where you are coming from. Trusting that
you're pulling the actual code you think you're pulling is important.

However, consider some things:

* pip now requires SSL with hostname verification, so there is a trust
  loop now, albeit global PKI instead of distro-specific web of trust.

* We clone git from https://git.openstack.org/. If you don't trust
  that, you may not want to run OpenStack at all because that is what
  developers are expected to use.

* We use packages too. Lots of them. We just don't use them where they
  complicate our goal of running and testing with upstream tools.

You may also have missed that we're aiming at distribution of images,
not packages, and one reason for that is that we want to be able to
verify the image has not been tampered with between passing automated
tests and deploying to production.

While I'm eager to hear your specific objections to this model, I hope
that we can agree that this is not your average hipster django dev pip
install from github. ;)
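The verify-before-deploy idea above, as an added illustration that is not part of this thread or of TripleO's own tooling: CI records the image digest once tests pass, and the deploy step refuses an image whose bytes or record no longer match. The image bytes, signing key and build id are constructed placeholders, and the HMAC stands in for the detached signature a real pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed sample standing in for a built deployment image (not a real image).
IMAGE_BYTES = b"constructed-sample-image-contents-v1\n" * 64
# Constructed sample: key held only by the CI system that signs "tests passed" records.
CI_KEY = b"constructed-ci-signing-key-do-not-reuse"


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image artifact: the identity the pipeline tracks."""
    return hashlib.sha256(image).hexdigest()


def record_tested_image(image: bytes, key: bytes, build_id: str) -> dict:
    """Called by CI after tests pass: bind the digest to this build with an HMAC.

    The HMAC is a stand-in for a detached signature (e.g. GPG or an image
    signing tool); it keeps this example stdlib-only.
    """
    manifest = {"build_id": build_id, "sha256": image_digest(image)}
    payload = json.dumps(manifest, sort_keys=True).encode()
    manifest["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return manifest


def verify_before_deploy(image: bytes, manifest: dict, key: bytes) -> bool:
    """Called at deploy time: refuse anything whose record or digest differs."""
    claimed = {k: v for k, v in manifest.items() if k != "mac"}
    payload = json.dumps(claimed, sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return False  # record forged or altered after CI signed it
    # Constant-time compare of the recorded digest against the bytes we are about to deploy.
    return hmac.compare_digest(claimed["sha256"], image_digest(image))


if __name__ == "__main__":
    manifest = record_tested_image(IMAGE_BYTES, CI_KEY, "build-0001")
    print("untouched image deploys:", verify_before_deploy(IMAGE_BYTES, manifest, CI_KEY))
    tampered = IMAGE_BYTES[:-1] + b"!"  # one byte changed after the tests ran
    print("tampered image deploys:", verify_before_deploy(tampered, manifest, CI_KEY))
```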
