On Tue, 2018-06-05 at 15:44 +0100, Ian Jackson wrote: > Packages are great for software which you can just install and use > without much fuss. That is often true for mature software. But for > services which are less mature, and more complex, and which have more > tentacles, the admin is likely to need to change things. This makes > using packages awkward. I think it's better to express the trade off in terms of consequences. - Using software packaged by a distro requires very little effort, which makes packaged software the ultimate sysadmin force multiplier. I know sysadmin's who exploit it to the extent they maintain literally 1000's of working boxes. - Taking a package straight from the developer gives you flexibility using software packaged simply can't provide or worse you can't use it at all because it's not packaged. The downside is you become a nurse maid for the box it's installed on. Nurse maid's are literally orders of magnitude less productive than one sysadmin maintaining an automated assembly line, so the end product had better be orders of magnitude more useful than the packaged version. To better understand the understand the consequences, compare Wordpress and Drupal. Both get their share of security issues. However only Wordpress is packaged for Debian, so a developer who uses Wordpress on a Debian box with unattended-upgrades installed some does not have to spend much time worrying about patching security issues. Reading Drupal developers comments on the net after the recent Drupal exploits gets you a common theme: "I've put together lots of customer sites and now they all need upgrading from a variety of versions, but no one will pay to do it and there is no way I have the time to do it myself." That's the consequence of choosing the wrong model for the task at hand. I expect they would argue they had a hard requirement for some Drupal feature, so the consequence of not using Drupal was the web site didn't happen at all. That's hard to swallow for a web site, but it's not so hard for Salsa given the state of its dependencies in Debian.
Description: This is a digitally signed message part