
Re: concerns about Salsa

On Tue, 2018-06-05 at 15:44 +0100, Ian Jackson wrote:
> Packages are great for software which you can just install and use
> without much fuss.  That is often true for mature software.  But for
> services which are less mature, and more complex, and which have more
> tentacles, the admin is likely to need to change things.  This makes
> using packages awkward.

I think it's better to express the trade-off in terms of consequences.

- Using software packaged by a distro requires very little effort,
  which makes packaged software the ultimate sysadmin force
  multiplier.  I know sysadmins who exploit it to the extent they
  maintain literally 1000s of working boxes.

- Taking a package straight from the developer gives you flexibility
  using software packaged simply can't provide, or worse, you can't use
  it at all because it's not packaged.  The downside is you become a
  nursemaid for the box it's installed on.  Nursemaids are literally
  orders of magnitude less productive than one sysadmin maintaining an
  automated assembly line, so the end product had better be orders of
  magnitude more useful than the packaged version.

To better understand the consequences, compare WordPress
and Drupal.  Both get their share of security issues.  However, only
WordPress is packaged for Debian, so a developer who uses WordPress on
a Debian box with unattended-upgrades installed does not have to
spend much time worrying about patching security issues.  Reading
Drupal developers' comments on the net after the recent Drupal exploits
gets you a common theme: "I've put together lots of customer sites and
now they all need upgrading from a variety of versions, but no one will
pay to do it and there is no way I have the time to do it myself."

That's the consequence of choosing the wrong model for the task at
hand.  I expect they would argue they had a hard requirement for some
Drupal feature, so the consequence of not using Drupal was the web site
didn't happen at all.  That's hard to swallow for a web site, but it's
not so hard for Salsa given the state of its dependencies in Debian.
