1 |
Chris Gianelloni wrote: |
2 |
|
3 |
> I have a script which already does several things: |
4 |
> |
5 |
> #1. grabs "best_visible" for stable on each arch |
6 |
> #2. repeat for each SLOT |
7 |
> #3. purge unnecessary files from FILESDIR |
8 |
> #4. strip to only "stable" profiles from profiles.desc |
9 |
> #5. purge unnecessary USE from use.local.desc and use.desc |
10 |
> #6. strip unused eclasses |
11 |
> #7. regenerate Manifest (via ebuild $foo digest) |
12 |
> |
13 |
> I had also planned on it doing the following, but they haven't been |
14 |
> implemented just yet: |
15 |
> |
16 |
> - strip all USE flags that aren't used from use.mask (per-profile) |
17 |
> - strip all packages that aren't available from package.mask |
18 |
> (per-profile) |
19 |
> |
20 |
> What this gives us is a *much* smaller tree, as it only includes stable |
21 |
> packages/versions. |
22 |
> |
23 |
The smaller tree sounds great in terms of maintenance for the volunteers who |
24 |
maintain the release. |
25 |
|
26 |
>> Obviously maintaining that list is some work; predominantly watching |
27 |
>> the announcements from the security team and fixing up dependencies, |
28 |
>> and masking out new packages (for what that's worth). It could be |
29 |
>> regenerated on some or all releases, or perhaps on a yearly basis. It |
30 |
>> would also mean that versions listed there cannot be removed from the |
31 |
>> tree (until they're bumped in the list). |
32 |
> |
33 |
> Well, the simpler approach was to simply copy over the newer, secure |
34 |
> ebuilds, and any required dependencies, into the release tree. There'd |
35 |
> be no need to update mask files and such this way. It would also be |
36 |
> generated with the releases, automatically. |
37 |
> |
38 |
<snip> .. The one |
39 |
> disadvantage to my design is it needs infra. It needs it's own |
40 |
> repository and rsync. |
41 |
> |
42 |
What does that entail? Would a co-located server suffice? |
43 |
|
44 |
(If it gets popular, I'd imagine those mirroring current rsyncs etc would |
45 |
want to mirror the releases as well.) |
46 |
|
47 |
> Basically, it makes the system act a bit more like some other |
48 |
> development models. We end up with the following: |
49 |
> |
50 |
> rsync://rsync.gentoo.org/gentoo-portage (this is equivalent to -current) |
51 |
> rsync://rsync.gentoo.org/2007.0-release (this is the release tree) |
52 |
> |
53 |
> Now, the release trees are non-moving. The 2007.0-release tree is |
54 |
> *always* the 2007.0-release tree for as long as we decide to support it. |
55 |
> Likely, this support period would begin as a single release and get |
56 |
> extended as volunteers came around to support it. New releases get |
57 |
> their own tree. |
58 |
> |
59 |
Well count me in as a volunteer to help set this up and maintain an x86 |
60 |
release. I'm a pretty good coder if that helps. |
61 |
|
62 |
> I also started writing a tool to "upgrade" the distribution. The tool |
63 |
> reads pre and post scripts for the upgrade, and performs the necessary |
64 |
> steps. Basically, a user can "dist-upgrade 2007.1" and the system |
65 |
> would: |
66 |
> |
67 |
> - switch to the "2007.1" tree and "emerge --sync" |
68 |
> - perform all "pre" steps from 2007.1 |
69 |
> - update world + revdep-rebuild + whatever else is necessary |
70 |
> - perform all "post" steps |
71 |
> |
72 |
> With this, there would be a special "version" called "current" which |
73 |
> would put the user on the "gentoo-portage" tree, AKA the tree we all |
74 |
> know and love/loathe. Release trees wouldn't have "arch" and "~arch" as |
75 |
> everything would be stable there. Testing would be done in the main |
76 |
> tree. This, in essence, gives us "testing", "release candidate" and |
77 |
> "stable" environments, with the release trees being stable, and the |
78 |
> current tree becoming test/release candidate. Anything marked stable in |
79 |
> the current tree would be a candidate for stable in the next release |
80 |
> tree. |
81 |
> |
82 |
This sounds like a much more professional proposition to put to an IT exec. |
83 |
|
84 |
> Users who want to use the current portage tree get what they want. |
85 |
> Users who want a more stable tree get what they want. Basically, |
86 |
> everyone (hopefully) is happy, or at least as happy as we can feasibly |
87 |
> make them. |
88 |
> |
89 |
This all sounds great. Respect for the work you've already put in. |
90 |
|
91 |
other post: |
92 |
> With the release trees, essentially only those |
93 |
> interested in supporting the tree are required to work on it. The tree |
94 |
> is created entirely by scripts and is tested before it's released on |
95 |
> the public. |
96 |
|
97 |
Having it automated is definitely what I wanted to know about in the |
98 |
original discussion. |
99 |
|
100 |
>From your post we need to add: |
101 |
> - strip all USE flags that aren't used from use.mask (per-profile) |
102 |
> - strip all packages that aren't available from package.mask |
103 |
> (per-profile) |
104 |
|
105 |
What language is the script implemented in? |
106 |
|
107 |
Wrt security updates, is it possible to tie into GLSAs so that we could |
108 |
automate updating packages that need it? By updating I mean adding the |
109 |
ebuilds and any dependencies (or dependants that might require updating.) |
110 |
|
111 |
Caleb Cushing wrote: |
112 |
> .. isn't it possible only to sync certain |
113 |
> parts of the tree using excludes. maybe some additional functionality |
114 |
> saying only sync package X for updates. |
115 |
|
116 |
Would that help in terms of having say, up to date GUI packages, or is it |
117 |
just easier to use overlays? |
118 |
|
119 |
Chris Gianelloni wrote: |
120 |
|
121 |
> No version changes on any packages, except those which are necessary due |
122 |
> to a security violation, or a vulnerable package's dependencies. |
123 |
> |
124 |
I could imagine a situation where a dependant package (ie one using the |
125 |
package updated) would also require an update. It'd be rare though, so I |
126 |
guess it wouldn't need automating. |
127 |
|
128 |
> Now, I don't know if it is the best approach, but it is the best one |
129 |
> that I could come up with on my own that allows for a slow-moving tree |
130 |
> with higher QA done on it (as the release trees are what we use for |
131 |
> releases, they undergo an enormous amount of testing, in the default |
132 |
> configuration, of course) and minimal changes. |
133 |
> |
134 |
It sounds like the right approach to me. There's all the custom approach of |
135 |
gentoo, eg overlays, so users can always stay up to date with anything they |
136 |
particularly want. |
137 |
|
138 |
> Something that would be useful would be for package maintainers that |
139 |
> wish to participate to perform further testing and validation on |
140 |
> packages in the release snapshot prior to its final freeze. This would |
141 |
> give us even more eyes on the tree and hopefully provide a much higher |
142 |
> quality snapshot once we're done. |
143 |
|
144 |
It sounds like it'd also make the releases in general have better QA. What |
145 |
do package/ herd maintainers think? |
146 |
|
147 |
-- |
148 |
gentoo-dev@g.o mailing list |