1 |
Michael Palimaka posted on Mon, 23 Nov 2015 02:54:58 +1100 as excerpted: |
2 |
|
3 |
> On 22/11/15 05:51, Andrew Savchenko wrote: |
4 |
>> Hi, |
5 |
>> |
6 |
>> On Wed, 18 Nov 2015 07:01:21 -0500 Rich Freeman wrote: |
7 |
>>> On Wed, Nov 18, 2015 at 6:12 AM, Alexander Berntsen |
8 |
>>> <bernalex@g.o> wrote: |
9 |
>>>> When I do QA in projects I'm involved with (at least outside of |
10 |
>>>> Gentoo), we don't do it live on end-user systems. I'll leave the |
11 |
>>>> details as an exercise for the Gentoo developer. |
12 |
>>>> |
13 |
>>>> |
14 |
>>> People who run ~arch are not really end-users - they're contributors |
15 |
>>> who have volunteered to test packages. |
16 |
>> |
17 |
>> I strongly disagree with you. We do not use stable even at enterprise |
18 |
>> grade production systems and HPC setups. Stable is just too freaking |
19 |
>> old in order to be usable for our purposes, not to mention that it |
20 |
>> lacks many packages at all. We tried stable several times, it just |
21 |
>> freaks out admins (including myself) too badly or results in horrible |
22 |
>> mess of stable and unstable which is less stable that unstable setups. |
23 |
>> I do not use stable at workstations and personal setups as well. |
24 |
>> |
25 |
>> Nevertheless I consider stable useful as stabilization process gives |
26 |
>> more testing for packages (and some fixes are forward ported to |
27 |
>> unstable versions). Of course I understand that there are people using |
28 |
>> it and I try to support stable packages as well, but these versions are |
29 |
>> mostly a burden and I can't really understand stable users. |
30 |
> |
31 |
> Is the state of stable really that bad? I see this sentiment a lot. |
32 |
> |
33 |
> I run mostly-stable systems and rarely have an issue with old/missing |
34 |
> packages (but I'm involved in the maintenance of many of the packages I |
35 |
> use so I try to keep on top of stable requests). |
36 |
> |
37 |
> Are there particular areas that are lagging particularly, or is it just |
38 |
> in general? |
39 |
|
40 |
My own biggest concern about gentoo stable would be the timeliness of |
41 |
security updates, particularly if you're waiting for GLSAs to do them, as |
42 |
the GLSAs normally don't come out until all affected archs have |
43 |
stabilized, and that's often *much* longer than I'd be comfortable with |
44 |
running world-known-vulnerable versions. |
45 |
|
46 |
If you're not on a lagging arch, sync and update every couple weeks to |
47 |
once a month at am absolute minimum, and consistently use --deep on |
48 |
updates so you should always get available stable updates, then stable |
49 |
shouldn't be /that/ bad, security-wise, as you won't be waiting for those |
50 |
GLSAs after the lagging archs have stabilized, but will instead be |
51 |
picking up the packages, including --deep dependencies, as they do |
52 |
stabilize. |
53 |
|
54 |
Tho obviously ~arch with --deep updates are still likely to get you those |
55 |
security updates faster... but hopefully stable --deep updates will be |
56 |
fast /enough/. |
57 |
|
58 |
|
59 |
My #2 concern with stable wouldn't be so much the median or even mean age |
60 |
of packages, but the effectively age-unlimited "long-tail". I'm not sure |
61 |
what the worst cases are, age-wise, but I know of a number of bad to |
62 |
arguably "severely bad" "system-critical-package" examples. |
63 |
|
64 |
How long did baselayout-2 and openrc take to stabilize? IIRC it was at |
65 |
least two years, long after they were effectively stable in ~arch, with |
66 |
the holdup being primarily lack of the documentation necessary for stable |
67 |
users, both for initial installation (handbook updates) and upgraders |
68 |
(upgrade documentation). |
69 |
|
70 |
Similarly, it took stable portage a /very/ long time to get proper sets |
71 |
support, primarily due to political issues, I believe. |
72 |
|
73 |
And of course both glibc and gcc, particularly gcc, tend to take ages to |
74 |
make it to even unmasked ~arch, let alone stable, because for better or |
75 |
worse, the policy is basically that they can't be unmasked until all |
76 |
packages have a patched version that can work with them at the target |
77 |
unmask level (~arch or stable). So gcc in particular takes /ages/ to |
78 |
make it to even ~arch, because while most packages that normal users run |
79 |
will at least have bugs filed with patches available, it takes months for |
80 |
them to be worked into actual in-tree ~arch packages, so gcc can build |
81 |
them all and be unmasked to the same ~arch. Back when amd64 was newer |
82 |
and gcc updates generally had much more noticeable performance boosts |
83 |
with newer versions, I'd routinely unmask gcc and go fetching those |
84 |
patches from bugzilla when necessary, so I _know_, tho I don't do it so |
85 |
much these days, both due to having less time available, and because as a |
86 |
mature gcc arch, gcc updates don't bring the marked performance increases |
87 |
on amd64 that they used to, so it's less of a big deal and I often wait |
88 |
at least until there's noises on -dev about unmasking gcc to ~arch, |
89 |
before unmasking it and doing the rebuilds, here. |
90 |
|
91 |
Of course, it's that same process over again before ~arch gcc and glibc |
92 |
are stabilized, so that puts them _seriously_ behind for stable, even |
93 |
more so than they are for ~arch, which is bad enough, but I know why the |
94 |
policy is what it is and I don't disagree with it, even if it /does/ mean |
95 |
gentoo, which arguably depends at the user level far more on gcc than |
96 |
normal binary distros, actually ends up way behind them in terms of |
97 |
deployment even to ~arch. |
98 |
|
99 |
|
100 |
Those are my own two big reasons for preferring ~arch. Security is the |
101 |
big one, but provided users follow appropriate update procedures, it's at |
102 |
least manageable on stable. But the unlimited long tail on stabilization |
103 |
age is in some ways even more worrying, because while security is at |
104 |
least a limited and managed problem, as a user you really /don't/ have |
105 |
any limits on how far back into upstream ancient history the stable |
106 |
versions of packages you're running may be, and unless you actually check |
107 |
all your installed-package upstreams or at least compare against gentoo |
108 |
~arch versions for them all, you really /don't/ know which stable |
109 |
packages are furthest behind and thus which packages you're running are |
110 |
effectively out of upstream's support range and by how far. |
111 |
|
112 |
At least with an enterprise distro like Red Hat, yes, the packages are |
113 |
going to be out of date, but you know you still have /some/ sort of |
114 |
decent support available, because that's what the enterprise distros are |
115 |
in the business of actually /providing/ -- it's their primary feature and |
116 |
reason to exist. On Gentoo, not so much, not because maintainers won't |
117 |
do their honest best to support you on stable (they generally do), but |
118 |
because that's simply not Gentoo's primary product or reason for |
119 |
existence -- on Gentoo, that primary product and reason for existence is |
120 |
generally considered to be more the end user customizability -- |
121 |
otherwise, why not just be a binary distro and avoid all that hassle of |
122 |
end-user building in the first place. |
123 |
|
124 |
-- |
125 |
Duncan - List replies preferred. No HTML msgs. |
126 |
"Every nonfree program has a lord, a master -- |
127 |
and if you use the program, he is your master." Richard Stallman |