| 1 |
Michael Palimaka posted on Mon, 23 Nov 2015 02:54:58 +1100 as excerpted: |
| 2 |
|
| 3 |
> On 22/11/15 05:51, Andrew Savchenko wrote: |
| 4 |
>> Hi, |
| 5 |
>> |
| 6 |
>> On Wed, 18 Nov 2015 07:01:21 -0500 Rich Freeman wrote: |
| 7 |
>>> On Wed, Nov 18, 2015 at 6:12 AM, Alexander Berntsen |
| 8 |
>>> <bernalex@g.o> wrote: |
| 9 |
>>>> When I do QA in projects I'm involved with (at least outside of |
| 10 |
>>>> Gentoo), we don't do it live on end-user systems. I'll leave the |
| 11 |
>>>> details as an exercise for the Gentoo developer. |
| 12 |
>>>> |
| 13 |
>>>> |
| 14 |
>>> People who run ~arch are not really end-users - they're contributors |
| 15 |
>>> who have volunteered to test packages. |
| 16 |
>> |
| 17 |
>> I strongly disagree with you. We do not use stable even at enterprise |
| 18 |
>> grade production systems and HPC setups. Stable is just too freaking |
| 19 |
>> old in order to be usable for our purposes, not to mention that it |
| 20 |
>> lacks many packages at all. We tried stable several times, it just |
| 21 |
>> freaks out admins (including myself) too badly or results in horrible |
| 22 |
>> mess of stable and unstable which is less stable that unstable setups. |
| 23 |
>> I do not use stable at workstations and personal setups as well. |
| 24 |
>> |
| 25 |
>> Nevertheless I consider stable useful as stabilization process gives |
| 26 |
>> more testing for packages (and some fixes are forward ported to |
| 27 |
>> unstable versions). Of course I understand that there are people using |
| 28 |
>> it and I try to support stable packages as well, but these versions are |
| 29 |
>> mostly a burden and I can't really understand stable users. |
| 30 |
> |
| 31 |
> Is the state of stable really that bad? I see this sentiment a lot. |
| 32 |
> |
| 33 |
> I run mostly-stable systems and rarely have an issue with old/missing |
| 34 |
> packages (but I'm involved in the maintenance of many of the packages I |
| 35 |
> use so I try to keep on top of stable requests). |
| 36 |
> |
| 37 |
> Are there particular areas that are lagging particularly, or is it just |
| 38 |
> in general? |
| 39 |
|
| 40 |
My own biggest concern about gentoo stable would be the timeliness of |
| 41 |
security updates, particularly if you're waiting for GLSAs to do them, as |
| 42 |
the GLSAs normally don't come out until all affected archs have |
| 43 |
stabilized, and that's often *much* longer than I'd be comfortable with |
| 44 |
running world-known-vulnerable versions. |
| 45 |
|
| 46 |
If you're not on a lagging arch, sync and update every couple weeks to |
| 47 |
once a month at am absolute minimum, and consistently use --deep on |
| 48 |
updates so you should always get available stable updates, then stable |
| 49 |
shouldn't be /that/ bad, security-wise, as you won't be waiting for those |
| 50 |
GLSAs after the lagging archs have stabilized, but will instead be |
| 51 |
picking up the packages, including --deep dependencies, as they do |
| 52 |
stabilize. |
| 53 |
|
| 54 |
Tho obviously ~arch with --deep updates are still likely to get you those |
| 55 |
security updates faster... but hopefully stable --deep updates will be |
| 56 |
fast /enough/. |
| 57 |
|
| 58 |
|
| 59 |
My #2 concern with stable wouldn't be so much the median or even mean age |
| 60 |
of packages, but the effectively age-unlimited "long-tail". I'm not sure |
| 61 |
what the worst cases are, age-wise, but I know of a number of bad to |
| 62 |
arguably "severely bad" "system-critical-package" examples. |
| 63 |
|
| 64 |
How long did baselayout-2 and openrc take to stabilize? IIRC it was at |
| 65 |
least two years, long after they were effectively stable in ~arch, with |
| 66 |
the holdup being primarily lack of the documentation necessary for stable |
| 67 |
users, both for initial installation (handbook updates) and upgraders |
| 68 |
(upgrade documentation). |
| 69 |
|
| 70 |
Similarly, it took stable portage a /very/ long time to get proper sets |
| 71 |
support, primarily due to political issues, I believe. |
| 72 |
|
| 73 |
And of course both glibc and gcc, particularly gcc, tend to take ages to |
| 74 |
make it to even unmasked ~arch, let alone stable, because for better or |
| 75 |
worse, the policy is basically that they can't be unmasked until all |
| 76 |
packages have a patched version that can work with them at the target |
| 77 |
unmask level (~arch or stable). So gcc in particular takes /ages/ to |
| 78 |
make it to even ~arch, because while most packages that normal users run |
| 79 |
will at least have bugs filed with patches available, it takes months for |
| 80 |
them to be worked into actual in-tree ~arch packages, so gcc can build |
| 81 |
them all and be unmasked to the same ~arch. Back when amd64 was newer |
| 82 |
and gcc updates generally had much more noticeable performance boosts |
| 83 |
with newer versions, I'd routinely unmask gcc and go fetching those |
| 84 |
patches from bugzilla when necessary, so I _know_, tho I don't do it so |
| 85 |
much these days, both due to having less time available, and because as a |
| 86 |
mature gcc arch, gcc updates don't bring the marked performance increases |
| 87 |
on amd64 that they used to, so it's less of a big deal and I often wait |
| 88 |
at least until there's noises on -dev about unmasking gcc to ~arch, |
| 89 |
before unmasking it and doing the rebuilds, here. |
| 90 |
|
| 91 |
Of course, it's that same process over again before ~arch gcc and glibc |
| 92 |
are stabilized, so that puts them _seriously_ behind for stable, even |
| 93 |
more so than they are for ~arch, which is bad enough, but I know why the |
| 94 |
policy is what it is and I don't disagree with it, even if it /does/ mean |
| 95 |
gentoo, which arguably depends at the user level far more on gcc than |
| 96 |
normal binary distros, actually ends up way behind them in terms of |
| 97 |
deployment even to ~arch. |
| 98 |
|
| 99 |
|
| 100 |
Those are my own two big reasons for preferring ~arch. Security is the |
| 101 |
big one, but provided users follow appropriate update procedures, it's at |
| 102 |
least manageable on stable. But the unlimited long tail on stabilization |
| 103 |
age is in some ways even more worrying, because while security is at |
| 104 |
least a limited and managed problem, as a user you really /don't/ have |
| 105 |
any limits on how far back into upstream ancient history the stable |
| 106 |
versions of packages you're running may be, and unless you actually check |
| 107 |
all your installed-package upstreams or at least compare against gentoo |
| 108 |
~arch versions for them all, you really /don't/ know which stable |
| 109 |
packages are furthest behind and thus which packages you're running are |
| 110 |
effectively out of upstream's support range and by how far. |
| 111 |
|
| 112 |
At least with an enterprise distro like Red Hat, yes, the packages are |
| 113 |
going to be out of date, but you know you still have /some/ sort of |
| 114 |
decent support available, because that's what the enterprise distros are |
| 115 |
in the business of actually /providing/ -- it's their primary feature and |
| 116 |
reason to exist. On Gentoo, not so much, not because maintainers won't |
| 117 |
do their honest best to support you on stable (they generally do), but |
| 118 |
because that's simply not Gentoo's primary product or reason for |
| 119 |
existence -- on Gentoo, that primary product and reason for existence is |
| 120 |
generally considered to be more the end user customizability -- |
| 121 |
otherwise, why not just be a binary distro and avoid all that hassle of |
| 122 |
end-user building in the first place. |
| 123 |
|
| 124 |
-- |
| 125 |
Duncan - List replies preferred. No HTML msgs. |
| 126 |
"Every nonfree program has a lord, a master -- |
| 127 |
and if you use the program, he is your master." Richard Stallman |
Archives