[rdo-dev] openstack-newton rpm packages unavailable now

[Tobias Urdin]

I'm not talking about quality, security or basically nothing in between
either.
Just the plain annoyance when packages are removed from mirrors.

Lets just pretend for a while you're new at a job, and the most common
thing is you inherit old setups.

On that day you inherit an old OpenStack setup, on an old version, and
the next version
to upgrade does not exist in mirrors so you have no packages, and you
cannot jump any more forward
without a lot of work.

We all know and have agreed in the community surveys so many times that
upgrades are are hard.
Well just let me end it with, I don't envy a person being in that
situation...

Best regards

On 06/07/2018 10:38 AM, Matthias Runge wrote:
> On Thu, Jun 07, 2018 at 05:13:06AM +0000, Tobias Urdin wrote:
>> Just sliding in with my 2 cents which are off-topic to the discussion but...
>>
>> I've always found it fascinating why one would completely remove
>> packages from official mirrors when the version is not supported anymore.
>> There will probably always be somebody that might be looking for them,
>> I've always had that feeling with RPMs compared to Debs.
> Can you elaborate here on how RPMs are different to .debs?
>
> What do you expect, when you're installing these packages?
> Do you expect them to work? Do you expect, they won't create
> a security issue? Do you want to be able to use them in
> production? Is there a value in distributing something, which
> doesn't work (anymore)?
>
> What happens, if there is an issue, or a distributed rpm contains
> a CVE? In that case, we'd actively distribute vulnerable software.
> I always wondered, why someone would ask for software with
> a vulnerability (or more).
>
> This is to get expectations right[1]. It might look good at the
> beginning, but can turn bad quite quickly.
>
> Matthias
>
> [1] https://twitter.com/AwardsDarwin/status/1003934362403049472