On Tue, Nov 6, 2018 at 6:06 PM Stephen Gallagher <***@redhat.com> wrote:
<snip>
Sorry about that.
Not surprising, especially when it comes to RHEL and its quite long life cycle.
Really not surprising. Not that I find SCLs dis-likeable, but they
require active involvement (like virtualenv and other similar things)
while the trend is to make things JustWork(tm) (off the top of my
head, "vagrant up", "docker run"...)
I missed that change, so that's one less peeve for me.
I sort-of put Fedora modules, Snaps and Flatpaks in the same bags and
at least for Snaps and Flatpaks it has always been a disaster for me
(only AppImage ever worked for me with that flavor of packaging).
Granted, it's not often that I need them so I haven't tested for a
while now, but it never ever worked for me.

Regarding modules, I superficially followed the early discussions
(things like the modulemd format, initial goals etc) but as soon as
the SIG was set up I lost track. I'm actually happy that the DNF
plugin materialized as a "dnf module [...]" sub-command, and I only
hope it won't break Fedora as I love it: First (and then stable for 13
months every 6 months).

Dridi
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel

But is that feedback relevant for Fedora, as opposed to RHEL?
Fedora is normally about having the latest version of everything available.
(That's what the "First" in the 4 'F's stands for.) So it rarely happens
that the default version is too old. And if the default version is too new
for the user, that is generally filed in the PEBKAC category. ;-)
That is a non-issue if everything uses the latest version, as it is supposed
to. And we never allowed SCLs in Fedora to begin with.
I don't see this being the case for Fedora users at all. A container for
every single application is something some large-scale deployments of RHEL
may be doing. But the average Fedora user is a home user with one or two
(desktop and notebook) computers running a single Fedora installation each.
They do not want to have to deal with the added complexity of containers,
and container technologies such as Flatpak or Snap that try to hide the
container from the user do not allow the user to upgrade the libraries in
the container and so often suffer from delayed or absent security updates
(because the whole container or the whole runtime has to be respun by the
maintainer to provide them, and then the user has to upgrade to the respun
image).

So I think that having things in Fedora that are not parallel-installable is
not a good idea, at all. There is a reason that the guideline on Conflicts
says to avoid it at all costs, and that compatibility libraries, in
particular, are NOT allowed to conflict at runtime (Conflicts are only
tolerated in the -devel packages, and discouraged even there).

It really worries me that we are allowing Fedora-provided packages to depend
on arbitrary branches of modular packages (modular Fedora packages can
already do that, Ursa Major would apparently extend that possibility even to
normal packages), because that can easily lead to Module Hell (RPM Hell
2.0), where application A requires module Foo version n whereas application
B requires module Foo version m (and obviously versions n and m of Foo are
not compatible). So the user is stuck being unable to install applications A
and B from our repository. That is something that should NEVER happen in a
consistent distribution. (Avoiding that is the main job of a distribution!)
Sure, the SCL hack with its non-FHS-compliance is a bad idea, too, but that
was never allowed in Fedora for a reason.

Kevin Kofler
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject

I think it only seems that way because there's a non-trivial number of
useful packages (e.g. Node.js) that can't be trivially installed in
parallel like Python can and which have regular,
backwards-incompatible jumps and multiple supported upstream versions.
This has always been a problem for Fedora; either users would hold
their systems back on unsupported Fedora releases to maintain older
versions, or else they'd stop using our packaged versions at all,
which devalues us. Modules gives us the ability to allow us to ship
whatever versions the maintainer is willing to maintain.

Now, one thing that I think hasn't been made clear in this thread is
this: Ursa Major is net-new functionality. With or without modules
today, you can only have in the buildroot the set of things that you
could get from DNF without being aware of module-specific commands.
Modules with a default stream Just Work for buildroots. The
improvement with Ursa Major is the ability to have a non-default
version of software available *only at build-time*. As a hypothetical
example, maybe python-sphinx has a major backwards-incompatible update
that becomes the default in Fedora 30. The package you maintain will
only build its docs with the older Sphinx. Without Ursa Major, you
basically have two choices: 1) Stop building the docs until upstream
catches up to Sphinx, or 2) Try to write a patch to support the new
version of Sphinx. With Ursa Major, you potentially gain 3)
BuildRequires the previous version of Sphinx for your package.
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.or

<snip>
If you take this compromise to an extreme then let's solve the Java
problem (or <insert similar stack here>) and grant an internet access
to builds. This way we can use vanilla maven/gradle/ivy to fetch
dependencies at build time and make sure that we can upgrade to the
latest versions of any leaf package.

For the Go case (and we can include Rust too) it is indeed very likely
that, because the model is almost exclusively static linking, a leaf
package will force the creation of dozens of devel packages only for
the sake of BuildRequir'ing them. What about changing guidelines to
allow such packages to have multiple SourceX archives and list their
dependencies as bundled(xxx) in the final RPM? I would argue that Go
and Rust leaf packages should already advertise their dependencies as
bundled because of their very nature.

This way adding a Go or Rust application could lessen the burden on
package maintainers and still provide the metadata needed to keep
track of what bundles what when an update is needed (CVE or other).
Ideally helped with tools to avoid doing everything by hand...

Again, I'm part of neither Java, Go or Rust SIGs and don't have time
to follow modules closely. Apologies if that has already been brought
up in the past. And I'm pretty sure that would hardly be a lead for
NodeJS applications but I'm far less familiar with the latter.

Dridi
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list

How does this scale to ecosystems that *aren't* statically linked,
though? Suppose I turn a C++ library, or set of libraries, into a
module, and ship incompatible versions in different streams (different
soname versions, say). Then suppose there are non-module dependencies
of this library in the distribution. What happens when someone tries
to switch the module to the non-default stream on their system?

It doesn't sound like Ursa Major can solve this problem. As far as I
understand, the only solution is to turn those dependencies into
modules too, and somehow keep the streams synchronized? Is there
planned tooling to do this?

It's all very well to add default streams of modules to the buildroot
automatically-- I think that makes sense, if it can be done in a way
that's transparent to end users and packagers. But-- unless I'm
missing something obvious-- this isn't enough, unless everything is
statically linked.

Ben Rosser
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedor

Please do not drag Go into this if you want to handwave Go away
problems. Yes modules will be useful in Go but only to blow away in EPEL
the rotten Go codebase RHEL ships.

But anyway, since you referred to GO.

Go is the perfect example of why bundling as a general approach does not
work and does not scale. In case you haven't noticed years of bundling
Go side has resulted in such a deep widespread rot Google is scrambling
to write a Go v2 language version that will force Go projects to version
and update.

All the people that claim bundling allows “using a slightly older
version” (implying it's a good safe maintained older version) are lying
through their teeth. Yes it allows doing that but that's not how people
use it. And it does not matter if you bundle via self-provided windows
DLLS, containers, flatpacks, modules or rhel versions.

Bundling basically allows reusing third party code blindly without any
form of audit or maintenance. You take third party code, you adapt your
code to its current API, and you forget about it.

You definitely *not* check it for security legal or other problems, you
definitely *not* check regularly if CVEs or updates have been released,
you definitely *not* try to maintain it yourself. Any bundler dev that
tells you otherwise lies. The average bundler dev will tell you “Look at
my wonderful up to date award-wining modern code, security problems? Ah,
that, not my code, I bundle it, not my problem”.

It is however a *huge* problem for the people on the receiving end of
the resulting software, static builds or not. Static builds do not add
missing new features or fix security holes. They just remove the shared
libs that could be used by the sysadmin use to track them. And since
malware authors do not bother identifying how software was compiled,
before attempting to exploit it, static builds do not hinder them the
slightest.

While trying to improve Go packaging in Fedora by myself I found serious
old security issues in first-class Go code. First-class as in benefiting
from huge publicised ongoing dev investments from major companies like
Google, Red Hat or Microsoft. It’s not hard, you do not even need to
write Go code, just take the bundled pile of components those bundle,
and read the upstream changelog of those components for later versions.
You will hit pearls like “emergency release because of *** CVE”. Or
“need to change the API to fix a race in auth token processing”. And the
answer of the projects that bundled a previous state of this code was
never “we have a problem” or “we have fixed it some other way” but “go
away, we haven’t planned to look or touch this code before <remote
future>”.

And, again, I’m no Go dev, or dev in general, I didn’t even try any form
of systematic audit, that was just the bits jumping to attention when I
hit API changes and had to look at the code history to try to figure
when they occurred. The day any bundled codebase is subjected to the
kind of herd security research java was some years ago and CPUs are
today sparks are going to fly all over the place.

And this is a natural phenomenon trivial to explain. Maintaining old
code versions is hard. Upstreams are not interested in supporting you.
You have to redo their work by yourself, while forbidding yourself API
changes (if you were ready to accept them you wouldn't have bundled in
the first place). And modern code is so deeply interdependent, freeze
one link in the dependency web and you get cascading effects all other
the place. You quickly end up maintaining old versions of every single
link in this web. If you try to do it seriously, you effectively have to
fork and maintain the whole codebase. IE all the no-support problems of
barebones free software, with none of the community friends help that
should come with it.

That's what RH tries to do for EL versions. It takes a *huge* dev
investment to do in a semi-secure no-new features way. And after a
decade, RH just dumps the result, because even with all those efforts,
it reaches terminal state and has no future.

There is only one way to maintain cheaply lots of software components
that call each other all over the place. That’s to standardise on the
latest stable release of each of them (and when upstream does not
release, the latest commit). And aggressively port everything to the
updates of those versions when they occur. If you are rich, maintain a
couple of those baselines, maximum. flatpackers do not say otherwise
with their frameworks (except I think they deeply underestimate the
required framework scope).

And sure, every once in a while, porting takes consequent effort, it can
not be done instantaneously, devs are mobilized elsewhere, etc. That's
when you use targeted compat packages, to organise the porting effort,
to push the bits already ported while keeping the ones not ready yet.
And to *trace* this exception, to remind yourself that if you do not fix
this you’re going to be in deep trouble and get in old code maintenance
hell.

Not porting is not an “optimization”. Not porting is pure unadulterated
technical debt. Porting to upstream API changes *is* cheaper
than freezing on an old version of upstream’s code you get to maintain
in upstream’s stead.

If you try to use modules as a general release mechanism, and not
temporary compat mechanisms, you *will* hit this old code maintenance
hell sooner than you think. Not a problem for RH, old code maintenance
is basically the reason people pay for RHEL, huge problem for Fedora.

Because bundling has never been a magic solution. It’s only a magic
solution when you are the average dev that does not want to maintain
other people’s code, nor adapt to this other people’s code changes.

One bonus of bundling is removal of any kind of nagging that would
incite the dev to take a look at what happens upstream, so he can sleep
soundly at night.

But the real bundling perk is that, because container and static build
introspection tech is immature, you get to *not* *maintain* the code you
ship to users, with bosses, security auditors, etc being none the wiser.
Force any bundler dev to actually maintain all the code he ships, and I
can assure you, his love affair with bundling will end at once.

Regards,

--
Nicolas Mailhot
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org

I might be missing something, but how do you want to enforce this ^^?
This sounds that although build succeeds, runtime might fail later,
because of missing dependencies. This might not happen for Go you used
as an example, because it is statically linked, but it must be the case
for other dynamically linked libraries.


V.
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/ar