Principia and formulas that use software from outside of Ubuntu

[Ahmed Kamal]

On 06/13/2011 05:21 PM, Clint Byrum wrote:
> I've received two formula contributions (thanks Ahmed and Serge) that
> pull in software from places other than the Ubuntu archive during the
> install hook.
>
> The first is this excellent jenkins formula:
>
> https://code.launchpad.net/~serge-hallyn/principia/oneiric/jenkins/trunk
>
> Which uses the Jenkins PPA.
>
> The second uses Drupal's 'drush' utility to download the latest drupal
> (sorry Ahmed I've misplaced the link to your formula).
>
> I think we should draw a line somewhere and only include formulas, by
> default, that use software from Ubuntu directly. This isn't for Ubuntu's
> benefit, but for the user's. They get security updates, software that
> is guaranteed to be free, etc. etc.
>
> But maybe there is a way we can include these formulas in an optional
> repository.  The utility of the drush formula in particular is that it
> deploys Drupal the way Upstream recommends, and does actually get you
> upstream's security fixes. Meanwhile, not including this at all means it
> may not get the integration testing with things like mysql and memcached.
>
> If we don't like the optional repository idea, another option is that
> we could possibly bless certain sources of non-Ubuntu software according
> to a few sets of rules.
>
> Blessing something makes me immediately jump to the fact that we aren't
> signing bzr commits to principia, which we should probably do since we
> don't have .changes or .dsc files.
>
> Thoughts?
>
Why can't we enforce a policy for the formula to run its own security 
updates (drush upc) would update core drupal and all modules. After all, 
as mentioned on another thread, an Ensemble user would need to trust it 
to manage servers in the right way (including updating it). Can't the 
decision to use apt-get or some other tool be a formula writer's decision?