When should we ask charmers to put things in the archive instead of winging it?

Clint Byrum clint at ubuntu.com
Wed Feb 15 21:17:47 UTC 2012


Excerpts from Jorge O. Castro's message of Wed Feb 15 12:06:22 -0800 2012:
> This subject will likely lead to a bunch of opinions but I'd like to
> come to some consensus so we can have a default recommended best
> practice. We've talked about this at UDS and throughout the cycle, but
> we've got some experience now and I'd like to revisit this again.
> Right now we like charms that install things from the archive. In fact
> to become an "officially blessed" charm this is something we require.
> 

Jorge, thanks for bringing this back up. It's an important topic.

Minor correction, we don't actually require that for lp:charms
inclusion. We just say that it needs to cryptographically verify the
source. The simplest way to do that is often to package something and put
it into a PPA. Having it in the archive carries the bonus that the second
requirement, that you have a way to update it for security problems,
is handled. But again, the PPA offers that since you can update your PPA.

> However, getting things packaged in Debian/Ubuntu for some upstream
> projects can be a monumental task. I can personally think of many
> upstreams where this is a large barrier. Fortunately, with a juju
> charm we can totally cheat and get around this by pulling a tarball or
> right from VCS and deploying that way. Worst case instead of "juju
> deploy jorgesoft" I can do "juju deploy
> cs:~jorgesoft/oneiric/jorgesoft".
> 
> Keeping in mind that the ability to remove deployment barriers (like
> lack of packages) is a strength of juju my proposal would be this:
> 
> - If by writing a charm this enables users to use your software in a
> way that lets them inspect and contribute to your charm then yeah,
> have your charm deploy your pristine upstream source. It gets it out
> there.

Indeed. I think we can help them out quite a bit by also doing a minimal
effort to package their stuff during the charm review. If they haven't
taken the steps to verify their source cryptographically yet, rather
than suggesting that they use ch_file_get, perhaps we should try out
the minimal steps to package their source code up and put it in a PPA:

untar
dh_make
debuild binary

If that succeeds in producing a package of the upstream source, that is
most likely enough for a PPA. This way they don't have to go through the
hassle of figuring out how to cryptographically verify their tarballs.
It doesn't have to be an awesome package, but by getting one toe in the
water, they're one toe closer to having things highly repeatable and
independent of their website's uptime.

> - Medium to long term though, you'll want to be in the archive so you
> can inherit the benefits, at some point you'll switch your charm to
> just using the packages and (theoretically) the users wouldn't really
> notice/care.

Right, the above plan will help get them on track in some cases. And
if their software just doesn't work as a package in the step above, it's
probably going to be a painful fight to get to this higher order anyway.

> - Some charms have switches that let you default to packages, but
> install from upstream if you want. I think we should not only
> encourage this, but promote it. At some point someone somewhere is
> going to want to do this anyway so by promoting having that feature in
> the charm it would at least have them in the store where they can be
> improved on by the community.
> 

As we get "tags" for charms, this will be a good tag to have.. the
"flexible-source" tag.. where you can have archive or upstream.

> Currently we default to the stricter view that we want things in the
> archive and that charms pulling from a VCS or a PPA or whatever are
> sort of fine, but not ideal. We've had discussions about this for a
> while now but from talking to projects I am starting to come to
> believe that we should consider it okay if a project wants to just
> install from its pristine source if they're willing to absolve our
> security and server teams of the responsibility. (I realize that last
> part is tricky.)

I'm ok with the way we are now. I don't think any of us are pounding on
people's heads that they need to get into the Ubuntu archive.. are we?

The main reason I want things in the archive is for the repeatability
and updates. With the archive, we know, add-unit isn't going to install a
new major revision.. but with some of the git pulling/tarball downloading
charms, it might. PPAs also solve that, and leave the source more in
control of the PPA owner, which might be a good thing.

So, bottom line, I think we should make it easier to get things into PPAs
for charm authors, and be encouraging to those who don't want that or
can't for some reason, and help them verify their source by other means.
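
Added example, not part of the original message and not code from Juju or charm-helpers: one way a charm that installs from an upstream tarball can verify its source "by other means", by pinning the tarball's SHA-256 in the charm and refusing to unpack on a mismatch, which also keeps add-unit from silently picking up a different release. The function names are hypothetical and GNU `sha256sum` is assumed to be available on the unit.

```shell
#!/bin/sh
# Added example: pin an upstream tarball by SHA-256 inside a charm hook.
# verify_pinned and unpack_verified are hypothetical helper names.

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 if FILE matches the pin, 1 on digest mismatch,
# 2 if the file is missing or the pin itself is malformed.
verify_pinned() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A pin must be exactly 64 hex characters; anything else is a charm bug.
    case $expected in
        *[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# unpack_verified FILE EXPECTED_SHA256 DESTDIR
# Unpacks only after the digest check passes, so a tampered or
# re-released tarball never reaches the unit's filesystem.
unpack_verified() {
    verify_pinned "$1" "$2" || return $?
    mkdir -p "$3" && tar -xf "$1" -C "$3"
}
```

The pin lives in the charm branch, so changing the upstream version becomes a reviewed charm change rather than whatever the website serves at deploy time.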


