On Sun, Feb 3, 2013 at 3:58 PM, Rohit Yadav <bhais...@apache.org> wrote:
> On Sun, Feb 3, 2013 at 3:07 PM, David Nalley <da...@gnsa.us> wrote:
> ...
>>
>> So EL6 has pygments 1.1.1 - you require 1.5, so in some ways it's
>> worse than clint (clint is in EPEL, but no new version of pygments in
>> EPEL/CentOS-Extras/CentOS-Plus)
>
> I want people to use pip to install the cli because it's the easiest
> and because rpm/deb packages may have dependency issues like you
> mentioned => may not work on all distros, what we can do is when
> people install cloudstack-cli rpm or deb, it runs a script that
> installs pip (if unavailable) and cloudmonkey. cloudmonkey is pure
> python, so the rpm/deb can also ship bundling src tarballs of
> cloudmonkey and its dependencies and install from it. Advise best way
> of doing this?

I guess we won't be installing the CLI via RPMs at least for EL6.

You are assuming that they would have internet access when installing - which is not a valid assumption.

Honestly, the above idea makes me blanch. A package that reports as installed, and may or may not have installed - may have installed a compromised package (see rubygems.org compromise recently, kernel.org, and a number of other site compromises), or might have installed packages I didn't know about is a Bad Idea (tm). The sysadmin doesn't know you are installing some of the dependencies, there is no record of those packages in the package manager, and there might potentially be conflicts with system packages, a security vulnerability in one of those dependencies wouldn't be caught on audit, etc etc.

And I really don't intend for this to sound like a rant, but one of the important benefits behind using packages and a package manager is that a sysadmin needs (and often is required to have by government regulations) a single source of truth about the software installed on a machine. Developers love things like Maven central, pypi, CPAN, and rubygems, and for good reason, they are fast, flexible, and make their life easy. To a sysadmin managing machines in production, they are anathema; they make system state difficult or impossible to determine, they make audits painful. In addition they make troubleshooting incredibly difficult. Do I have $foo installed - which version? Are there multiple copies of $foo installed on the system? Which one is actually being called/loaded?

--David
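
An audit check for the questions the message above closes with (which version, how many copies, which one wins, and whether the package manager knows about it), as an added example that is not part of the original thread or of CloudStack. The function names are hypothetical, and it assumes distributions leave `*.dist-info` or `*.egg-info` metadata on the search path and that `rpm -qf` or `dpkg -S` is the system's ownership query; "first copy wins" is a simplification of import resolution.

```python
"""Added example: find Python distributions the OS package manager does not track."""
import os, re, shutil, subprocess, sys
from collections import defaultdict

# Metadata entries written by pip/setuptools, e.g. Pygments-1.5.dist-info
META = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*)(-py[\d.]+)?\.(dist-info|egg-info)$")

def normalize(name):
    """Fold case and separators so Foo_Bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def owned(path):
    """True if rpm or dpkg claims the path, False if none does, None if neither tool exists."""
    tools = [t for t in (["rpm", "-qf"], ["dpkg", "-S"]) if shutil.which(t[0])]
    if not tools:
        return None
    return any(subprocess.run(t + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0 for t in tools)

def scan(paths):
    """Map distribution name -> copies found, in search-path order (first copy wins)."""
    found = defaultdict(list)
    for d in dict.fromkeys(paths):          # de-duplicate, keep order
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            m = META.match(entry)
            if m:
                full = os.path.join(d, entry)
                found[normalize(m["name"])].append(
                    {"version": m["ver"], "path": full, "owned": owned(full)})
    return found

def flagged(paths):
    """Distributions with several copies, or with a copy no package manager owns."""
    return {n: c for n, c in scan(paths).items()
            if len(c) > 1 or any(x["owned"] is False for x in c)}

if __name__ == "__main__":
    for name, copies in sorted(flagged(sys.path).items()):
        for i, c in enumerate(copies):
            mark = "loaded" if i == 0 else "shadowed"
            print(f"{name} {c['version']} [{mark}] owned={c['owned']} {c['path']}")
```

Run it with the interpreter the service actually uses, since each interpreter has its own search path.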