On 24/03/15 14:25, Justin Cormack wrote:
> I think it might help to divide it into two problems:
>
> 1. I want to build a piece of software x for rumprun. It needs a bunch
> of libraries which are not included, so I need to build them, and have
> a nice way to do updates when openssl has a security hole.
>
> 2. I want to distribute a bunch of prebuilt software (with config
> files potentially) for people to install. At this point there are no
> dependency management issues, but there are other things, e.g. signing,
> other metadata.
>
> For 2, I was wondering about the Rocket App Container spec
> https://github.com/appc/spec/blob/master/SPEC.md - it is essentially
> signed tarfiles and a metadata spec. Obviously there are some
> constraints (only one executable in the package), but it is mostly
> applicable.

Strictly speaking, so far I was thinking only about "1", so instead of dividing, that would be *extending* to two problems ;)

But, good catch, "2" is definitely something we should consider down the line. Not sure aligning ourselves with containers here is a good way to avoid market confusion, though... After spending years of listening to "oh it allows you to run kernel file systems in userspace? yea that's FUSE", I became very paranoid about avoiding potential for confusion with widely known terms.

Notably, the solutions for "1" and "2" are mostly independent, so we can even solve "2" to some extent before we have "1" figured out. In fact, once mato finishes the RAMP stack work, we could do a trial run for "2".

Ideally, "2" would also solve "I have these images deployed, there's been a vulnerability, give me new binaries for the same stuff".
