I have been searching for a way to obtain a timestamp for when a package was either released for general use or possibly when first loaded on a local repository. Something in either Shell or Python would be ideal, but I'm open to other options at this point. I know packages support a changelog, but it looks like not all packages include a release date.
Thanks!
The answer depends on what exactly you are looking for, and it's not clear from the question. Before reproducible builds were introduced, the date a package was built could be retrieved from the raw ar members such as:
ar tv pkgname_version_arch.deb
If you are looking for the date the package got accepted/uploaded into a specific repository, then the answer will depend on what repository and the software used to manage it. For Debian you can get the information from UDD, from the debian-devel-changes mailing list for the maintainer uploads (but not the buildd uploads, or from package tracker, other derivatives and distributions might have different interfaces or none at all. For other private repositories perhaps there are publicly accessible logs available.
As you mention the changelog can be used for when the source package was prepared, but that might be wildly different to when it got built or even uploaded.
Related
I'm having the same issue as nuget feeds and promotions, eight years later!
In this case I'm talking more generically; we're using ProGet as our package manager, and have nugets, universal packages, and even some docker containers to consider in the package promotion process.
One of the ideas is to have several Nuget feeds; a ci feed where every successful integration publishes a package, a qa feed that you only publish versions you want qa to test and then a release feed, where you copy only packages from the qa feed that they successfully tested.
So, say we have a build in the ci feed that works, it's version 1.2.3-ci-xyz. We want to promote that to the QA feed, without a rebuild, and re-package it as 1.2.3-rc-1. That package passes QA and is ready to be promoted into the prod feed, with no rebuild, and ship to production. It should ship as 1.2.3. (right?)
The question is, if we're not doing any rebuilds, the package binaries will still have the version 1.2.3-ci-xyz. That'll show up anywhere a version is displayed or queried in the app.
And that's where I get stuck. What's the proper pattern here? Does it matter what version is shipped, as long as we know what it is?
meaning, we promote 1.2.3-ci-xyz from lower feeds to higher feeds, without repackaging with different versions?
Wouldn't it be incorrect for package 1.2.3 to include a binary 1.2.3-ci-xyz?
do we always build with the next 3-digit number, and forget about the ci/rc suffix?
I'll share this answer from our internal support channel :)
This is how we (Inedo) typically handle this in our libraries. The short answer is:
We set the Assembly Version to Major.Minor.Patch
We set the Assembly File Version to Major.Minor.Patch.Build
We set the Package version to Major.Minor.Patch-ci.Build (we then repackage to Major.Minor.Patch-rc.Build then to Major.Minor.Patch)
We also use the Assemble Informational Version to display a friendly version (ex: Version 6.0.0 (Build 36-v6))
This allows us to repackage without rebuilding. We also will detect these pre-release dependencies during our product builds and prevent them from being released to production. You can see our ProGet v6 build as an example: ProGet 6.0.0 Build 36.
The longer answer I feel is answered pretty well in our blog post Best Practices for Versioning NuGet Packages in the Enterprise.
Our internal Nexus repository has an artifact that we wish we never published, but unfortunately we did. And various environments installed it.
I'd like to delete it from the repository so that nobody downloads the erroneous release again, but for the people who already downloaded & installed that artifact, it seems a bit deceptive to pretend the release never happened. Is there a way to "archive" or "disable" an artifact so that it still is preserved somewhere for analysis or archeological purposes, but won't be installed by someone pulling artifacts for installation?
There isn't a feature in NXRM for disabling access to individual artifacts. This is a bit hacky but you could achieve it by
Creating a new hosted repository (either raw format or the same
format that you are currently using)
Marking that repository as "offline"
Moving the artifact to the archived repository.
Step 3 is the problematic part: If you are an NXRM PRO user on a recent version there are REST calls you can use for moving components. See here for more details https://help.sonatype.com/repomanager3/staging#Staging-RESTEndpoints
If you are an OSS user you will likely have to republish the same artifact to the archive repository and then delete it from the original repository.
(Note the above assumes you are using NXRM3 - if you are using NXRM2 take a look at https://blog.sonatype.com/2010/04/nexus-tip-moving-artifacts-between-nexus-repositories/)
I need to do some research if/how to use backend code from some already available Java web service in some newly created Windows 10 UWP app. The Java code deals with parsing special binary data, depends on things like configuration files and some additional 3rd party libs like Apache Commons*. The current ideas are either providing some native DLL to be bundled with the UWP-app or providing a stand-alone one publishing some high level web services which the UWP-app consumes.
I came across iKVM and CodenameOne and read that iKVM itself is not maintained anymore, but CodenameOne forked a version for their own purposes. At various places authors say that that version of iKVM is managed in the official GitHub repo of CodenameOne, but I'm unable to find it there. The only thing I find are some helper implementations and formerly committed DLLs in the repo-history and such, but nothing which looks like the complete forked project.
Any idea where I can find this? Obviously I'm missing something...
I would simply like to have a look at what CodenameOne needed to change, how much effort they put into keeping up with Java 8, what of those efforts went back to the original project etc.
Thanks!
Sorry about that. I was under the wrong impression that the code resided in the Ports/UWP directory but apparently it isn't there. I'm probably the person who wrote that in those places...
We added a link to the actual repo there for reference. It's here: https://github.com/shannah/cn1-ikvm-uwp
If a Chef recipe (or any of it's cookbook dependencies) use the package resource without specifying a version, then the latest version of the package is installed. If you want to control and test exactly what you are installing, then you must always supply the package version. What can you do when the cookbooks that you depend on do not take the same precautions?
See for example the default recipe in the ark cookbook. If this recipe is used on a production server, it could install packages that have not been tested. This is just one example (with over 5m downloads) so I am wondering how people are getting around this problem.
What can you do when the cookbooks that you depend on do not take the same precautions?
I don't think there is a simple answer. This is basically "the Chef way" ...
(Actually, I would suggest that hard-wiring package versions could do more harm than good. One of the good things about using a (good) distribution's package repo is that they regularly release updates with patches for security issues and bugs. But if you wired fixed package versions into your recipes or roles/nodes or something, you would prevent any such patches from propagating to your system.)
However, if it is critical to you that package versions are stable then maybe ...
Clone and hack the cookbooks in question to use specific versions. (Actually, you probably need to do this anyway, to avoid being bitten by unstable cookbooks!)
Use a distro (such as RHEL or its "clones") that values long-term stability, and only pushes out package updates that are "really important".
Create your own private mirror of the distro's package repos with only the "good" versions of the critical packages in it.
Modify Chef so that the package resources pick/install specified versions by default. (I don't imagine this would be easy. But if you did come up with a good solution at this level, it would be a pretty useful addition to Chef! IMO.)
UPDATE
Actually, there is a way to do this for (at least) Debian-based systems; see the apt cookbook and in particular the references to "pinning".
Or with yum, you could "lock" particular versions using "yum versionlock ..." as described here: https://www.zulius.com/how-to/yum-install-specific-package-version/
UPDATE - 2
Another possible trick would be to "inject" a version attribute into the "unsafe" package resources. Something like this:
# first, include_recipe a recipe that specifies 'package "foo"' without
# a version attribute
# then ...
r = resources("package[foo]")
r.variables['version'] = "1.2.3"
With a little ingenuity, one could create a "package version lock" recipe that pulled the versions from a databag, and dealt with missing resource exceptions and version attributes that were actually provided. But I don't know if this is "A Good Idea" (tm).
Chef's package resource uses the package manager of the node's operating system (like apt, yum, etc). These tools always install the most recent version that is available through the repositories. That's why chef's package resource also installs this version.
What the ark cookbook is that it downloads the source code and then compiles it - obvious that you can specify the version to install (through the passed URL).
So it depends on your actual need. If you want to install the version that is available through the distro's or your own package repo, then it's totally fine (and that's what most cookbooks do). If you want to compile everything from source (where you usually have the option to specify the version, the coverage of chef cookbooks supporting this is lower.
Personally, I'd suggest that you set up an own apt/yum/whatever repo for the software for which have specific version requirements.
In short : I'm not managing this.
In a more complete answer:
All distro/release go throught a validation phase before releasing new packages, I'm confident over it and it helps me keep in sync with security fixes.
As far as I know all package managers takes care of not upgrading a package in a breaking way if it is a dependencies of a package installed manually, again you have to trust the package maintainer about this.
i.e.: the package ressource without version won't update make nor gcc if it is a dependency of one package you installed with a fixed version.
For exemple under ubuntu, if you set the nagios package to manual, it will never try to update the libc package over a breaking change, and so I could break other package isntallation as dependencies are not satisfied.
If you're absolutely concerned about it, you have some choices:
Rewrite each pacakge ressource to use fixed version of packages
Fork any cookbook to fix thooses issues (you can write a foodcritic rule to help you detect package ressources without specific versions)
Have your own repos, stable and testing, and move packages inside stable repo once tested and use testing repo on your staging/QA environement.
The 3 is the most conservative as you choose what is in the repo in the stable branch and it won't change magically. The drawback is security fixes you'll have to manage.
Hope it would help.
We had the same issue in our cookbook. So we decided to use data bags.
Data bags can be easily changed, for example:
knife data bag from file my_data_bag host1
OR
knife data bag edit my_data_bag host1
Your recipe will be able to see the specified version from the data bag using the code like this:
my_bag = data_bag_item('my_data_bag', 'host1')
Chef::Log.info("You have changed the version to: #{my_bag['version']}")
package 'java' do
version my_bag['version']
action :install
end
So finally you don't need to modify Cookbook or Recipe. All you need is to pass the version to the data bag.
I started a Dart project and now I need some functionality that is not available in the Dart API Reference. I was advised to use a package from pub.dartlang.org and now I am browsing through the pub.
Previous experience with Javascript libraries tell me that quality and support can vary wildly between libraries. Therefore I am a bit reluctant to use packages from pub. How would I know which package has a good quality, and whether a package will be updated when there are breaking changes in Dart?
Therefore I would like to know:
Is there a way to know which packages on pub.dartlang.org are safe to choose for a long-term project?
Some questions related to this:
Will packages where "Dart team" is the author be supported for a long time?
Should I prefer packages where the uploaders have #google.com in their email address?
Is there a list of google-supported packages? (I suppose polymer would be on it)
Is google currently monitoring the quality of the pub packages?
Kind regards,
Hendrik Jan van Meerveld
You are correct that the quality of packages can vary in Pub or any other pack repo. Here are a few things you could use to evaluate the quality of the packages:
Is the package actively maintained?
How many active committers does it have?
How many people have starred or forked it on GitHub?
How much use do you think it is getting? Are there questions about it on StackOverflow or other mailing lists?
To answer your specific questions:
You can reasonably expect "Dart team" packages to be supported.
There isn't a list of official Google supported packages. Just look for packages supported by the Dart team if you're looking for packages created by members of the Dart project.
The Dart project doesn't currently have any way of ranking Pub packages.
You can see a list of Dart-team developed packages on the Dart API page. Any package there not prefixed with dart is a library that has been developed and supported by the Dart team. I would definitely prefer a library developed by the Dart Team or someone from Google.
If the source repo for the package is available publicly (e.g. on GitHub), you can view the frequency of commits, and responsiveness of the author to issues/pull requests. For instance, you can easily tell that StageXL is a well maintained library by taking a look at their GitHub: 550+ commits, new commits within the last couple of weeks, accepts code from other contributors, and has almost 50 closed issues.
Bob Nystrom has talked about a ranking mechanism for pub in the past (he recently posted some ranking results that you can see here). Once a ranking system is in place, you will be able to better choose between two XML libraries for instance.