[Pkg-owncloud-maintainers] I am using distro packages and I tell you why

Jos Poortvliet jospoortvliet at gmail.com
Mon Jan 4 16:52:45 UTC 2016


On Monday 04 January 2016 12:58:02 Martin Steigerwald wrote:
> I am cc'ing owncloud maintainer team. I am also cc'ing upstream packaging
> mailing list.
>  
> 
> Hi Jos!
> 
> First: A Happy New Year to you.

You too ;-)

> 
> I do not comment directly on your blog as that requires a Google account and I 
> deleted mine more than a year ago for various, I think, good reasons.
> 
> I refer to this blog:
> 
> Virtual Machine, Zip Files and Distribution Packages
> 04 January, 2016
> http://blog.jospoortvliet.com/2016/01/virtual-machine-zip-files-and.html
> 
> 
> In it you argue against using distro packages and criticize their update 
> policy, yet:
> 
> I started out with a Debian distro package and then wanted to switch to 
> upstream packages to upgrade from 7 some 8.0.1 something version back then.
> 
> It was a *complete* disaster. In the end I rolled everything back.
> 
> Why?

Because, as I explained in the blog, Debian tried to fit a square peg (web app) in a round hole (made for old style C apps). It didn't fit, they banged on it until it DID fit, and now everything is broken.

> The Debian provided package is actually a Debian package: It has the
> configuration for Owncloud in /etc, where it belongs and everything else where 
> it belongs. It is what I call *properly* packaged. The Owncloud provided 
> package is just like a tar.gz inside a Debian package. It just unpacks 
> everything to /var/www/htdocs or something like that. It is no package that 
> even remotely meets my quality expectation for a Debian package.

Ah, so you want executable code in /etc? Yes, config.php is executable. And why, because of some outdated policy? So you can backup your configuration, I bet. Not that that would work with ownCloud unless you also back up the database and other files - that's why every sane sysadmin would read our documentation. And if they do, they would FAIL to back up the debian configuration because it was moved. Welcome to the mess I am warning our users for!

It is 2016. This is a web app. Your conventions do not apply. Live with it or become irrelevant. I know, the choice for option 2 was already made. Sorry, this is a flame, but there is a reason for Docker's popularity: the distributions have failed to keep up.

> Additionally to that there was a bug with the encryption upgrade/migration in 
> that early 8.0.1 version as David told me. Although I was at least able to 
> make the encrypted files visible again, but still there were too many other
> issues left to actually use the updated version.
> 
> 
> On Debconf 2015 I talked with David, one of the maintainers of the Debian 
> package, and he told me that it is no good idea to switch between the two
> different package sources. I obviously knew already by this time. He already 
> packaged newer Owncloud 
> 
> https://people.debian.org/~taffit/owncloud/
> 
> and expects these to work okay on a Jessie based system. I want to try it 
> soon. Maybe still during my holidays.
> 
> Yet even 8.0.10 is dated already I agree with that. 

Yes. You are making the life of users harder: we do not support upgrading while skipping a new release anyhow, so if the new Debian release ships with ownCloud 8.2 or 9.0 then users will be unable to upgrade! You're backing them in a corner by sticking to such an outdated version.

> I question the usefulness of your blog article nonetheless. Instead of 
> complaining about outdated distro packages and providing your own totally 
> incompatible ones that are merely like tar.gz's inside a *.deb file, how about
> trying to find a way to *work* together and thus stop splitting man power? How 
> about providing properly packaged packages that actually meet the Debian 
> Policy for them?

I didn't complain, I warn users not to use something which is very likely to get them in trouble. You already pointed out that you have trouble migrating from ownCloud Frankenstein to ownCloud Proper.

> Did you ever talk to the distro teams about this? Did you ever try to 
> cooperate with them before considering to write your blog post?

The thing is that collaboration has to be with every distribution on their own infrastructure. That doesn't work, obviously, for an upstream project. There's a beautiful solution for collaboration - github. And a github-for-packaging, the Open Build Service. But Debian ain't interested.

And honestly, I'm no packager so I don't want to dive deep into this or put work on it, just warn people not to use Debian packaged ownCloud.

This isn't OUR problem. This is a problem which has been getting clearer over the last 15 years, distributions have not done anything about it so Docker and the GNOME and systemd team and others are now solving the problem for the distributions by making containers which have everything in them.

And I feel that that's a sad thing, because the distributions COULD have played a positive role, we're all joking about how insecure docker images tend to be for a reason.

> As far as I gathered from my talk with David, he doesn't plan to provide 8.x
> versions of Owncloud via Backports, understandably as it's quite some
> additional work to provide backports of all the necessary PHP dependencies. 
> There has been a backport of Owncloud once but it was a dependency mess. But 
> with united forces and some sanity when it comes to using newer PHP stuff, who 
> knows? Anyway, I am using the owncloud 7.0.12~dfsg-1 from unstable on my 
> server without any major issues.

As I said on the blog, if you don't care about the improvements in newer versions and have no issues, that's fine. At least it isn't insecure. You have about 2 more months to migrate to ownCloud 8.0...

> I think unified packaging would benefit everyone. Even if the 8.x packages 
> would not be in jessie-backports, you could provide them via your upstream 
> repository and if they are compatible with the Debian packaging, with some 
> coordination it would be possible to switch between them. I'd even be willing
> to switch over and test them once I am confident that they won't break my
> existing setup in inventive ways by being totally incompatible.

I'm not the guy packaging and if our packager has time - that'd be cool. If you guys ran your own OBS, we could connect ours to it (long live federation of the web) and we'd have one convenient infrastructure where we could all collaborate on! How about that?

> Aside from that I do think it is vital for Owncloud to backport security 
> fixes. The Mozilla foundation learned this the hard way and now provides ESR 
> releases after having received their share of feedback for their update & 
> forget policy. But also they are still not supported long enough for Debian 
> and Debian has actually compromises on their stable policy for Iceweasel for a
> longer time already: At some point the packaging team updates Iceweasel to a 
> new ESR release. I am not sure whether something like that is needed for 
> Owncloud.

Ship a newer ownCloud. You should for the many reasons I wrote in the blog.

> So or so, Owncloud 7 just works for what I used it for and I'd prefer not to
> have to upgrade to a major version every year or even shorter. Especially when 
> updates are not just smooth apt upgrade & update experiences, like they are 
> with Debian packaged Owncloud so far. Even the database upgrade is done on 
> package upgrade and I do not have to trigger the update from a webbrowser as 
> with Debian packaged wordpress for example. So from what I can see Debian's
> own Owncloud packages are very well done.

I'm sorry you don't want to upgrade regularly, but you'll have to. You can group it if you like, but there won't be any skipping of releases anyhow so your choice is to either spread it out and stay a bit close to upstream or to group your upgrades, do them once a year or so.

And yes, we don't let the upgrade run in the packages for a reason: it breaks on some systems. We're working on a new upgrade system to fix this, but that's a different story. And another reason not to use distribution packages.

> I understand the different policies and goals here. Upstream wants to move 
> fast, Debian wants to provide a stable experience for its users. Yet, just 
> barking at each other, ignoring each other or trying to drag users on the own 
> side is just everything else but constructive. What about looking for
> common ground and ways to cooperate instead – for the benefit of everyone 
> involved? Especially as Owncloud already has some longer supported versions 
> out there.

We can collaborate. On a platform made for collaboration. There is one (OBS), I haven't seen any others but hey, an alternative would be welcome, provided it is actually better of course. I don't think it is reasonable to expect upstream projects to work not only on packages for 15+ distributions but also do that with 8 different toolsets on 6 platforms.

Sorry to be harsh, but I've given up hope that the distributions will let anybody drag them kicking and screaming in 2016.

If we're to collaborate, I suggest the debian ownCloud packager(s) to start a conversation in debian about:
* adopting guidelines which work with web apps (when it comes to where to put files, splitting up what and where, and dealing with upgrade cycles faster than the distro)
* creating or adopting an open, transparent platform where distribution and upstream people can collaborate on creating packages.
* synchronizing policies, guidelines etcetera between distributions so the above can be cross-distribution and SAVE work rather than create it.

I'm not even asking to move to a single package format or anything like that, but I'm not holding my breath.

Sorry that you get such a rant back to a nice email. As openSUSE community manager I already got the smell of this mess so there's some frustration ;-)

Let's hope 2016 brings solutions. Even if that has to be in the form of containers...

> Thanks,

Cheers,
Jos

-- 
Disclaimer:
Everything I do and say is based on my view of the world today. I am not responsible for changes in the world, nor my view on it. Everything I say is meant in a positive and friendly way, unless explicitly stated otherwise.
find me on blog.jospoortvliet.com



