[CentOS] Why is yum not liked by some?

Thu Sep 8 15:38:12 UTC 2005
Les Mikesell <lesmikesell at gmail.com>

On Thu, 2005-09-08 at 09:05, Karanbir Singh wrote:
> > 
> > Local to what?  The production boxes are distributed but have good
> > internet connectivity.  The test box only has so-so internet
> 
> local to your organisation. If you do have good connectivity, forking 
> out for an extra role machine should not be an issue. I fail to see how 
> bandwidth has anything to do with yum. no matter what package manager 
> you use, you are going to need to pull down the same packages....
> 
> Any system admin who needs such solid control on the package tree's will 
> host his/her own repository of packages, sometimes even a bunch ( eg. 
> based on intended system role ) and run an automated delivery mechanism.

But you wouldn't need that if the package manager could actually manage
packages.

> Also, are you saying that you admin a large number of machines, and dont 
> actually test the packages before they are rolled out ?

I provide the QA people with a machine with the latest updates and when
they say everything works I try to duplicate those updates into the
production boxes.  As you imply, this is something nearly everyone
has to do, so I find it surprising that the package management tools
don't give you a simple way to do it.  Also note that there are as
many risks in waiting for testing and QA approval as not and you
have to balance them.  For example, I'd probably roll out any available
update to openssh to internet exposed boxes as fast as possible since
that is extremely unlikely to affect our services and not doing it
invites a compromise.  Besides, as the steady stream of security and
bugfix updates to a supposedly stable OS distribution demonstrates,
there will always be issues that you don't find until you have something
in real-world production. So, I consider the 'real' test to be the
first small set of of production boxes that are updated after QA's
blessing and watch for problems before rolling out to the rest.

> > connectivity.   Isn't having to do that an admission that yum
> > doesn't really do a good job of managing the packages you
> > want on a box?
> 
> there is yumlib, now available. Feel free to hack away.... A lot of the 
> 'home grown' scripts that I have seen out there are screen-scrapers.... 
> which by default, are locked into the specific version/setup of yum 
> anyway. Its stupid to think that those sort of scripts are ever going to 
> maintain functionality across versions.

There is a basic concept missing to provide what you get by making
a snapshot of the repository.  Consider the repository as a database
and then consider whether making a snapshot of an entire database
at every operation is the best way to get repeatable operations.
What it needs is for the repository index (only) to have the snapshot
operation after changes are complete so that no additions are considered
until the set is complete and you know all dependencies are available
and by keeping prior indexes and being able to specify something to
identify them in the update command you could precisely repeat the
set of changes that happened on a previous date.  This presents a
small problem with mirror operations since you have to ensure that
all other files are present before the index is updated.

> > Actually I think some invocation of rpm -q will give a list
> > of installed packages that you can feed to yum to install on
> 
> you mean something like
> 
> rpm -qp *.rpm --qf "%{name}.%{arch} "
> 
> which should give you a list of packages... easy to feed that to a yum 
> install process...

I think that might be a reasonable starting point. But it doesn't solve
the problem of attempting updates as a repository is being modified. 
You have to work around that even if you do your own snapshot copies.

> > another machine, but it is not at all intuitive.  Don't the
> > people writing package management tools actually manage any
> > machines or understand that keeping them identical is
> > desirable?
> 
> If a couple of hundred machines counts as 'machines', then yes - the 
> people I know -  working on these package management tools do indeed 
> manage machines.

Do they do it by working around the package management tool's problems
with huge repository snapshots?

> perhaps, this conversation needs to move to the yum-devel list, where 
> you can then recommend ways to make yum more user-friendly.

I've mentioned it on the RPM list and a yum developer responded, but I
don't think I got across how desirable it would be to have yum
operations be repeatable and reliable in spite of the inconsistencies
during repository updates.  I think I need a better way to explain the
similarity to a CVS repository and the equivalent need to be able to
extract any consistent set of revisions.

-- 
   Les Mikesell
     lesmikesell at gmail.com