On Mon, May 23, 2022 at 6:17 PM Stephen Smoogen <ssmoogen@xxxxxxxxxx> wrote:
>
> Applications in Fedora Infrastructure need to be deployed in an auditable and repeatable way. These methods need to allow someone to determine which software was installed, when it was installed, and what it was meant to be done (example: rpms or podman build scripts for containers). The goal is to be kind to our future selves at 2 am who need to figure out why a critical application is broken and how to rebuild and redeploy as needed.

I like this approach. I don't think there's real value in requiring that everything be packaged as an RPM, but we do want to make sure we can re-deploy correctly.

What are the implications for pinning requirements here? Should we require that each application require specific versions of dependencies? I don't love that idea, but I love even less the idea of a stealthy change to a package turning our infrastructure into a cryptocurrency rig.

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis