Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Retire debian packaging #5941

Open
vilmibm opened this issue Jul 14, 2022 · 10 comments
Open

Retire debian packaging #5941

vilmibm opened this issue Jul 14, 2022 · 10 comments
Labels
enhancement a request to improve CLI packaging

Comments

@vilmibm
Copy link
Contributor

vilmibm commented Jul 14, 2022
edited

As gh has appeared in Debian Sid, I think it would be prudent to sunset our Debian packaging. This packaging is a source of hosting headaches for us as well as a steady stream of issues (notably around key management).

As prerequisites for this, however, I suggest we:

  • Provide a simple, non-sudo install script that can detect architecture and download a binary release
  • Write up documentation on how to make use of the Sid package on Debian systems

I'm definitely interested in feedback on this. I'll leave needs-triage so it gets picked up in the next triage meeting.
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label Jul 14, 2022
@vilmibm vilmibm added the enhancement a request to improve CLI label Jul 14, 2022
@mislav
Copy link
Contributor

mislav commented Jul 14, 2022

Agreed that we could stop publishing our Debian package. However, we would still have to continue publishing our Ubuntu package, right? And we have to improve our GPG key management there anyway (for instance, what happens when the current key expires?). With that in mind, will we have tangible gains by dropping Debian?

  • Provide a simple, non-sudo install script that can detect architecture and download a binary release

That would be great. When that gh self-detects that it's out of date, however, how would we suggest to our users that they upgrade?

@vilmibm
Copy link
Contributor Author

vilmibm commented Jul 16, 2022
edited

However, we would still have to continue publishing our Ubuntu package, right

No, Ubuntu users can install packages from a Debian repository. As it is, we package a single debian repository and then just mark it as available for every extant Ubuntu distro. There's no actual difference in the package.

And we have to improve our GPG key management there anyway (for instance, what happens when the current key expires?).

We would still need to deal with that unless we drop RPM packaging also (which I am not opposed to but haven't checked to see if any major RPM distros package us)

When that gh self-detects that it's out of date, however, how would we suggest to our users that they upgrade?

We could suggest that they re-run the script (or offer to download an asset from a release ourselves). I recognize I'm essentially describing the upgrade command I've been opposed to in the past but my sentiments have changed.

@mislav
Copy link
Contributor

mislav commented Jul 20, 2022

However, we would still have to continue publishing our Ubuntu package, right

No, Ubuntu users can install packages from a Debian repository.

Will we then suggesting that Ubuntu users add the Debian Sid package repository to their sources to get access to gh? Is that kosher in Ubuntu world?

@samcoe samcoe removed the needs-triage needs to be reviewed label Jul 25, 2022
@vilmibm
Copy link
Contributor Author

vilmibm commented Aug 15, 2022

It's not uncommon to do that--also, I noticed that gh is already installable by default via apt in Ubuntu 22.04, so users on the current LTS wouldn't need to do anything to have gh be available. It's not a super recent version, but it's not ancient either.

@vilmibm vilmibm mentioned this issue Sep 2, 2022
Closed
@Xiphoseer
Copy link

Xiphoseer commented Sep 3, 2022
edited

From a user perspective, it would be nice to have the custom apt repository around until the stable release of Debian 12 (Bookworm), which should be sometime in the summer of next year, i.e. 2023.

Edit to clarify: bookworm is the first release that has a version of gh while stable is what the Debian Security Team tracks.

@kewisch
Copy link

kewisch commented Sep 3, 2022

Have you considered switching to container technology such as snaps? This could potentially solve a few issues around being distro and distro version agnostic.

@Spurlos
Copy link

Spurlos commented Sep 4, 2022

Snaps isn't a good solution in case one would like to use gh as a tool in a stripped down linux distro such as Alpine, for example in a CI\CD automation.

@elibarzilay
Copy link

Dumping it in favor of "whatever comes with Ubuntu" is a bad idea. It works fine for "stuff that is generally stable so I don't care about it's freshness", and for stuff that you do care about it's nice to have an option that is fresh, yet works via the system packages. Here's a relevant example.

(And just in case the irony in the above is missed: dumping it in favor of "whatever comes with Debian", is a worse idea. (And this is not criticizing Debian.))

@xroche
Copy link

xroche commented Sep 6, 2022

Provide a simple, non-sudo install script that can detect architecture and download a binary release

Replacing a common solution that has proven to be reliable (ie. apt with authenticated cryptographic key) by yet-another dedicated script is not enhancing the developer's experience I'm afraid. If every single tool comes with its own way of install, we are basically going back twenty years in time.

nmalaguti added a commit to nmalaguti/docker-github-actions-runner that referenced this issue Sep 6, 2022
@nmalaguti
Change gh cli install method to github releases
214b754 
The apt repo for the gh cli is broken due to an expired GPG key:
cli/cli#6175

They want to retire the debian packaging altogether
cli/cli#5941 and this is the recommended "long
term" solution
cli/cli#6175 (comment).

Adapted from cli/cli#6175 (comment)

Fixes myoung34#236
@nmalaguti nmalaguti mentioned this issue Sep 6, 2022
Merged
@mislav
Copy link
Contributor

mislav commented Sep 14, 2022
edited

so users on the current LTS wouldn't need to do anything to have gh be available. It's not a super recent version, but it's not ancient either.

I think that the main problem with telling our users to install from official Debian or Ubuntu repositories is that, with our 2-week release cadence, the version of gh that they will get from their distro will always be out of date from our own. Then, those users will come to us for advice on how to install the actual latest version to get access to the latest feature or the latest fix. At that point, we could give them an installer script that manually fetches a *.deb file from our Releases, but how would they continue upgrading after that? A manually installed deb cannot upgrade, and we don't have a self-upgrader in place either.

It feels to me that continuing to publish our package repository offers users the best experience to stay up-to-date, provided that we solve the long-term question of refreshing the GPG key when it expires in the future. For example, we might be able to distribute public key updates via a separate deb package. Related: #5894

Have you considered switching to container technology such as snaps?

Yes, and it's not great as it stands right now: casperdcl#7

@samcoe samcoe removed the linux label Sep 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement a request to improve CLI packaging
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@mislav @vilmibm @elibarzilay @kewisch @Spurlos @xroche @samcoe @Xiphoseer @cliAutomation