As a long-time coder and tinkerer, who views computers as deterministic if we understand them properly, modern tooling feels wrong to me.
- Python expects code to be distributed in a form where it has to contact PyPI for dependencies. (You can get around this, like the `awscli` installer does, but I never did figure out how they build that.)
- Python expects code to be distributed in a form where the installation process executes arbitrary code. This transitively happens with all dependencies.
- `composer install` (usually) expects to be able to fetch code from GitHub. Running it (non-interactively and with `--no-dev`, of course) as part of deployment makes deployment depend on the internet working.
- Containerfile `ADD` and `COPY` will happily take URLs as sources, including URLs that are intended to be mutable, like GitHub `/latest/` release artifact URLs. Projects may recommend using such URLs.
- `curl … | sudo sh` also deeply connects the internet to the process, and treats the script itself as ephemera, discarding it as the process completes. If the script makes its own internet connections, the problem of preserving the canonical source is multiplied.
Quite aside from “the internet connection has to be up,” the referenced URLs must keep working over time. A Containerfile built as recommended for the docker-php-extension-installer inherently requires the up-to-date source of code to remain at the `github.com` site, and under the `mlocati` user.
Building reliability and reproducibility into the process is left up to the user. Those features can only be included if the thought, “what if…?” crosses someone’s mind.
However, saving remote resources into a local build context protects them from loss, but requires the maintainer of that build to update those resources. Probably manually. If it can’t be changed out from under me the next time I run `podman build`, then it also isn’t getting updates to follow changes in the base image. It takes some discipline to track where these things come from, and sometimes, how to reproduce them. For instance, when GPG keys for an Ubuntu PPA needed to be converted to binary before use, it wasn’t enough to leave only the URL written down.
Thus, it’s more work, but the result is stable, and that’s important to me.
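One way to keep that discipline mechanical, as an added example that is not part of the original post: a provenance manifest beside the vendored files records each file's local path, the URL it was deliberately fetched from, and its sha256, and a check function verifies the build context against it before `podman build` runs. The file names, the manifest format, and the `example.invalid` URL are assumptions made up for this example.

```shell
#!/bin/sh
# Verify vendored build-context files against a provenance manifest.
# Manifest format, one entry per line:  <local path> <origin URL> <sha256>
# The URL is recorded only so a maintainer can re-fetch the file on purpose;
# the build itself reads from the local context (COPY vendor/ ...) and never
# touches the network, so nothing can change out from under it.
set -u

# Constructed sample context: one vendored script plus its manifest, in a temp dir.
make_sample_context() {
    sample_ctx=$(mktemp -d)
    mkdir -p "$sample_ctx/vendor"
    printf 'echo hello from a vendored installer\n' > "$sample_ctx/vendor/install.sh"
    sample_sum=$(sha256sum "$sample_ctx/vendor/install.sh" | cut -d' ' -f1)
    printf 'vendor/install.sh https://example.invalid/install.sh %s\n' "$sample_sum" \
        > "$sample_ctx/VENDORED.txt"
    printf '%s' "$sample_ctx"
}

# check_manifest <context dir> <manifest file>
# Returns 0 when every listed file exists and matches its recorded sha256,
# 1 otherwise (each missing or mismatched file is reported on stderr).
check_manifest() {
    ctx=$1; manifest=$2; status=0
    while read -r path url expected; do
        [ -z "$path" ] && continue          # skip blank lines
        if [ ! -f "$ctx/$path" ]; then
            echo "MISSING  $path (origin: $url)" >&2
            status=1; continue
        fi
        actual=$(sha256sum "$ctx/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path: manifest $expected, on disk $actual (origin: $url)" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}
```

Run `check_manifest . VENDORED.txt || exit 1` as the first step of the build script; a mismatch then stops the build instead of silently shipping a changed file.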