On August 19, 2021 17:24, Kevin Morris via aur-general wrote:
I do like Giancarlo's idea because it would really future-proof a lot of Python libraries we use; we could just lock versions in requirements.txt. It just feels a bit odd that we're splitting between two different package managers, especially because we still have to depend on several Arch packages working properly regardless of the Python libraries.
I think I'm going to in fact commit that in as a new route for Python dependencies within a few days; it'll at least remove a dependency on unmaintained packages in the future.
That being said, I'd still vouch for the package in question for [community], as it's quite useful and seems like it's been stable for long enough in upstream.
Regardless, thanks for taking a look and replying so quickly!
Regards, Kevin
We can (and should) aim to have everything needed to run the new aurweb on the repos. Using virtualenvs has the downside of needing to sometimes be re-created and that can cause issues (we had psycopg issues on archweb). Also, we need to make sure we don't allow the deps to go stale on it.

Still, it allows the rest of the machine to be updated often, and this is especially important on the aurweb. We have a huge attack surface, it is by far our most important service to secure, given the SSH and webgit access, and everything else. I don't want us to have to hold an important kernel, openssh, etc., upgrade, because it would also bring in a new version of the libraries which would break the code. We also had issues with the PHP aurweb in the past where a new PHP version would break it, preventing the whole machine from being updated.

Regards,
Giancarlo Razzolini