[Pkg-puppet-devel] Vendoring core modules in puppet-agent
Jérôme Charaoui
jerome at riseup.net
Thu Feb 8 15:58:15 GMT 2024
Le 2024-02-08 à 10 h 50, Antoine Beaupré a écrit :
> On 2024-02-08 10:45:20, Louis-Philippe Véronneau wrote:
>> Hi,
>>
>> Vendoring is frowned upon in Debian for a number of (valid) reasons and
>> should IMO be the last option when everything else has failed.
>>
>> I don't see why these packages shouldn't stay their own packages and be
>> marked a dependencies for puppet-agent if that's the behavior we're
>> looking for, especially since they are separate projects on Github.
>
> I'm not sure we're talking about vendoring the way Debian usually frowns
> upon it: those are packages specifically designed, by upstream, to be
> managed inside the Puppet agent. They are shipped with the agent in the
> upstream package, and I think it would make sense to do so here as well.
Right, I think another element to take into account is those modules are
mature and not being very actively developped.
And since they're included in puppetlab's puppet-agent, any security
issues in one of the modules for example, would lead to a new release of
puppet-agent being made by puppetlabs.
-- Jérôme
More information about the Pkg-puppet-devel
mailing list