-
-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VirtualGL 3.0 beta1 and later missing from SourceForge #225
Comments
It appears as if the issue has been resolved, but I am still open to suggestions for other file hosting solutions, bearing in mind the constraints I mention above. |
Note that I don't use RPM distros, but I am making the suggestion anyways. The above can be done with GitHub if we use a GitHub repository as a YUM repository, and point it to GitHub release URLs. A matter of using REST APIs over SSH in this case. Some references to automatically build RPMs on GitHub (you don't need to use this though): Technically, it should be possible to (optionally) build assets using GitHub actions, then use https://github.com/softprops/action-gh-release to upload the asset to a release, then point the YUM repository to the release URL formats. The release URLs have a fixed format. SourceForge releases also redirect anyways, just like GitHub. Even if you opt to build on your own packages then upload, GitHub provides an API to automatically upload assets to a Draft Release (which is not yet visible to the outside, the draft release can be created automatically and then be published automatically too). https://docs.github.com/en/rest/releases/assets Then, an example of a YUM repository hosted on GitHub (the URL of a release on GitHub has nothing fundamentally in difference to Sourceforge - both redirect, so it can be pointed to a URL format like you do in SourceForge): https://github.com/riboseinc/yum (I do not recommend uploading rpms on git repositories like this though) The below is an example of how the GitHub API works (Btw, please don't mix ESR releases on the main releases since the below GitHub API approach breaks because of that):
I do things like this for downloading from GitHub, but for VirtualGL, the yum repository can be set up on a separate repository on GitHub and can be point to the URL like: Why am I suggesting this? Because I (also) used Sourceforge since when nobody knew about GitHub, and I experienced why Sourceforge shouldn't be the single point of failure so many times since then (especially for a production project like this!). GitHub might break their whole website from time to time, but at least everyone breaks, and they publish a comprehensive report on how to prevent that later. They don't partially break things all the time. |
@ehfd That is not a good fit for our current release workflow. I have to sign our official release packages using a GPG key on Linux, an Apple Developer certificate on macOS, and a code signing certificate on Windows. I do not trust any cloud-based CI system to keep the associated private keys secure. (GitHub Actions has never had a data breach that exposed encrypted secrets, but Travis CI had one last year, and CircleCI had one this month.) Thus, I use physical security to protect the private keys. They are stored on my local build machines in an encrypted volume, and official releases are built only on those machines. I have been using SourceForge since 2004, so I do not need you to explain the tradeoffs of it to me. My projects do not rely on SourceForge for anything but file hosting. What I would need in order to consider using GitHub for file hosting instead:
At the moment, I have very little time and funding to look into migrating our file releases, and I certainly do not have time to learn how to use the GitHub API. Furthermore, there are other nice things about using SourceForge for file hosting, such as automatic virus scanning, multiple mirrors, fine-grained statistics, etc. It's funny how many people beg me to use GitHub for everything because they consider SourceForge to be a "single point of failure." You see the irony in that, right? I've been around long enough to have seen these sites come and go, and I don't really think that trusting Microsoft's current benevolence toward the open source community is a more sound strategy than trusting Slashdot Media's benevolence. In both cases, the companies are running the sites primarily to promote their other businesses. |
I've been talking about this the whole time. It will work the way you want to. And you don't need GitHub actions (it's only required if you want to build the packages in GitHub, and you don't want to). You can build things in your own node and use cURL with the REST API to upload the assets to GitHub releases. All tokens and important security information in your own node. You can use the REST API from your own node to create the releases automatically too.
Yes, it's possible. Easier, perhaps. With the GitHub REST API from your own node. I understand that you lack time to do it in different ways, but I still think what you listed is not enough as an argument to stay on SourceForge only. Maybe try using both GitHub and SourceForge for files when you finally have the time to learn GitHub REST APIs in the future, and choose what you like (or keep both). Basically, if you don't want to use the GitHub Actions CI/CD and want to build everything in your node, the below is all you need to study (and for YUM, you already know what you need). https://docs.github.com/en/rest/releases/assets |
Great, so show me how to do it. Your examples above appear to only demonstrate how to download assets, not push or update them.
I don't have to convince you. You have to convince me. You haven't spent the last 19 years maintaining this project (the last 14 of which have been as an independent developer working for very little money.)
The API seems straightforward, but it will still take some time (that I don't currently have) to design and test appropriate release management scripts, re-deploy all current releases to GitHub, etc. Then I have to endure the inevitable migration pain-- fielding support queries from people who didn't bother to read the announcement and are still looking on SourceForge, people who are still trying to access the old YUM repository and don't understand why the latest release isn't there, etc. (I still have users trying to subscribe to the archived project mailing lists on SourceForge, even though they have to click through a screen that clearly says "this list has moved to Google Groups" in order to do so. People don't read, so every change is more painful than it should be.) I don't actually know how to create a YUM repository using only external URLs. I currently use the default |
I will try these things and help you along the way. And yes, I know that I am the one who should convince you, so I will try to give you a proof of concept. |
@ehfd SourceForge SSH access has been flaky lately, so I'm ready to move everything to GitHub if someone can figure out the YUM hosting problem. |
https://copr.fedorainfracloud.org/ https://docs.pagure.org/copr.copr/how_to_enable_repo.html#how-to-enable-repo An option for hosting RPMs alternatively. Integrates tightly with GitHub. I believe COPR is what you are looking for. Other options: https://rpmfusion.org/Contributors#Submitting_a_new_package I believe dedicated FOSS YUM/DNF providers are best. |
@dcommander Then if people gradually stop using SF, it can be phased out. |
Uploading to three places simply isn't going to happen. I am only willing to host files on GitHub if it can fully replace SF, which means figuring out the YUM repository problem. |
Fedora COPR automatically builds RPM packages in their own infrastructure from information obtained from the GitHub repository or a provided https://www.reddit.com/r/Fedora/comments/l5bzy0/need_help_creating_a_package_in_copr/ |
In a
It is possible to set I really believe that Fedora COPR can remove this headache and you wouldn't even need to use Then uploading to GitHub releases (deb and rpm files uploaded previously to SourceForge are now uploaded to GitHub, just that the yum repo and rpm assets are managed by COPR) is even more trivial. https://docs.pagure.org/copr.copr/user_documentation.html#webhooks |
Anyways, if the yum repo must be hosted on GitHub, I need more investigation but I think there is a way around, although very non-trivial.
Again, COPR automatically solves these problems. |
External building of RPMs is a non-starter. Our official packages are signed with a private key that is, for security reasons, stored only on a local machine and not in the cloud. This is one of the differences between a "community" project and a project, such as ours, that is trying to be as enterprise-friendly as possible (because being as enterprise-friendly as possible is how I attract funded development, which keeps the project alive.) Why couldn't the generation of the XML file be automated? |
I suspected this would be an issue, and I understand. |
Because I believe that the link to the package has to be manually updated in the XML file in order to accommodate GitHub release URLs. https://blog.packagecloud.io/packagecloud-loves-oss/ They could accommodate VirtualGL/TurboVNC. They have a CLI which allows uploading custom RPMs, but is a paid service. OSS projects can be exempt from the payment though. This way DEB files can also be installed using apt-get. RabbitMQ (https://www.rabbitmq.com/install-rpm.html) and other large projects use PackageCloud. |
Also free for FOSS: 1) https://www.cloudrepo.io/docs/raw-repositories.html 2) https://fury.co/pricing (free for public repositories) PackageCloud and GemFury look like safe choices supporting DEB and RPM free for FOSS and both can push built RPMs. |
So, what changes from moving away from SourceForge in this proposal? GitHub Release Assets: Direct download link moves from: Uses GitHub REST APIs instead of Sourceforge SSH. PackageCloud (https://blog.packagecloud.io/packagecloud-loves-oss/) RPM and DEB packages: Uses PackageCloud CLI to upload built RPM and DEB packages. |
Let me be more clear: The reason why we started discussing this issue in the first place was a lack of trust in the stability and longevity of SourceForge. Now you're proposing that I move YUM repositories to another service that is a complete unknown? Six or seven years ago, people begged me to move to BinTray. Now it's gone, but the packages I host on SF are still there. I am only interested in a solution that involves services with a higher trust profile than SF. At the moment, that probably means GitHub only. |
Yes, you're right. I guess they can go out of business. But that doesn't mean SF is doing good... I will check how an RPM would be possible on GitHub, but it will take time.
I still doubt this. There is one more set of options; hosting services from distros themselves (Launchpad for DEB, OpenSUSE Build Service for DEB/RPM if somehow there is a way to upload pre built packages). https://en.opensuse.org/openSUSE:Build_Service_comparison and https://copr.fedorainfracloud.org - if uploading is possible Example: Anyways, that was enough discussion for now, I will come up with something later. A very simple solution might be just to change the baseurl in repomd.xml. But untested. |
Let me be even more clear:
|
Created a new issue (#240) to track this. |
As of this writing, VirtualGL 3.0 beta1 and later do not appear at
https://sourceforge.net/projects/virtualgl/files
The files aren't actually gone. I can see them from an SSH shell. There is apparently a temporary issue with the SourceForge web interface that is preventing them from being displayed, and numerous projects are reporting the same issue;
https://sourceforge.net/p/forge/site-support/search/?q=status%3Aopen
As most of you know, one of the reasons why we continue to use SourceForge for file releases is that SourceForge allows file deployment and management via SSH, so I am able to automatically push and update releases using rsync and manage YUM repositories on SourceForge's file release server. If GitHub had that same functionality, then I assure you that I would use it. Barring that, I am open to other suggestions.
If this outage lasts more than a day, then I will upload the missing releases to GitHub as a stopgap solution.
The text was updated successfully, but these errors were encountered: