| ▲ | benwilber0 4 days ago |
| Maybe I'm wrong, but aren't apt repositories just files in a web root? There are many scripts in the Debian ecosystem to generate and maintain such web directories. Maybe the actual package building would be interesting, but I don't know about just "we'll host your .deb files and keep the index updated" |
|
| ▲ | ilikebits 4 days ago | parent | next [-] |
| You are correct. The reason we built this tool is because all of the scripts we found had sharp edges when we tried to use them in production at scale (I talk about some of them here: https://news.ycombinator.com/item?id=43730136). Most of these scripts were designed for a world where there was A Blessed Deployment Machine that acted as its own de facto centralized control plane. We're designed for a newer world where publishing is just another piece of your CI, so you need more features to handle concurrency control, distributed signing, incremental index rebuilds, etc. |
| |
| ▲ | benwilber0 4 days ago | parent [-] | | What is an example of something that would require "distributed signing"? | | |
| ▲ | ilikebits 4 days ago | parent | next [-] | | Our use case is customers who (1) want to use a managed cloud hosting service that we provide, but (2) are not willing to give us their signing keys. Our design allows them to keep all of their signing keys local to their environment. To our knowledge, we have not found another provider who supports both of these requirements. It's not some amazing technical innovation, but it is one of those annoying paper cuts that builds up with all the others. | | |
| ▲ | benwilber0 4 days ago | parent | next [-] | | > when we tried to use them in production at scale Debian and Ubuntu have been using them in production and "at scale" for decades. What are the "sharp edges" that you're trying to solve? | | |
| ▲ | ilikebits 4 days ago | parent [-] | | That's true! The Debian and Ubuntu folks are also experts at this. In our experience, the sharp edges generally affect teams that don't have a lot of in-house expertise in this, and where release engineering is not a core engineering competency that they want to invest in. |
| |
| ▲ | rlpb 4 days ago | parent | prev [-] | | Signing an unsigned apt repository is about three gpg commands though. I don't see how this kind of thing requires a whole separate product. | | |
| ▲ | ilikebits 4 days ago | parent [-] | | Yeah, solving this locally for one repository definitely isn't that hard at all. Most of the features we're building become useful when you're trying to build CI integrations for a larger team while also complying with enterprise security requirements (e.g. audit logging, HSM key protections, etc.). |
|
| |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
|
|
|
| ▲ | MattJ100 4 days ago | parent | prev [-] |
| As a FOSS project which publishes debs, it's a real hassle using current tooling. The tools are heavily biased towards the needs of distro maintainers, forcing projects into overly complex workflows which are overkill for a small numbers of packages. Features that would benefit smaller repositories with more frequent updates are limited or missing. The other options is to DIY without tooling (essentially, write custom tooling as scripts or whatever), which is messy and full of pitfalls to the inexperienced. |
| |
| ▲ | ilikebits 3 days ago | parent [-] | | Yup, this was similar to our experience as well. If publishing is still a source of toil for you, feel free to reach out at eliza@attunehq.com - we'd love to see if we can do any dev work or hosting pro bono for your open source projects. |
|
