Internet software repositories considered harmful

[dpoirier]

When our deploys pin a particular version of some software package, but fetch it from some repository on the Internet that we don't control, we risk that version not being available someday. Over time, package maintainers decide nobody will need that old version anymore. Or whole repositories vanish from the Internet.

We need our deploys to work indefinitely into the future. On the day 2 years from now when one of our servers melts down and we need to quickly deploy another one, we don't want to suddenly find half the software versions we had been running are no longer anywhere to be found on the Internet.

I think the only 100% safe approach would be to keep our own copies of things in some way - there are many ways we could do it.

This is obviously something we would need to address long-term.

[dpoirier]

For Python packages, we could set up our own Caktus server running a caching PyPI proxy and do all our project installs via that. If we make sure it never removes anything from its cache (even if it vanishes from PyPI), then once we've installed something from there, we'll know we can install the same version again later.

For Linux packages, there are similar tools like Apt-Cacher.

In both cases, though, things are complicated by our sometimes using packages from repositories other than the main, official ones. We install Python from deadsnakes, or a patched version of a Python package from github. Apt-Cacher can handle proxying as many different backend repos as you want. We'd need to find a caching proxy for installing Python packages that can do something similar.

[dpoirier]

Another approach for Python packages: : see https://pip.pypa.io/en/latest/user_guide.html#create-an-installation-bundle-with-compiled-dependencies.
Pip can download all the dependencies and put wheels in a directory. Then you can install from there. Now all we need to do is store the directory somewhere - maybe in GitHub, in a deploy repository? (I don't think we want these in our source repos.)