ocf / projects

Overview of technical OCF projects

release monitoring #41

Closed nikhiljha closed 4 years ago

nikhiljha commented 4 years ago

In Fedora we have https://release-monitoring.org/, which watches for new versions of packages and creates a fedmsg (like a notification, but you can set up custom routing rules and stuff) so package maintainers know there's a new version of their package available. It's based on an open source project called Anitya.

The OCF might benefit from something similar. For example we could have an email go to an updates@ocf.berkeley.edu mailing list so we're at least aware of new versions.

nikhiljha commented 4 years ago

Kubernetes containers don't have DSAs, so this would be a net positive for security too.

dkess commented 4 years ago

I don't remember if I wrote this anywhere, but my idea for solving this for the OCF has been:

  1. Add a machine-readable comment to files in our repos that contain version numbers we want to watch
  2. Write a script that checks RSS feeds and makes a PR to those files whenever a new version is released (with a link to release notes or whatever)

We could run that script on a Kubernetes cronjob, no need for a long-running service.

cg505 commented 4 years ago

I think that I have also independently come to the same conclusion as @dkess about this, but I haven't thought about it in a lot of detail.

cg505 commented 4 years ago

The one thing I'll add is that it would be useful to have more than just a notification. Notifications can be missed, so it would be nice to be able to see what is out of date on-demand, on a control panel or something.
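As an added illustration of the two ideas above (dkess's "machine-readable comment plus a script that checks feeds" and cg505's "see what is out of date on demand"), here is a small offline sketch. It is example code, not anything from the OCF repos or this thread. The `# ocf-watch:` marker format, the feed URLs, the Atom feed contents and the `example.invalid` hostnames are all constructed for the example; a real run would fetch each feed with `urllib.request` and the PR step is deliberately left out.

```python
"""Scan files for version-watch markers, compare against release feeds, report what is stale."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Hypothetical marker convention (an assumption, not OCF's):
#   # ocf-watch: name=<project> feed=<atom-url> version=<pinned-version>
WATCH_RE = re.compile(
    r"#\s*ocf-watch:\s*name=(?P<name>\S+)\s+feed=(?P<feed>\S+)\s+version=(?P<version>\S+)"
)
ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}
# Tags like v1.22.0-rc.1 should not trigger an "out of date" report.
PRERELEASE_RE = re.compile(r"(rc|alpha|beta)", re.IGNORECASE)


def find_watched(text: str) -> List[dict]:
    """Return every watch marker found in one file's text."""
    return [m.groupdict() for m in WATCH_RE.finditer(text)]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.21.3' into (1, 21, 3); parsing stops at the first non-numeric piece."""
    parts = []
    for piece in v.lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def latest_from_atom(feed_xml: str) -> str:
    """Highest stable version named in an Atom feed's entry titles (GitHub's /releases.atom shape)."""
    root = ET.fromstring(feed_xml)
    titles = [
        e.findtext("atom:title", default="", namespaces=ATOM_NS)
        for e in root.findall("atom:entry", ATOM_NS)
    ]
    stable = [t for t in titles if parse_version(t) and not PRERELEASE_RE.search(t)]
    return max(stable, key=parse_version) if stable else ""


def check(files: Dict[str, str], feeds: Dict[str, str]) -> List[dict]:
    """Return one record per watched project whose pinned version is behind its feed."""
    outdated = []
    for path, text in files.items():
        for marker in find_watched(text):
            latest = latest_from_atom(feeds.get(marker["feed"], "<feed xmlns='http://www.w3.org/2005/Atom'/>"))
            if latest and parse_version(latest) > parse_version(marker["version"]):
                outdated.append({"file": path, "name": marker["name"],
                                 "current": marker["version"], "latest": latest})
    return outdated


# Constructed sample input: one Makefile with two watched versions, and two fake feeds.
SAMPLE_FILES = {
    "Makefile": (
        "# ocf-watch: name=kubernetes feed=https://example.invalid/k8s.atom version=1.21.3\n"
        "K8S_VERSION = 1.21.3\n"
        "# ocf-watch: name=puppet feed=https://example.invalid/puppet.atom version=7.4.0\n"
        "PUPPET_VERSION = 7.4.0\n"
    ),
}
SAMPLE_FEEDS = {
    "https://example.invalid/k8s.atom": (
        '<feed xmlns="http://www.w3.org/2005/Atom">'
        "<entry><title>v1.22.0-rc.1</title></entry>"
        "<entry><title>v1.21.4</title></entry>"
        "<entry><title>v1.21.3</title></entry></feed>"
    ),
    "https://example.invalid/puppet.atom": (
        '<feed xmlns="http://www.w3.org/2005/Atom"><entry><title>7.4.0</title></entry></feed>'
    ),
}

if __name__ == "__main__":
    # The on-demand "dashboard": a cronjob can run this and mail or post the result.
    for rec in check(SAMPLE_FILES, SAMPLE_FEEDS):
        print(f"{rec['file']}: {rec['name']} {rec['current']} -> {rec['latest']}")
```

Pre-release tags are filtered out so a release candidate does not open a PR against a production pin; that is the main edge case a tag-based checker has to handle.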

cg505 commented 4 years ago

> Kubernetes containers don't have DSAs, so this would be a net positive for security too.

Non-Debian APT repos (Docker, Kubernetes, Brave, Puppet) also won't get DSAs.

dkess commented 4 years ago

Some quick ideas on an "out-of-date" dashboard:

nikhiljha commented 4 years ago

I suggested Anitya because it already handles the "check for new updates" bit (works based off of git tags, so it works on 99% of open source projects).

I wonder if there's a tool that can automatically look at kubernetes/docker files and make PRs. Rolling our own dashboard + automatic PRs sounds like a lot of work.

cg505 commented 4 years ago

Anitya definitely seems worth checking out

nikhiljha commented 4 years ago

Apparently Dependabot (now integrated into GitHub) https://dependabot.com/docker/ can check the FROM line of a Dockerfile. If we switch to defining versions inside the Dockerfile (instead of the makefile) that could work (?).

That seems like a clean solution given that we use GitHub anyway.

cg505 commented 4 years ago

I was kind of under the impression that Dependabot only handled security updates.

nikhiljha commented 4 years ago

You can configure that, but it does all updates by default iirc.
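For reference, an added example (not the OCF repo's own configuration) of the Dependabot config that turns on version updates for the `FROM` line of a Dockerfile, which is the "define versions inside the Dockerfile" approach discussed above; the `directory` and schedule are assumptions for the example.

```yaml
# .github/dependabot.yml (added example, not OCF's file)
version: 2
updates:
  - package-ecosystem: "docker"   # watches FROM image:tag in the Dockerfile
    directory: "/"                # assumed location of the Dockerfile
    schedule:
      interval: "weekly"          # regular version updates, not only security alerts
    open-pull-requests-limit: 5
```

For this to work the base image has to be pinned in the Dockerfile itself (for example `FROM debian:bullseye-20210902`) rather than passed in from the makefile, since that `FROM` line is what Dependabot reads and rewrites.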

nikhiljha commented 4 years ago

fixed https://ocf.io/gh/adelie 🥳