jpkrohling
commented
7 months ago I wasn't aware of fury.io and was able to secure both "opentelemetry" and "open-telemetry" there. While I think it's a good idea in general, I think the TC would have to approve the usage of this to host our official artifacts. I think I would be somewhat OK with that only if we provide ways for our users to independently verify that the artifacts are indeed coming from the project, likely by signing the packages/binaries.
edigaryev
atoulme
devstein
Currently, when you follow the DEB Installation instructions for the OpenTelemetry Collector, you install a specific version that won't be upgraded with
apt-get update && apt-get upgradewhen the new one comes out.This places a burden on the administrators, because you have constantly track new Collector versions and update your Ansible Playbooks to include the new
.debURL. This is simply not how things are done normally when administering Debian-based distributions. The same applies to the current state of.rpmpackages.To solve this, a repository needs to be provided.
Good news is that since this project already uses GoReleaser and has
nfpmsconfigured, providing a repository will be just 2 lines of YAML added to.goreleaser.yml:(this assumes that this project has an access to
open-telemetryaccount on Gemfury and an appropriateFURY_TOKENis provided when running GoReleaser in CI)Here's an example of how Cirrus Labs's Vetu project uses GoReleaser's
furies:to publish both .deb and .rpm repositories:.goreleaser.ymlconfigurationFURY_TOKENin CI