[Webapps-common-discuss] Notes from webapp BoF yesterday at Debconf

Geoffrey Thomas geofft at ldpreload.com
Sat Aug 30 19:48:25 UTC 2014 

(BCC people who were present)

Hey webapps-common folks!

Yesterday at Debconf, I got some people together for a BoF to discuss how 
best to handle webapps in Debian and to try revitalizing the 
webapps-common effort. We talked about a bunch of issues, and I've 
included detailed notes at the bottom for those who are curious, but here 
are some high-level topics:

We're more interested in reasonable automatic configuration for people who 
don't deeply care how an app works, than making things work very well for 
people who will be closely working with an app (mass hosts, etc.). But we 
do want to support multiple deployments.

We want a common tool that each webapp has config for, that handles
   - Deploying new instances of a site
   - Importing/exporting content, if the webapp supports some format for
     it upstream
   - Handling database migrations on upgrade
   - Keeping plugins in a symlink farm, with a2enmod-style tools to add
     and remove them to an instance, so that installing a plugin's package
     doesn't automatically enable it for all instances
   - Snapshotting the current version of everything from Debian, which
     gives you stability, but cuts you loose from Debian (including for
     security updates)

It seems like having short-security-lifecycle webapps in the stable 
release is of limited value to users, and a pain to the security team. One 
possible approach is webapps that live in testing and backports but never 
reach stable itself. It's still valuable to have apt-installable webapps 
even if we don't have stable-quality security support for them, since 
Debian packaging provides other benefits.

More detailed notes follow.


On automatic configuration:
- One important role for policy to play is in negotiating automatic
   configuration / the desire to work out of the box, against the limited
   URL namespace.
- The priority should be towards people casually interested in the
   package who just want to `apt-get install` something and have it work.
   - People who are doing careful deployment of a site are likely to learn
     a lot about the package and how its upstream works, and work with the
     upstream release directly.
   - People who are doing mass hosting will probably have some tooling that
     they're familiar with, and getting Debian clearly better than theirs
     seems like it may not be worth the work, immediately.
- That said, we do want to support deploying multiple instances on the
   same machine.
   - We'd prefer not to use upstream support for multi-site within a
     deployment. Not many upstreams support it, and some (e.g. Drupal)
     recommend against it.
- We also strongly want to support importing content from existing
   sites. Not all webapps will have an import/export mechanism, but for
   those that do, it's important to document and standardize how to get
   your content running on the deployment.
- Handling database configuration sounds awesome.
- Handling database upgrades / migrations on version upgrade sounds very
   awesome. We're not sure if doing this in the postinst makes sense.
- dbconfig-common should be involved. It seems like it hasn't seen a lot
   of work recently, and none of us are very familiar with it or how to
   make it work well.

On deployment configuration:
- General preference is to support multiple deployment, geared towards
   small numbers of deployments. People seem to like Trac's packaging,
   incidentally.
- Make a directory with a symlink farm for plugins that the tool
   mentioned above can manipulate. It's also a convenient place to put
   unpackaged plugins and have them work against a packaged webapp; in
   addition, you can convert the symlinks into copies to detach yourself
   from Debian updates.
- Possibly we could use this directory for non-plugin language modules,
   but that gets somewhat tricky. For that, and especially if we want to
   talk about snapshotting the interpreter, we're better off integrating
   with Docker (and the Docker maintainers present were interested in
   making this work smoothly).
- Import/export is important for freedom reasons, to make packaged
   webapps useful (migration from some existing server), and to support
   backups. Database backups should integrate with dbconfig-common.

On security support:
- WordPress is fairly high-percentile on security support quality, and
   even it doesn't have a support lifecycle as long as a stable release.
   Many apps have no stable release policy.
- There's probably not much value in installing from Debian from a
   security viewpoint, and major version updates in stable seem to defeat
   the point.
- Maybe we should have certain webapps be present in unstable and
   testing and backports, but never in stable.
   - We'd need to define some mechanism for this to work in the archive.
- Alternatively, we could use a webapp team PPA.
- Setting up webapps so that their code / docroot isn't writable by the
   web useful is very valuable for security / hardening, and that's hard
   to do with upstream-distributed webapps. So even without security
   support, we can provide security advantages in packaging.
   - Having policies about this would be nice.
- We might want to be steering users towards apps that are more
   security-supportable instead of the popular and highly-vulnerable
   ones, but to some extent the vulnerability is merely due to their
   popularity.

Also:
- There are lots of ways to run a webapp (straight CGI, mod_foo,
   FastCGI) and we should make it easy to move between them.
- When a webapp needs a database, it shouldn't depend on a database
   package because running a separate DB server is pretty common, but we
   _should_ make it the case that a normal apt install is helpful for
   users who don't already have a database server.
- cPanel has a deployment interface and a one-click upgrade interface,
   but they don't really work. We may or may not be able to do better,
   but it's worth noting we aren't the first people to try.
- We might want to aggressively use systemd's template unit stuff to
   support multiple instances (you could have wordpress at myblog.service,
   wordpress at teamblog.service, etc.)
- We could define an fstab-style file (tentative name "/etc/webtab") to
   handle URL namespace allocation and routing, in a way that's agnostic
   to web server etc.

-- 
Geoffrey Thomas
https://ldpreload.com
geofft at ldpreload.com

More information about the Webapps-common-discuss mailing list