Migrating Critical Chocolatey Packages To Chocolatey Community

[AdmiringWorm]

Discussed in #1898

^{Originally posted by pauby May 30, 2022}
I have a proposal that I wanted to discuss with the Community here to find the best way to approach migrating critical Chocolatey packages to this repository.

Chocolatey CLI requires specific packages for it's package sources such asruby, python and webpi. There are also packages that are required for Chocolatey CLI features such as intunewinappyutil. And packages required for Chocolatey products such as nexus and jenkins. Different maintainers are responsible for these packages.

To ensure Chocolatey has a secure, trusted and well-defined package management process, we have had some discussions internally and wanted to understand what the Community thought of:

• Migrating the packages discussed above to this repository.
• The use of the CODEOWNERS file ensures that the maintainers best placed to review package changes can do so, providing a trusted and secure process for those critical packages.
• Use the automation that already exists in this repository to ensure packages are up-to-date.

I see the benefits to the Community as

• Members of the Chocolatey Team would be available to help with management of the repository.
• Increased number of package maintainers, able to work on packages and review / merge PR's.
• The migrated packages would be open-source in this repository, allowing others to get involved in helping to resolve problems and add new features

The two important things that I wanted to ensure from this is:

• A secure, trusted and well-defined process for managing critical Chocolatey packages.
• Increase in the number of Community maintainers working in this repository.

I believe this will provide both of those, and I hope that it will encourage other new and experienced maintainers to become involved too. I would really like to see this repository thrive, and I feel this is a good step on that path.

Please let me know your thoughts.

The full list of packages that will be migrated are shown below:

• [ ] webpicmd (this is no longer going to be migrated as the webpi source has been removed by Microsoft).
• (intunewinapputil) Migrate package to new repository #1929
• (nexus-repository) Adds Nexus-Repository #2065
• (jenkins) Adds Jenkins package #2175
• (azcopy10) Migrate package to new repository #2336
• (selenium-chromium-edge-driver) Migrate package to repository #1871
• (selenium-chrome-driver) Migrate package #1861

Additionally, there is a need to create a new package that will be part of this as well for the following software:

• Create Selenium PowerShell Module package #2179

[pauby]

Answering the questions from #2336 (comment):

• Replace azcopy package with content of azcopy10 package (and maybe create an azcopy8 package with old content if people still want to use an old version)
• Publish azcopy 10.X as azcopy package
• "Deprecate" azcopy10 package by putting it as a dependency of azcopy package so people can migrate to it

I think this woudl be a good idea to do. But would be outside of the scope of this issue (which is about migrating critical packages to the Chocolatey Community).

I would be curious as to what @corbob and @AdmiringWorm think about doing this right now rather than migrating in azcopy10 and then doing the work to azcopy?

[AdmiringWorm]

If we down the line wants to create an azcopy8 package, then let us keep the content in the azcopy10 package, and rather change the azcopy to be a meta package that depends on it (similar to how the python packages operates).

[jbpaux]

I honestly think nobody still use azcopy 8 (current azcopy package) and we should replace azcopy10 package to azcopy and in the interim add azcopy as a dependency of azcopy10 so people migrate to it smoothly and in a midterm future delete azcopy10 package. (but maybe out of scope of this issue, sorry)

[corbob]

I'm with @AdmiringWorm on this. If we change things, then azcopy should be a meta package that takes azcopy10 as the dependency. The reason for this in my mind is if version 11 comes out, anyone depending on azcopy would get upgraded, but if they do what they did with 8 vs 10, then this may not be the desired behaviour.

[AdmiringWorm]

All the packages that were meant to be migrated are done, as such I will close this issue now.