Questions about update procedure of Indico 3.x

Dear Indico developers,

I have some questions regarding the update procedure of Indico 3.x:

In the past python and uwsgi were installed from the repository of the linux distribution. Now a lot more manual updating is necessary.

  1. Since pyenv is used now, do I manually need to update it (pyenv update) or is the update procedure integrated somewhere else (e.g. in indico setup upgrade-python)?

  2. In the Indico documentation one step of updating Indico is checking for the latest python version (indico setup upgrade-python). Since there might be security updates for python, I guess I need to manually check this even if there are no Indico updates available and follow the Indico update procedure just leaving out the following steps?

         pip install -U indico
         pip install -U indico-plugins
         indico db upgrade
         indico db --all-plugins upgrade

  3. Since uwsgi (and wheel) is installed using pip now, I assume I need to manually update them (pip install -U uwsgi wheel)?

  4. I assume to keep track of important updates the feature behind SYSTEM_NOTICES_URL has been included in Indico. Can I expect to be notified in case of security updates for pyenv, python, uwsgi and wheel using this feature? Otherwise keeping everything up to date seems complicated.

Thanks a lot!

Michael

Updating pyenv itself is not really important, since it’s just a set of scripts to install/build a Python version; no pyenv code is used at “runtime”. But in any case, upgrade-python does a pyenv update first.

Yes, just running indico setup upgrade-python should be enough to apply a minor Python version update. FWIW, actual security updates for Python are rare; typically it’s in very obscure parts of stdlib (that aren’t used by Indico). Due to the uWSGI rebuild that happens here, make sure to actually restart uWSGI and not just reload it (touching the wsgi file).

wheel is just a Python packaging util; any updates (security or otherwise) are usually not relevant except when you try to operate on possibly untrusted wheel files. In any case upgrade-python will upgrade wheel and rebuild uWSGI (since that’s needed anyway in order to make it use the new Python version).

So the main reason why I added it was to inform people if they use an old Postgres version (since we no longer test e.g. on Postgres 9.6 (which has now reached its end-of-life anyway)). But the notification system allows us to show notices based on either the Postgres, Python or Indico version, so if there’s an important update we’d indeed make use of it.

Thanks a lot for your very helpful reply!

I think the necessity to restart and not just reload uWSGI in case of a python (or uWSGI?) update should be added to the official doc (Upgrade — Indico 3.0.4-dev documentation).

You said that upgrade-python will rebuild uWSGI. Does this mean it will also first update uWSGI? Does upgrade-python also update uWSGI in case there is no new python version? If not, what is the procedure to update uWSGI?

How does one know about important uWSGI updates? Do you count it among “notices based on python” in the context of your notification system?

uWSGI releases are relatively rare; but we could add a notice in the upgrade docs if there’s an update which we believe people should really install. In any case all that’s needed to manually update uWSGI is pip install -U uwsgi.

In case of notifications (SYSTEM_NOTICES): will I receive an email from Indico or from you using the contact email address entered when joining Indico Hub, or do I need to log in to Indico to see the notifications? In the latter case I might miss them, since I am not logged in all the time.

Thanks again,

Michael

Currently these notices are only shown in the Indico admin area and nowhere else. Indico sending an email to the internal contact address (SUPPORT_EMAIL) from the config (I would not use the community hub one; not everyone uses it) when a new notification comes up could be a very interesting feature though…