[Change]: Questionnaire summary: Enable users to install packages from selected external repositories (e.g. PyPI, CRAN, Conda, Maven)

[edwardchalstrey1]

Summary

The percentage splits of responses to the SATRE survey questions on packages from external repos in a TRE.

Source

SATRE specification survey responses

Detail

Survey results:

9.1.a. Any package

No opinion	Not important	Nice to have	Important	Essential
7.62%	18.10%	37.14%	23.81%	13.33%

9.2.a. A curated subset of packages

No opinion	Not important	Nice to have	Important	Essential
7.62%	2.86%	12.38%	26.67%	50.48%

Where

TRE required features and TRE optional features

Proposal

• Include the ability to install a curated subset of packages from external repos in 'required' features of the TRE specification
• Include the ability to install any package from external repos in 'optional' features of the TRE specification

Who can help

Anyone

Specification section

https://satre-specification.readthedocs.io/en/latest/pillars/computing_technology.html#software-tools (see #110)

[crickpetebarnsley]

How would this become a "specification"? I do not understand how this becomes part of a trusted research environment specification. How does this match to the Q8 (programming language support)?

Are you expecting to specify the set of packages if you include 9.2 and not 9.1? Or is the specification that the TRE publishes the set it has deployed?

Would a chosen set will only help some people (probably the minority). Would the incompatibility between various package versions means that central management will be an "impossible" overhead to resolve problems and fix with regression testing? Is the only viable option, if this is part of the specification, for deployment to be possible onto a connected 'compute' and for it all to be the responsibility of the individual research projects and their TREs. Then it is 9.1 not 9.2 that is the approach. Then a specification requirement could be that all packages are logged and their use in research pipelines must be logged and recorded (with version and configuration metadata).

But I do not understand this as part of a trusted research environment specification. How does this match to the Q8 (programming language support)?

How would such an ability be described in an architecture diagram? Would it have network layer parts as well as application layer parts?

[edwardchalstrey1]

I'm going to close this based on what we have in the spec:

A TRE may provide limited access to some software repositories	For example, a TRE may allow installation of packages from Python or R repositories, or provide an internal mirror with approved packages.	Optional

[edwardchalstrey1]

Would the incompatibility between various package versions means that central management will be an "impossible" overhead to resolve problems and fix with regression testing

@crickpetebarnsley I think the idea here is that this difficulty is down to the researchers, rather than TRE developer/operators