matomo-package
matomo-package copied to clipboard
matomo-org
Is the Matomo Debian package dead?
I absolutely hate posts like this because FOSS should not be about timescales and deliverables BUT this is also the official apt repository for a commercial product listed to this day as a supported method of installation.
I dont want to labour the point but some details are listed here
To summarise:
- Matomo 3, whilst technically still officially supported, receives no updates and speaking personally this also extends to plugins (even all the subscription ones we pay for). It has in all practical ways been put out to pasture.
- Matomo 3 will install and upgrade on Debian 9 but if you are running this OS in a commercial environment you will likely be getting told it fails security accreditation now.
- Matomo 3 will not install or upgrade on Debian 10. If you try it will break badly.
- All development and innovation seems to be on Matomo 4 which cannot be updated to or installed direct using apt.
I apologise for making this post but we are closing in on a year of missed updates and I am now at a cross roads. The effort to port from apt to manual install will be huge and I both dont want to do it or tell people how much its going to take in man hours.
Please can we have a roadmap.
I just updated the title to make it clear this is about the debian packages as this repository also contains build-package.sh which is the main way all Matomo releases are created and is updated for this all the time.
Thanks @nomandera for your interest. I've talked to the previous maintainer and I can confirm that he is not going to maintain the Debian package anymore.
So at this point we have two options:
- Deprecate the package, close it, make it clear that it won't be maintained anymore
- Find a new maintainer, who uses this package in production, and who could own this package (and eventually help us automate the debian package release using github actions)
Is there maybe anyone reading this who would be interested to take over the debian package for Matomo?
we do have quite solid docs and scripts that @aureq created, but it does need some work and knowledge of Debian.
Not sure it makes sense to close all the other issues. If there is a new maintainer, then many of those issues probably need to be reopened.
@Dreamsorcerer Most issues seem really low impact, and hadn't been commented/touched for years. Trying to be pragmatic and have a clean slate for whoever comes next (if we're lucky to find a new maintainer...)
No problem, I guess just a "reopen if this still affects you" then. I do see that some of them appear to have been fixed, although probably need some documentation.
Is there any option for Team Matomo to step in and take over even if it is a temporary measure?
During my initial research of install options the official announcement and apt repository left no doubt that the project was backed by Team Matomo.
Sorry if this seems negative, just feeling a bit left out in the rain here given that the very first time we need the Matomo team to maintain the Debian Matomo repository the response it to twilight the project and call for the community to step in or it will be closed.
@nomandera thanks for the note! the blog post now redirects to the official non-debian installation guide, to remove any possibly confusion.
we've also redirected https://debian.matomo.org/ for now, to make sure nobody else could get false expectations.
FYI Looking at some basic server logs stats, we can see that Since Jan 1st 2020 there were only 244 downloads of the release matomo_3.10.0-1_all.deb. So it looks to me like Debian package is not a very popular installation method.
Big thanks and kuddos to @aureq for his work all these years maintaining the package! :clap:
@nomandera thanks for the note! the blog post now redirects to the official non-debian installation guide, to remove any possibly confusion.
@mattab just wanted to note that I found the redirection from the Debian repo to the installation guide quite confusing! Would it be possible to redirect to a paragraph explaining that the Debian repository is no longer supported? I don't think the redirection alone communicates this effectively - I very nearly opened an issue about the redirection heh.
Thanks for all your work on Matomo - I've been a happy user for many years! Thanks @aureq too!
PS. This is still live in the docs:
How do I install Matomo on Debian GNU/Linux servers? https://matomo.org/faq/how-to-install/#faq_17844
Perhaps this is a good place to explain that the Debian package is no longer supported?
Since it is looking likely that the repository will be gone now forever could instructions on how to migrate to a supported install be provided as a sign of good faith from Matomo?
@nomandera If I can find some time in the next days, I'll write something. As I never used the package and can't reliably test it, this would be more of a community wiki for everyone to contribute to.
I very much appreciate the efforts @Findus23 as currently we are all feeling pretty annoyed at Matomo over here.
We followed the official install guide, purchased and renewed several addons during the subsequent years, contributed time and effort in this project and for our troubles we are now left with a a load of completely unmaintainable installs in the Douglas Adams style of "So long and thanks for all the fish".
This is what happens if a project just kills a repo:
Reading package lists... Done
E: Failed to fetch http://debian.matomo.org/dists/piwik/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://debian.matomo.org piwik InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
@BenSturmfels Thanks for the note the FAQ has been fixed
Thanks for the hint @nomandera - we restored the website at https://debian.matomo.org/ so it still works for now. (i hadn't realised setting a redirect would have broken the system...)
To install Matomo on Debian:
- your system can meet the requirements
- then proceed to install Matomo by following the instructions in our Matomo Installation Guide.
And when you install Matomo using these steps, you can enter the DB credentials of your existing database (the one that was managed by Debian before, you will find the DB credentials in the config/config.ini.php file), so your database will be reused and no data be lost.
Maybe @Findus23 will provide more details, or you can write here any questions or issues, we will help you migrate
Thanks @mattab! I still feel it would have been helpful to me to have a more direct statement in that FAQ answer such as "The previous Debian package repository is no longer actively maintained. We recommend migrating to the our standard installation approach." Thanks again.
@BenSturmfels we've just updated the page at https://debian.matomo.org/ - hope it's more clear. i'll leave the FAQ as is I think as people would easily find https://debian.matomo.org/ if they search :+1:
OK we are definitely making progress but we are not there yet.
The instructions
To install Matomo on Debian:
your system can meet the requirements
then proceed to install Matomo by following the instructions in our Matomo Installation Guide.
is fine for a new install but if you were to follow this as-is for an exiting apt install you would end up with a Frankensteins monster of two installs.
I would suggest we should be looking at an initial backup phase (of what I cant say) and then an apt remove or even and apt purge of apache2 matomo.
WARNING: untested please anyone following this thread dont just try this without being able to recover.
So what actually
- needs backed up beyond
config/config.ini.phpand the database? - How closely do the apt and manual install versions os Matomo need to be (remember everyone on apt is almost a year out of date)
Create a backup of everything (Matomo files and Database) is always a good thing.
In theory nothing needs to be backed up (even config/config.ini.php can be regenerated by going through the installer again). But there are a few things that will be lost:
- installed Plugins (not their settings)
- GeoIP database (you can find them in misc/)
- custom logos and favicons (also in misc/)
- salt (in not copying the config) which means password resets, things like this and maybe logged in sessions will be lost
You can download every release of Matomo from https://builds.matomo.org/ which would allow you to migrate to the identical version and afterwards update. In theory you can do both things at once, but I think doing them separately is easier.
Things you also need to set up, that the debian package included:
- The apache config of your webserver
- The archiving cron job: https://matomo.org/docs/setup-auto-archiving/
- A logrotate of the output of the cronjob (if you like): https://github.com/matomo-org/matomo-package/blob/master/debian/conf/matomo-log
Also I noticed that an apt remove deletes the Matomo directory so maybe copy it somewhere else first.
Just to confirm.
Is Matomo going to provide a set of upgrade instructions to port apt existing users to a mechanism that is still supported or is this on the community?
I ask because I have been tasked with pulling this off here and I dont want to forge ahead trying to work this out on the fly if an correct/official methodology is forthcoming.
@nomandera As noone asked here anymore, I assumed the steps explained above were enough.
But if you have any questions, I can answer them when they arise.
Thanks for the follow up. I just assumed that since apt was an official install method and since it has now been officially removed that some guide to port would be forthcoming.
There is a big difference between a series of tips and a official supplied and tested migration document.
Please realise that those of us with this in commercial production are now in a situation of having to build, R&D and test this procedure. This is unplanned cost and not an easy sell.
It is what it is I suppose but Matomo did not shine here. Far from it.
Hi all,
The wave is going to rise as admins will move from Buster to Bulleyes.
@Findus23
You can download every release of Matomo from https://plugins.matomo.org/ which would allow you to migrate to the identical version and afterwards update. In theory you can do both things at once, but I think doing them separately is easier.
Where? Following this link, it's far to be clear for me. Most of us will look for 3.14.1, the last that was provided.
Has the installer changed a lot between 3.14.1 and now? I mean file location and permission. If not, my proposal is to get this 3.14.1 installer package. Then install. This should result in having 2 matomo installation. Then, I'll try either to migrate old data in new install, or keep old package parts : logrotate, cron... Then ugrade
I can provide the shell command I used. I was on a classical Buster and move to a classical Bulleyes. But I need the 3.14.1 installer.
Regards,
@e-gaulue You are right, I mistyped the URL. I meant https://builds.matomo.org/
Debian admins are used to have obsolete packages as long as they are stable and secured. Those interested in newer packages can move to solution (Matomo, phpmyadmin, wordpress, ...) team own Debian packages.
Could anyone bring me to matomo team recommandations regarding apache configuration. I googled and found lots of people saying: "here is the way I installed it", but I did not find the team recommandations. I know we are on the border and one could say: "that's not the matomo job but the apache admin one to secure it".
For instance, in https://github.com/matomo-org/matomo-package/blob/master/debian/conf/apache.conf, we have a kind of partial proposal which aim is to secure installation. Is it still good? Could we have a better one for >=4 version?
By the way, it would be a shame to throw this Debian packaging stuff, as it doesn't look so unusable. I'm really sorry I do not have any time to spend on it (and I'm not a Debian package expert), but looking at it, it would take really few time for one of them to refresh this code.
Hi all,
I did manage to move from debian package to matomo classical install, but debian package was great: easy to install, easy to upgrade, easy to backup, easy to trust... So I looked at the files in the debian directory of this current git repository and I didn't find any reason why building 4.5.0 as a debian package would break. So I cloned the project. I made really few changes and got my matomo_4.5.0-3_all.deb package.
Of course, when you try to install it, it complains, but it's really easy to change and correct.
I'm in a situation I can say: "it works for me", but I need help if you want something considered stable.
I'm working with debian for 20 years now, but I don't consider myself as an expert. And regarding Matomo, I'm just a sys admin, not a user. I've got the experience of other web application (wordpress), so I think I understand most of its architecture.
If ever I can help, what is the real need? Get deb packages for which Matomo version and to which Debian destination? buster, bulleyes...
Regards,
Could anyone bring me to matomo team recommandations regarding apache configuration.
I don't know Apache well (I never used it), so take this with a grain of salt. But I think the only Apache setup things that are related to Matomo are handled by the .htaccess files that Matomo generates. So the only recommendation on how to set up your Apache instance that is exclusive to Matomo is: Make sure you have .htaccess files enabled in your config.
In nginx this is of course different and one can't generate config files. That's why I published https://github.com/matomo-org/matomo-nginx/ which should be enough to secure an nginx Matomo setup
For those interesting in testing a beta package of matomo 4.5.0 (as of today), you can try the one in the current pull request waiting for validation.
Here is a cook book for Bullseye (maybe also good for Buster):
- Set up your gpg credential to build the package, if you don't already have any
echo 'DEBEMAIL="[email protected]"
DEBFULLNAME="Your Name"
export DEBEMAIL DEBFULLNAME
' | tee -a ~/.bashrc
- Get the building dependancies
sudo apt install gnupg2 lintian debhelper devscripts build-essential fakeroot
- Get the sources and check for virus/trojan: this will show what I've changed from the official repo.
cd
git clone https://github.com/e-gaulue/matomo-package.git
cd matomo-package
git log
git show
- Import the matomo signature as the packager start with downloading the sources and checking them.
cd
wget http://builds.matomo.org/signature.asc
gpg --import signature.asc
- Compile: You can put whatever you want in the changelog file, as this will be YOUR package anyway.
cd matomo-package
make release
- Install
cd
sudo dpkg -i matomo_4.5.0-3_all.deb
- If the previous command complains about dependencies you can install them with
sudo apt install -f
Superb work.
I am extremely interested in this but I have a worry. The APT install method has been officially dropped as a supported install type which leaves me at a critical decision point.
If I commit to testing this I will incur an associated internal cost and then when ready a subsequent deployment cost.
However if the package is not official, tested and released in a timely manner, potentially stalling again in the future due to it being a "one man show not backed by Matomo Inc" I will be back to where we started.
Not to take away from your excellent work but...
could we have an official position statement from Matomo if they plan to back this and commit to keeping it maintained should community efforts need bolstering.
At home/fun/FOSS none of this matters but this now I am managing a bunch of commercial production installs which are stuck.
The Matomo team is currently not able to provide an official support any longer as we don't have someone who is familiar enough with the topic and don't have enough capacity to handle that.
@e-gaulue would you commit to provide required updates/changes needed for future releases? If so we could maybe reconsider the decision to drop official support.
