Option (1) is not really an option -- as I said in the other task, those packages are horrible, a bigger maintenance burden, and they are also very different from everything else we use. Between (2) and (3) I think option (2) is the way to go here. This is what we have done in the past, and past experience shows that the extra maintenance burden isn't much. Note that at some point we'll have to take on maintenance for even jessie/stretch systems, to go with e.g. Puppet 5.

(update: @herron is in the process of backporting)

A first stab at Trusty packages for puppet 4.8.2 and dependencies (hiera, ruby-deep-merge) have been built on boron (in /var/cache/pbuilder/result/trusty-amd64/) and appear to be working after cursory testing (it installs and puppet runs) on puppet-4-trusty-[12].puppet.eqiad.wmflabs.

Testing so for has been using a local file apt source, and the packages throw a "cannot be authenticated" warning this way. Will something need to be done to sign these correctly beyond adding them to a proper repo with reprepro?

Also is there a testing repo somewhere that could be used for further validation?

In T182894#3841972, @herron wrote:

A first stab at Trusty packages for puppet 4.8.2 and dependencies (hiera, ruby-deep-merge) have been built on boron (in /var/cache/pbuilder/result/trusty-amd64/) and appear to be working after cursory testing (it installs and puppet runs) on puppet-4-trusty-[12].puppet.eqiad.wmflabs.

All your packages are no-change backports, so the builds seems fine (trusty and jessie are fairly close, so not surprising).

Bu you should rebuild with modified version numbers, it's confusing to see +bpo versions on trusty (and reprepro will probably stumble over the fact that different binaries with the same version are tracked).

You can extract the source package using "dpkg-source -x foo.dsc", then run "dch" to generate a new changelog entry (I suggest you simply append ~trusty1 to the original Debian versions, e.g. 1.3.1-1~trusty1). Changelog entry can be something like "No change backport for trusty" (or if you needed to make actual backport changes, please list them). This is useful since we might need to rebuild puppet in the future (we did this for security updates in the past).

Set the distribution line to "trusty-wikimedia".

Testing so for has been using a local file apt source, and the packages throw a "cannot be authenticated" warning this way. Will something need to be done to sign these correctly beyond adding them to a proper repo with reprepro?

We don't use signed uploads in our infrastructure (yet). You can copy the built files (source, debs and .changes file) to install1002.wikimedia.org. Then run

reprepro -C main include trusty-wikimedia foo.changes

Also is there a testing repo somewhere that could be used for further validation?

We have the experimental component (somewhat deprecated, but still exists), but for your purpose I suggest you copy the files to one of the ocg* hosts. They no longer run OCG, but they're still installed with trusty, so you can safely install the new packages with "dpkg -i foo.deb" and test general puppet operation before uploading to apt.wikimedia.org

Thanks @MoritzMuehlenhoff!

New packages have been built following this guidance, uploaded to apt.wikimedia.org and trusty hosts have been upgraded to the puppet 4 agent today.

Once T184017 is resolved I think we'll be done here!

This week @chasemp discovered an issue where puppet apply breaks on trusty hosts with Error: Evaluation Error: Error while evaluating a Function Call, uninitialized constant RGen::ECore::ELong. We traced this back the older version of ruby-rgen (dependency of the puppet package) that is available on trusty.

Upgrading to the jessie ruby-rgen package solved this issue, so ruby-rgen-0.7.0-1 has been backported from jessie to trusty and uploaded to apt.wikimedia.org.

Mentioned in SAL (#wikimedia-operations) [2018-01-18T22:36:50Z] <herron> added ruby-rgen-0.7.0-1 (backported package from jessie) to trusty-wikimedia apt repo (T182894)