(sorry, if this comes in double; i sent the same mail yesterday, but it seems it didn't make it (i did check the archives); so i'm re-sending via the webinterface)

hi,

it's summer here in europe, and students have left the campus. so - like every summer - I ponder on the idea of migrating our old mailman2 instance that has served us for the last twenty years to a new and shiny mailman3.

and - like always - i'm a bit unsure about the best way to proceed to find the optimum deployment strategy for a long-running (decades) medium-sized (our largest list has ~1800 members) installation. one of our primary objectives is receiving *security updates*. we also would like to stay on top of development (that is: use the latest and greatest *stable* mailman3 release).

in my heart i am a Debian person, so my mailman2 installation just used the Debian packages. the new deployment machine, will be Debian based as well.

now https://docs.mailman3.org/en/latest/install/install.html lists three options:

# Debian packages this is what I would normally pick, but: my past experience with mailman3 in Debian was... rather suboptimal. (my current Debian box running mailman3 is frozen at Debian/buster ("old-old-stable") because of mailman3).

i see that the packages in current Debian/stable ("bookworm"), are lagging slightly (3.3.8, rather than 3.3.9), though that's to be expected from a distro with stable releases. otoh, Debian/unstable still ships 3.3.8, which is a bit disappointing.

in any case, the really nice thing about (Debian-official) Debian packages is that they are typically

• stable
• guarantee an upgrade path between releases

Docker packages

this is of course the simplest from a deployment perspective, but then i'm a bit worried about the security perspective. in my perception, docker deployments tend to get installed and then forgotten, and while the host OS keeps getting updates, the docker images are just left as is. so they tend to get stale.

i would like to know how this is handled

# virtualenv

this is the deployment method recommended in the docs. however, it doesn't say why this method is any better than the others. also, the website says that it was last updated in 2019, so: is this recommendation still relevant?

personally i do not have much experience with deployment of long-running software in virtualenv, and i'm esp worried a bit when it comes to switching python releases (which will happen multiple times in the next few years)

i use virtualenv all the time for my pet projects, but there it doesn't matter much, if the venv breaks: i just delete it and start from scratch. but those are not long-running services.

so: what are the drawbacks, limitations, advantages and benefits of the various deployment methods?

i'd really like to make the switch this year!

gmfasdr IOhannes