AppStream Ideas and Thoughts
Florian Festi
ffesti at redhat.com
Tue Feb 15 02:11:47 PST 2011
On 02/15/2011 09:54 AM, James Rhodes wrote:
> I know why package managers work the way they do; having everything in
> a central repository at first seems to be a great way to ensure that
> every software that the distribution wants to offer has the
> dependencies available for it, which for well-known open source
> software is fine. There's a high chance that users will be able to
> find the software they want in the repository.
As you kinda admit, getting the dependencies right is not trivial (there
are in fact some nicely NP-complete problems lurking there). A package
format alone neither solves this nor integrates with the distribution
beyond adding the duplicates into its database. Maybe some of these
difficulties can be solved by leveraging the work already done in the
distributions, but it still is not trivial.
There are a couple of other reasons why distributions look the way they
do that need to be taken into account (the list does not claim
completeness):
Have someone taking care of every component that got packaged. How can a
user expect that the vendor is capable of taking care of all issues that
may emerge in the libraries they have bundled? The distributions assign
someone to every library, and they have a separate security response
team to make sure the maintainers do their job.
In such a packaged world the amount of data needed for updating a
(compromised) library is enormous. This basically shuts down updates for
everything but the most urgent exploits, and even those generate an ugly
amount of fallout - especially as these updates come in one big chunk
(think about an exploit in zlib).
The distributions are a trusted third party that makes sure that the
software they get from upstream is not malicious. Sure, vendors with a
strong brand don't need a third party (e.g. the Adobe repositories). But
the target audience of such package formats typically doesn't have such
a brand.
The know-how of good packaging and package maintenance does not scale
down very well. There is a serious amount of general knowledge and
continuous work needed. This is significantly easier within a big
project dedicated to this task than on your own. No matter how good
your tools are, they still put a pretty big burden onto the third-party
vendors (have a look at the RPMs they build).
I think the overall approach is flawed. If I were interested in this
topic I'd use the SUSE build system tools or something similar and offer
a service to create packages for all distros. Maybe charge a fee for
closed source applications, or offer a build system as an appliance or
cloud image. Then set up a repository or a repository list that makes it
easy for users to subscribe.
Florian
More information about the Distributions mailing list