AppStream Ideas and Thoughts

James Rhodes jrhodes at redpointsoftware.com.au
Tue Feb 15 15:55:36 PST 2011


On Wed, Feb 16, 2011 at 6:21 AM, Jos Poortvliet <jos at opensuse.org> wrote:
> On 2011-02-14 Matthias wrote:
>> Hi!
>>
>> On Mon, 14 Feb 2011 16:18:55 -0200, Jos Poortvliet
> <snip>
>> Neither Listaller nor AppTool want to replace DEB/RPM, it's just an
>> extension, like Klik was. All these tools interact somehow with the native
>> package management to fetch dependencies etc. and make 3rd-party apps
>> usable.
>> The "unified package format" does not mean Fedora using DEB or Debian
>> using RPM, it means all distributions sharing one file format to distribute
>> 3rd-party apps, which includes FLOSS projects as well as proprietary
>> software like Google Earth, World of Goo or Angry Birds. I really hate the
>> binary installers of Google Earth etc., but if proprietary software
>> developers publish tarballs containing statically-linked apps, it is not
>> really easy for ordinary end-users to get it working properly (and
>> integrating it into the system cannot be done with dirty, insecure tricks).
>> Also, ordinary end-users cannot do anything with a tarball containing just
>> sources they should "compile" to make an application working.
>
> Now I might be mistaken and I know it might be fighting windmills but I
> thought 'we' (= FOSS community) didn't like to make it too easy for users to
> install stuff from outside the safe distro repositories? For security,
> stability and performance reasons? In other words, a cross-distro packaging
> format means - what is the value of distributions, how can we share libraries,
> how do we guarantee security updates in dependencies, stuff like that starts
> biting. Isn't THAT the problem with cross-distro, always-working app
> installers like Klik?

What is the value of distributions?  The maintainers get to pick and
choose how they want the end user's system to run (by default).  I
think that's really the only value in distributions.  Occasionally
distributions also contain custom software (such as YaST).

How can we share libraries?  Same way you do now?  I don't see the issue here.

How do we guarantee security updates in dependencies?  If you mean how
do we ensure that updates are originating from the original source
(i.e. secure update process), then signing.  If you mean how do you
ensure that security updates are applied to packages, then the same
way they are now; with an automatic update mechanism.

On Wed, Feb 16, 2011 at 3:16 AM, Matthias Klumpp <matthias at nlinux.org> wrote:
> Of course, the whole process needs to be secure, maybe only admins should
> be able to install (signed) software. And developers should get a tool like
> "lintian" or "rpmlint" to create sane software pkgs. Libraries should be
> out of scope for an approach like this.

If the user doesn't have root permissions, they can install a package
inside their user directory, for example to
~/.Applications/PackageName/Version/ (obviously this won't work for
some of the more core system packages).

Regards, James.