AppStream Ideas and Thoughts

James Antill james at fedoraproject.org
Wed Feb 16 12:05:14 PST 2011


 I should probably ignore this like most of the other "distros. are the
problem" comments I see (esp. given the ML), but...

On Wed, 2011-02-16 at 19:25 +0100, Matthias Klumpp wrote:
> Interesting... So this is a social issue: You need to trust someone. But
> if you trust Debian, which does great in spreading the idea of free
> software, why won't you trust developer X, who is e.g. also a DD and
> free-software enthusiast?

 I think the first problem "you" (meaning zero-install, autopackage,
Klick, Lister, etc. etc.) have is that you have this very basic
definition of "trust" around packaging.

 Yes, in general, I'm happy to "trust" a lot of upstream developers to
write code and produce releases that _they think_ work.
 However, I would _not_ trust that a collection of those things would be
a usable distribution. In fact I'd expect it to be _at best_ as good as
rawhide, and I'd bet against it being that good.

 With distributions like RHEL, Debian, Ubuntu or Fedora, I'd trust (at
varying levels) all of them to:

1. Produce a usable distro. release.

2. Produce a set of policies that all the applications abide by.

3. Produce timely security updates, marked as such, that are tested
within their release. And, as much as possible, to not combine those
with normal updates.

4. Produce timely updates that are tested, and within a certain
threshold of change.

5. As a "group" watch the packages collectively, and thus not allow a
single developer/package/etc. to make certain decisions.

6. Provide connectivity in the 99.999% range. 

7. Be transparent about what they are doing.

8. Random other stuff I haven't thought about right now.


...all based on their history over *mumble* number of years doing that.
 To repeat, I wouldn't trust random upstream developers to do #1 well
and I'd heavily bet against them on 2-8. To put it another way: If
developers could do those things well, and were willing to do so, they'd
at the very least be maintainers in Fedora/Debian/etc.

 This is why 15+ years later "nobody" is using stow, autopackage,
zero-install, etc. and Apple have recently got huge amounts of press for
going from "run .dmg files from a random developer's website" (the
perfect developer's dream) to "get approved apps. into our central
packaging repo." (far more centralized than even apt).
 Which is also why I generally don't respond: why spend an hour or more
writing an email when I can just wait 5-10 years?

> By signing all 3rd-party app "packages", the system administrator also
> could easily block all 3rd-party software, except something which is signed
> with e.g. Debian's or Google's key.

 A random sysadmin. has the spare time to do that for a _small_ number
of very important applications (I mean less than 10) ... maybe (and they
still don't want to). And they can do that now, with existing tools that
everybody is already using.
