Batis - XDG-based packaging for Linux desktop apps

Jasper St. Pierre jstpierre at mecheye.net
Fri Nov 20 13:01:13 PST 2015 

Currently, the security model of Linux systems is "distro verifies
security and adds to their own repo", with, of course, the step of
"user trusts distro".

The security model of Batis seems to be "user trusts application developer"

The security model of xdg-app is "user trusts the sandbox mechanism".

Even without that, there are difficult social problems to solve. The
problem with tarball-based distribution is that applications are built
for a specific environment. So an application built on Debian will
probably assume some form of Debian-isms.

Most vendors solve this problem by shipping an environment with their
system, or by explicitly saying "we work and test within this
environment, and anything else is unsupported". Sometimes a
combination of both.

Steam does this -- they ship a stripped down Ubuntu as their
environment. xdg-app does something similar, only it also allows
having multiple environments (called "runtimes") on your system, each
deduplicated.

Batis doesn't seem to attempt to solve this problem, from what I can
tell. That's disappointing.

On Fri, Nov 20, 2015 at 12:54 PM, Thomas Kluyver <thomas at kluyver.me.uk> wrote:
> On Fri, Nov 20, 2015, at 08:09 PM, Jasper St. Pierre wrote:
>> I'm worried. We have xdg-app, we have batis, and I learned that the
>> KDE people are working on their own thing as well.
>
> I haven't heard about the KDE project in this space - is there any
> website for that?
>
> I have looked at xdg-app before, and it looks interesting, but it also
> looks an order of magnitude more ambitious and complex than what I'm
> doing. The homepage for it talks a lot about sandboxing technologies,
> and something called OSTree, which is apparently "git for operating
> system binaries". That's fine for keen Linux desktop developers like the
> GNOME team, but I find it hard to imagine cross-platform application
> developers, who may not even run Linux day to day, figuring it all out.
> Batis is supposed to be a straightforward step up from distributing
> plain tarballs.
>
> Subuser (http://subuser.org/) is yet another approach to distributing
> applications.
>
>> Could whoever is working on these systems try to collaborate and agree
>> on some common goals? The code between these systems might be
>> different, but I think more interoperability and collaboration would
>> be appreciated.
>
> That's a worthy aim, but I think there are simply too many different
> ideas and priorities out there. For instance, sandboxing applications is
> clearly a primary concern for xdg-app, whereas it's explicitly something
> I'm not trying to tackle.
>
> Bastien:
>> No container means no sandboxing. As far as I'm concerned, that makes
>> it not be a realistic option for the future of the Linux desktop.
>
> I'm aiming at the present of the Linux desktop, not the future. ;-)
>
> In principle, sure, I'd love a sandbox. In practice, I download code and
> run it without a sandbox practically every day, whether it's from PyPI,
> from Ubuntu PPAs, or just downloading tarballs from application
> websites. I don't think application developers are going to bother with
> sandboxing technology until that is *the way* to distribute applications
> on Linux, for all distributions and all desktops. And that's at least a
> few years away.
>
> Also, I'm not sure the Linux desktop has much of a future unless the
> situation improves sooner. The number of Linux desktop users I know is
> dwindling as they convert to Mac. Programming conferences, even where
> open source software plays a big part, are now a sea of Macbooks. We
> need bigger plans like sandboxing technology, but we also need something
> to move the status quo forwards.
>
>> Right now, Batis looks like "another package format" to me, nothing else.
>
> It is another package format! But for all the applications out there
> that just offer Linux users tarballs, they can use this to build their
> package without losing any flexibility, and both developer and user gain
> some convenience. And for the applications that rely on Linux distros
> for packaging, maybe this makes it simple enough to package themselves,
> so that users can get up to date versions.
>
> Thomas



-- 
  Jasper

More information about the xdg mailing list