-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 04 Oct 2003 03:25:09 -0400, Andy Hanton wrote: What exactly is Sean's vision? It might be just me, but I don't think that became clear in the controversy due to misunderstandings (e.g. with regard to optional [versioned] build requirements). Maybe someone can sum up a few major flaws in current "RPM packaging" with regard to packagers and package users and outline the changes that are supposed to improve the situation. Btw, if you're asking for major efforts to make the life easier for a tiny group of users, who stick to an old distribution and who want to install the latest and greatest software in form of prebuilt packages nevertheless, I think that's a hopeless venture due to API and ABI changes. - -- Michael, who doesn't reply to top posts and complete quotes anymore.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 04 Oct 2003 11:51:34 -0400, Sean Middleditch wrote: This one? http://autopackage.org/faq.html Doesn't look promising in the middle of the FAQ. - -- Michael, who doesn't reply to top posts and complete quotes anymore.

Le sam 04/10/2003 à 19:58, Andy Hanton a écrit : And how do you trust the result ? RPMs at least are signed. -- Nicolas Mailhot

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 04 Oct 2003 13:58:32 -0400, Andy Hanton wrote: Treat me like a dumb user, please. In which way is that better than the current dependency on libgtk-x11-2.0.so.0? What problems is it supposed to fix? $ rpm --redhatprovides libgtk-x11-2.0.so.0 gtk2-2.2.1-4 We do have that feature already, don't we? - -- Michael, who doesn't reply to top posts and complete quotes anymore.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 04 Oct 2003 15:10:35 -0400, Andy Hanton wrote: So, in other words I would depend on arbitrary sites to supply prebuilt libraries rather than getting software from trusted community repositories? Would those prebuilt libraries be of the same poor quality than what is offered on the average upstream site? The average upstream site features contributed packages. Contributed by individuals. The same individual who would contribute their packages to a community project, provided that such a community project is available. Not clear at all. Why would I need that library? Why wouldn't it be found automatically when I install an application with e.g. Yum? Why hasn't anyone created a src.rpm for it? Aha, the software is complicated to install from source? There we have the real problem. Only what is popular or worthwhile gets packaged by someone. Everything else can be rebuilt from source. Ah, cross-distribution. *cough* Who makes sure that app A from site B and lib D from site E for distribution C work smoothly on distribution F where inter-library dependencies are satisfied with packages from site G? Where is the testing and quality assurance in this scenario? Isn't that what Fedora Extras tries to target? The chance for the community to package the popular stuff and maintain it as long as their is enough interest in it? Scary scenario. Even more scary when the application asks for superuser privileges in order to perform some ordinary integration tasks. The scenario gets threatening when the author of the application focuses on prebuilt binaries as primary distribution channel and neglects the source code level. Oh, and don't dare to report a bug to the author when you run a different distribution. - -- Michael, who doesn't reply to top posts and complete quotes anymore.

Le sam 04/10/2003 à 23:49, Havoc Pennington a écrit : Actually the smart thing would be to distribute apt/yum/up2date profiles that match an usage, and let them the package manager download the parts that are not installed yet and all second, third, fourth... -level dependencies. I'll be strongly suspicious of any application-level bundling. Upstream projects just do not care enough to get all peripheral stuff right. OTOH some way to specify weak user-level dependencies (like "my doc is in pdf - get yourself a pdf reader") would help many people ("hard" dependencies ie stuff that is required by the code to work being handled the usual rpm way). Cheers, -- Nicolas Mailhot

Le dim 05/10/2003 à 03:04, Havoc Pennington a écrit : Sure. I realised after posting that was exactly what anaconda already did at installation time;) -- Nicolas Mailhot

On Sat, 2003-10-11 at 18:22, Mike Hearn wrote: Statically linking isn't the answer proposed at all. Anyone trying to do that will make the situation *much* worse. I'm ASSuming Havoc meant bundling with as how many Windows apps do it - they come (metaphorically speaking) as a bundle of RPMs, and the dependencies are then installed as needed. With our world of up2date/yum/apt we don't need to bundle the dependencies. We just need to not keep breaking them so they stop working unless you recompile half the machine. i.e., if mydep 1.1 isn't API/ABI compatable with mydep 1.0, they must be coinstallable, and the library versions updated. LSB is just this, and many distros are LSB compliant these days. Those that can't keep a stable ABI simply need to reflect this in some meaningful way to both developers and users - soversions and co-installable data, big warning labels, etc. This sounds like it needs to be fixed; i.e., an easy way to disable that. I know apps linked against older libcs work on RH9 (usually, the occasional odd app fails, which is quite unfortunate). Which is good. The LSB just needs to define more packages. But that's just LSB. LSB is, again, most useful for commercial software. When talking open-source apps, we have a lot more leeway. Namely, the upstream devs can provide the "standard". Example, so long as the GTK devs don't break their excellent track record of sane API/ABI versioning, and so long as people package it properly (which, so far, is the case on RH/Fedora), software can rely on GTK. The same goes for any other dependency in which the upstream authors apply proper release techniques. LSB, I should note, also isn't for low-level system stuff. It's really for monolithic apps. I don't even see the point in installing something like, say, apache, as an LSB package - its not really the target audience. That would be interesting. The problem is, then, every single app that possibly exists in the application/dependency archive would be in the menues. Ick. While I understand the use cases, as I've said on the autopackage lists, and real Application Manager is needed (which I've some new ideas for, i'll post those to the ap list). Which isn't really possible. The best you could do is inform the user that the system doesn't *appear* to be using the app anymore (no users have a launcher for it, if you can even determine that easily) and let them optionally uninstall it. The same is true to libraries/dependencies - sure, normal users might not need them if no other packages are using them, but hackers/admins probably have a lot of stuff installed from source. So automatic dependency "garbage" collection isn't really feasible, at least not without lots and lots of user interaction and such. It could be useful for on-disk management, corporate deployment, CDs, etc. But probably not useful enough if the tools just become more intelligent; i.e., if I click on a package in Nautilus and redhat-install-packages sees I'm missing a dependency, it should try looking in the folder the main package is in to find them. That would make a lot of "off the 'net" RPM installations easier, for one. If the package could point to URLs that have a list of packages for dependency resolution, it would get even cooler (tho then GPG security and such would probably be more important - I can just see the "Trust content from Macromedia" dialogs and such one's accustomed to in Windows... but then, blindly trusting an entire distro which is community based and in which nearly anyone can eventually get access to upload packages, those incessant dialogs are probably a better approach...) yay standards! ;-) Fortunately, the file name of an RPM is completely arbitrary. In large collections with comps file (or whatever), "specific" naming is possible; but if I want to put an RPM of some single piece of software on my site, I'm quite free to call it anything. Hmm, a bit farther than I had in mind, but it would certainly work; one can imagine the "RPM Installer" Mozilla plugin. ;-) If we even get to the point tho where the user can click the website icon, and the Browser pops up a "Install Application?" dialog that downloads and installs without the glitz, we'd be a long way ahead of where we are now (click icon, get RPM, watch it not work, realize some goof made the libinsane1 on OS release 2 completely incompatible with libinsane1 on OS release 1, spend time figuring out whether the lib or the app is easier to rebuild, find out the rebuild needs tons of build dependencies which the tools don't bother to grab for you, etc. etc.). That would certainly be nifty. Really, all that would require a small .desktop-like file describing the package, and the mirror-net its on. The install app just finds a mirror, looks up the real package (and dependencies, possibly querying not only the app's mirror but also the distro's repository), etc. Heck, I think there are a couple (not nearly done) apps that do just this, minus the high-level of desktop integration. Agreed. Most of the responsibility has to lay with the upstream developers. If the authors of libfoobar are goofs and refuse to put the 3 seconds of effort forth to make their software at least co-installable with other versions, than any upstream dev who relies on libfoobar is just as guilty of bad practices. A good guide on packaging might help resolve a number of such situation. One of the biggest problems with RPMs isn't even that the software is actually incompatible, just that the packaging *makes* it incompatible; packages putting things in different locations, packages that conflict with each other in order to provide different optional featuresets (why in all the world should a user have to unisntall an app to add features? sounds dumb, but yet we have to do it many times, because make packages like someapp-nofeatures, someapp-feature1, someapp-feature2, someapp-allfeatures, etc. not necessary!) Evangelism on the importance of proper development practices could be useful, too. Probably the only place I've seen describing library versioning in detail is the innards of the libtool manual. No wonder lots of devs don't do it right, eh? Something like the war on drugs is needed: DARP, Developers Against Ramshackle Packages. ;-) -- Sean Middleditch <elanthis(a)awesomeplay.com&gt; AwesomePlay Productions, Inc.

Le dim 12/10/2003 à 17:56, Mike Hearn a écrit : Please keep unstalling/uninstalling out of menus. Windows only does it because for a long time they installation manager panel missed most apps (and still misses some of them). So people had to put uninstall links somewhere else. Really it's amazing how people forget history and comme to accept ugly workarounds as the natural way to do things. We don't need no windowish in-your-face uninstall solutions, we don't need popup eulas, change-install-location dialogs, here-is-the-disc-size-I-need-please-check windows, you-think-I'm-installed-but-check-my-20-pages-readme popups, don't-bother-with-permissions-and-run-everything-as-admin (I case people wonder - I've just documented the installation of an app that used a custom installer clearly written by a brainwashed monopolysoft user. Just documenting this single installation took as many pages as the ones devoted to updating the whole multi-hundred rpm system) Anyway I don't know why I bother - just do your thing and I'll watch HiG people shot it down. Sure - why use a single consistent working solution when you can let everyone reinvent incompatible wheels ? Well I can tell you we have *nothing* to learn from java packaging, quite the contrary. In fact the java world right now is a motherload of bad packaging examples. Developer education will *always* be a problem. Developing and packaging are just two different CS specialities (just like developing and QA). Some people will do both, most won't, expecting every single developer to be able to package things is just a recipe for bad packaging. Cheers, -- Nicolas Mailhot

Le dim 12/10/2003 à 23:05, Julien Olivier a écrit : I understood it this way too;) I just didn't want anyone to translate it into "java packaging is good" (which just proves you can have terrific developers and piss-poor packagers) Cheers, -- Nicolas Mailhot

On Sun, 2003-10-12 at 12:51, Nicolas Mailhot wrote: I think perhaps you aren't following Mike's intent - the Windows way, adding big menu options for "Uninstall", is not what he meant. More, when you context-click on an app in the menu, several options pop up (copy launcher, remove from menu, etc.) - one of those would (could) be "Uninstall application". Completely out of the way unless you're looking for it. In many cases, we *do* need some of those. We *do* need EULA support, for example, since applications I install often have them. Whether or not you think they're evil, others need an installer that supports them (versus the RPM way, which requires packagers to wrap the RPM in a shell script which I then have to run in a command line to open, agree to the EULA, and then install) as they use applications that have them, and need to continue doing so. Ya... let's keep this to technical facts, not "brainwashed Free Software user" paranoia. Thanks. ;-) Installation problems on Linux I've run into are almost always because of RPM. If RPMs usually supported more than on particular snapshot of a particular distro, if RPMs actually worked on all distros, and if RPM had abilities to ask users install questions, select software components, agree to legally-required EULAs (there's doubt that even the GPL is really valid if the user is never forced to agree to it, or even *see* it, to use the software), etc. then software developers probably wouldn't need to rely on hacked-up installers. As is, even most of the companies that ship RPMs generally need to wrap them in shell scripts or other hacks in order to "add" the features RPM denies them. Look at the Macromedia Flash, Adobe Acrobat Reader, or Sun Java installs (I think those are the ones that use wrapped RPMs), for example. That isn't the intent. The idea is to put the "single working solution" somewhere other than a monolithic GUI manager. Altho, personally, I still think the GUI manager is a necessity. There are *huge* differences, unfortunately, between an application running and applications spread all over the file system. Garbage collection in Java/C# doesn't happen across two apps connected over the network, yet application garbage collection would need that for mounted shares/volumes. Memory garbage collectors also have access to all objects in existence, and (in good implementations) know when object relationships are formed or broken - an application garbage collector would need to somehow find out whenever any reference to an app has changed. Memory collectors also don't support fancy memory tricks like "hidden" pointers and such, but an application garbage collector would need to know about "fancy tricks" like users using an app from the command line or a script and not .desktop files. Memory GC and application GC are really just two completely different things. Developers don't necessarily need to package. They *do* need to not be so boneheaded as to make packaging impossible. i.e., when the packager comes along and finds out that the only way to get "lite version" and "full version" of the application packaged is to make them conflict with each other, thus requiring a user to uninstall and reinstall the app to "enable" features, the packager should bring the issue up with the developer, who then should go, "oh, oops, will fix this!" and resolve the problem on his end, allowing the packager to make sane, working packagers that people besides l337 h4ck3r5 and sysadmins can install and use. As is now, the developer tends not to give a flying hoot (or just not know any better), the packager can't resolve the issue with the developer (or they themselves don't really understand the problem), and we end up with tons of packages that don't really work unless installed in one specific OS setup, when the moon is full, the stars are aligned properly, the wind is blowing from the south-southeast at 45 knots, and you've your ritual RPM body paint on with shell script incants written all over your forehead. Evangelism and education can help this. Simply not packaging brain-dead broken software helps too; or, at least, understand that packages of software like that should be the *exception*, not the rule. We'll probably always have a couple pieces of popular software written by dinks that think Linux should only be for the technologically elite and kept away from "dr00ling lusers," but hopefully we can keep that to a minimum. -- Sean Middleditch <elanthis(a)awesomeplay.com&gt; AwesomePlay Productions, Inc.

It in part varies by country. The GPL is a copyright license not a contract and that actually also restricts what it can do.

On Mon, 2003-10-13 at 12:01, Nicolas Mailhot wrote: <snip tons of yammering> Software components: Take a look at OOo, Mozilla, GNOME, etc. - a user installing these has to manually pick apart and selected packages. A user-friendly approach would, upon opening the installer, give them options to select among options - i.e., do I want just the browser, or the mailer as well, or the browser, mailer, calendar but not the chat program, etc. When we get into managing packages, the user will see a list of things like: mozilla-browser mozilla-mailnews mozilla-chat mozilla mozilla-nspr mozilla-nss etc. That's just insane. Those are all "Mozilla", just different sub-components. When you toss in things like virtual packages that exist solely to depend on everything (common in Debian, less common in RPMs), the user model *really* starts to suffer. What happens when an application spans multiple CDs? I have tons of software like that - games, music composition applications, etc. - how does RPM handle that? Oh, right, it *doesn't*. Unless the author breaks the app into multiple RPMs, which is (a) insane, and (b) pollutes the package space. Seriously, this is nothing but paranoid rambling. I'm not going to waste time trying to debate with a raving zealot - discussion over. -- Sean Middleditch <elanthis(a)awesomeplay.com&gt; AwesomePlay Productions, Inc.

Le dim 12/10/2003 à 00:22, Mike Hearn a écrit : Yeah and when you've done this you've also got virus, trojans, worms and general system instability. You can not trust just any random web page/gpg key/packager/whatever. Distributions provide quality packaging, software review, system consistency, etc (that's one of the reasons all the distributed software projects that were proposed won't ever fly IMHO - there is no way so many different actors with different priorities, backgrounds, deadlines, etc can agree on a common set of rules strong enough to maintain the overall quality a current distribution provides) Now in the past one could say distros do not cover a large enough spectrum. With projects like Fedora this is no longer true - you want your app in Fedora just submit a quality package and it'll get in. Then people will install it because they *trust* the Fedora signature/label. Making a quality package is *hard*. Computer systems are *complex*. And working outside of a big distribution-like project only makes packaging *harder*. Most of people who complain just want to offload crap packages on the user like in the windows world. As someone who is regularly called to clean up the damage these habits cause I respectfully disagree. It says a lot that an experimental system like Rawhide often behaves better than your average windows setup. If you want to enlarge the packaged perimeter just mount a packager group on which upstream projects can offload packaging problems. If you think distributions are the problem (like autopackage people obviously do) just get all people that think like you together and have them agree on a common distribution method. I predict that the best outcome will be yet another distribution (and the probable one utter failure - people who don't want to package stuff cleanly now won't do it tomorrow in another organisation) There is one point I agree with you - it'd be cool if upstream projects could more easily provide install profiles so people can use their stuff after reading the web site. And this can be done pretty easily by a comps.xml adaptation that would be fed to the local apt/yum/urpm that would then pull relevant package_s_ from the *distribution* repository. (and yes the package/profile separation is needed. I want to be able to provide a artist profile and a tester profile, for example, and they will both include the gimp package, because testers need to provide annotated screenshots too) And while there is room for gfx effects the core engine must be CLI/GUI independent. I can assure you after the second installation you quickly tire of the bloody widgets and yearn after something you can just run in a ssh window/crontab/script. People will probably want to collect all the profiles they commonly use on a floppy and feed all of them in a single operation to the package manager of their new computer. (think "modular kickstart") There is no easy way. You want to do distro-neutral packages ? Fine. Just be damn good. The day someone in one of your target distros release a better package than yours poof you've instantly lost part of your target audience. Remember : distro-specific packagers have this advantage they can use all kind of fun "extensions" when you can't. Realistically that means : 1. do not try to repackage stuff that's already in the distributions 2. follow strictly FHS and the parts of LSB that make sense - be stricter than the others packagers you'll compete with 3. package a large enough pool of interdependent software people won't be able to take "just one bit" and make it distro-specific easily 4. have a team with people that regularly use all target distros 5. use file names not package names as dependencies - distros will rename/split/merge packages but the FHS will force them to use the same file locations 6. use an apt+yum+urpmi repository to reach as much people as possible 7. whenever disto X has cool extension Y you want to use gently push Y for inclusion in the other target distributions Cheers, -- Nicolas Mailhot

Don't lose sight of the fact viruses and worms evolve (or are evolved) to target the fundamental weaknesses that work. Right now they tend to target tools like windows email because the mailer was a weak link, and the user too. When that ceases to be the weak link you'll see techniques change - as is happening with spyware for example. In the long term the user may not be the weak link either - SELinux type stuff lets the administrator shield users from many of the mistakes they would otherwise make. Alan

On Sun, 2003-10-12 at 00:40, Havoc Pennington wrote: Mmm. I have a feeling it simply replaces it with other types of hell. On MacOS X the glacial rollout of weak symbols mean that apps frequently depend on point releases of the whole OS. On Windows, the situation is somewhat better, but only because Microsoft release updates for OSs that are over 5 years old. Of course that's correct, but the problem is people have used tools like apt and see that they work well, and are convenient. They want them to work well all the time, instead of just some of the time. I think boosting the success rate of these types of tools is certainly doable. Right - I wasn't really meaning this, but parallel installability is clearly an educational issue. It's reasonable that RPM gets beat up a bit - this particular messenger sometimes gets it wrong (for instance when you install from source). Perhaps some of the blame lies with developers for going overboard with dependencies, but perhaps also it is up to us to technically manage this situation better (which I think can be done). thanks -mike

Le dim 05/10/2003 à 00:58, Alan Cox a écrit : Sure. But a srpm requires someone to document the build process. Allowing projects to directly provide binaries means you'll soon not be able to rebuild their stuff because their build scripts will rot in strange and wonderful ways, depend on undocumented build environments and anyway even if you manage to build them they will check their signature at runtime and refuse to run if they're not signed by the upstream project key. Which I'm sure the gcc people will love next time they want to release a new version since instead of pulling a RedHat they'll have to convince every single project the system use it's time to upgrade their build tools. (and I case someone thinks I'm overly pessimistic - this kind of stuff already exists. I met it. Every single aspect from the broken build system to the key check is already used by people who thought about auto-upload before the autoupdate project. And it's not even closed commercial stuff but pure FOSS) -- Nicolas Mailhot