package, package2, package3 naming-with-version exploit

Panu Matilainen pmatilai at laiskiainen.org
Thu Apr 4 18:29:17 UTC 2013


On 04/04/2013 02:55 PM, Vít Ondruch wrote:
> Ok, so what is the purpose of the version field then? Let's drop it, if
> nobody cares. You could remove a few lines in Fedora, depsolver could be
> dumber.

The version field provides one part of the sorting information (y is 
newer than x) within an identifying label (also known as "name") to the 
package management tools. The NEVRA information is human readable, but 
its target audience is actually computers. And like Florian already 
pointed out, rpm and the upper layer tools couldn't care less what the 
actual letters and numbers are. You could just as well use UUIDs for 
package "name" and an unrelated, serially growing integer for the 
version and rpm, yum and friends wouldn't notice a thing. For the 
obligatory silly analogy: think of being able to use "goto <label>" 
instead of "goto <line-number>" in non-ancient programming languages.

> Yes, I am exaggerating here, but does it make sense to have package
> python3-3.3? Why don't we have python3-1.0? Where is the version 1.0 of
> python 3? Why are we duplicating the version? None of these questions makes
> you think that we are doing something wrong? Actually we are again at
> the beginning, since this is how the thread started.

Take a look at 'rpm -qa' (or 'repoquery -qa') output, and ask yourself: 
does ANYTHING in there "make sense"? Just a few random samples:

ipxe-roms-qemu-20120328-2.gitaac9718.fc18.noarch
libsmi-0.4.8-11.fc18.x86_64
btrfs-progs-0.20.rc1.20121017git91d9eec-1.fc18.x86_64
librsvg2-2.36.4-1.fc18.x86_64

My wife says C/C++ code looks like lots of dead spiders on the screen. I 
haven't asked what she thinks of rpm NEVRAs but I think you get the 
idea... the NEVRA is utter gibberish to somebody who's not reasonably 
well aware of rpm versioning and all. Whenever we present this junk to 
an end user, it's game over already from a usability POV.

From a technical perspective, there's zero need to change how 
multiversion packages work. It's a widely used (at least in both the rpm and 
dpkg worlds) and well-understood mechanism to slap extra qualifiers at 
the end of the name to achieve that. If you want pretty, human 
consumable names and versions for things, that is an entirely different 
issue that could be addressed without breaking the whole world. Comps is 
one mechanism towards this; other possibilities could be adding separate 
"pretty name" (and maybe version too) tags to packages and presenting those 
to users when they exist. Or something.

	- Panu -
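What the tools actually read out of a NEVRA, as an added example (not rpm's own code and not part of the thread): the name is an opaque label, and only the epoch:version-release has to sort. `rpmvercmp()` below re-implements rpm's segment-wise comparison algorithm in Python (tilde handled, the later caret operator omitted); the package strings used are the post's own samples plus constructed ones.

```python
"""Added example (not rpm's own code): what rpm/yum read out of a NEVRA,
an opaque label plus an epoch:version-release that only has to sort.
rpmvercmp() re-implements rpm's segment algorithm (tilde yes, caret omitted)."""
import re
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")   # every other character is a separator

def split_nevra(nevra):
    """'name-[epoch:]version-release.arch' -> dict; the name is just a label."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return {"name": name, "epoch": int(epoch), "version": version,
            "release": release, "arch": arch}

def rpmvercmp(a, b):
    """Segment-wise compare of two version (or release) strings: -1, 0 or 1."""
    x, y = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(x), len(y))):
        sa = x[i] if i < len(x) else None
        sb = y[i] if i < len(y) else None
        if sa == "~" or sb == "~":        # tilde sorts before anything, even the end
            if sa != sb:
                return -1 if sa == "~" else 1
            continue
        if sa is None or sb is None:      # extra segments win: 0.20.rc1... > 0.20
            return -1 if sa is None else 1
        if sa.isdigit() != sb.isdigit():  # a numeric segment beats an alpha one
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            sa, sb = int(sa), int(sb)     # so leading zeros do not matter
        if sa != sb:
            return 1 if sa > sb else -1
    return 0

def evr_cmp(p, q):
    """Order two packages carrying the SAME label: epoch, then version, then release."""
    if p["name"] != q["name"]:
        raise ValueError("%s and %s are different labels" % (p["name"], q["name"]))
    for field in ("epoch", "version", "release"):
        rc = rpmvercmp(str(p[field]), str(q[field]))
        if rc:
            return rc
    return 0

if __name__ == "__main__":   # constructed input: the post's btrfs sample and an older build
    pkgs = [split_nevra(n) for n in ("btrfs-progs-0.20.rc1.20121017git91d9eec-1.fc18.x86_64",
                                     "btrfs-progs-0.20-1.fc18.x86_64")]
    print(evr_cmp(*pkgs))    # 1: the rc snapshot sorts newer than plain 0.20
```

The last line is the classic consequence of "computers, not humans" NEVRAs: a pre-release snapshot tagged `.rc1` sorts newer than the final `0.20`, which is what the `~` separator exists to fix.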
