Proposal to reduce anti-bundling requirements

Orion Poplawski orion at cora.nwra.com
Sat Sep 12 14:11:23 UTC 2015


On 09/11/2015 06:11 PM, Stephen John Smoogen wrote:
> On 11 September 2015 at 16:41, Jóhann B. Guðmundsson <johannbg at gmail.com> wrote:
>>
>>
>> On 09/11/2015 09:09 PM, Orion Poplawski wrote:
>>>
>>> What do Fedora users gain with "dnf install rails" or "dnf install ipython"
>>> versus "gem install rails" and "pip install ipython"?
>>
>>
>> This indeed is a very good question.
>>
>> I'm not sure how things are elsewhere in the world but in the case of gems
>> on a rock in the middle of the North Atlantic Ocean, everybody is using
>> bundler with nobody wanting to go back to non-existing or not current gems
>> in distributions and/or having to manually chase down components and resolve
>> their dependencies.
>>
>> They prefer spending that time actually hacking or drinking beer or both.
>>
>
> Depending on what the system is being used for, the gain in having one
> package system is usually in "inventory control". RPM allows me to
> prove that the packages from it are installed and match the checksums
> (or when they don't if they are config files or not). Every out of
> band packaging requires me to figure out if that system has a
> signature tree and how to know if the python-gumdrop is the one I got
> from the original source or not.
>
> While most of this is important at say a bank, military, etc., I have
> had to do this in the University system where a machine was broken
> into and we needed to make sure that other systems were not broken
> into. The reason being that the experiments would have to be started
> over from scratch and they would have probably lost their grant. The
> grad students in the lab would have probably also had major problems
> with their finalized thesis as it would have added years to getting it
> final. The chem lab project was ok because we could check that the php
> on the webserver hadn't been tampered with and the perl on the systems
> either.
>
> I believe that some of the ecosystem packagers have this ability and
> others do not. I expect that for most people the problems above aren't
> really a concern... but then again most of them set their root password
> to 123456 if they can.
>

Thanks, that's a good point, and perhaps something to bring up with the 
pip/gem/etc folks.  There are also other tools to checksum an installed 
system so I don't think it's insurmountable to work around.


-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
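
Added example, not part of the original message and not code from pip or any project discussed here: a check similar in spirit to "rpm -V" for a pip-installed package, comparing installed files with the sha256 hashes in the package's dist-info RECORD file. The function names and the "gumdrop" sample tree are constructed for illustration.

```python
import base64
import csv
import hashlib
import os
import tempfile

def record_hash(data, algo="sha256"):
    """Encode a digest as wheel RECORD files do: urlsafe base64 without '=' padding."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def verify_record(site_dir, dist_info):
    """Return sorted (path, status) pairs for RECORD entries that fail to verify."""
    problems = []
    with open(os.path.join(site_dir, dist_info, "RECORD"), newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 2 or not row[1]:
                continue  # RECORD itself (and .pyc files) are listed without a hash
            path, expected = row[0], row[1]
            full = os.path.join(site_dir, path)
            if not os.path.isfile(full):
                problems.append((path, "missing"))
                continue
            with open(full, "rb") as f:
                actual = record_hash(f.read(), expected.split("=", 1)[0])
            if actual != expected:
                problems.append((path, "modified"))
    return sorted(problems)

def build_sample_tree(root):
    """Constructed sample: a fake 'gumdrop' install whose RECORD matches its files."""
    info = "gumdrop-1.0.dist-info"
    files = {"gumdrop/__init__.py": b"VERSION = '1.0'\n",
             "gumdrop/core.py": b"def chew():\n    return 'ok'\n"}
    os.makedirs(os.path.join(root, "gumdrop"))
    os.makedirs(os.path.join(root, info))
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    rows = [[rel, record_hash(d), str(len(d))] for rel, d in files.items()]
    rows.append([info + "/RECORD", "", ""])
    with open(os.path.join(root, info, "RECORD"), "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    return info

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        info = build_sample_tree(root)
        os.remove(os.path.join(root, "gumdrop", "core.py"))  # simulate a change
        print(verify_record(root, info))
```

RECORD is unsigned and stored next to the files it describes, so this only catches changes made without also updating RECORD; comparing against hashes obtained from a trusted source gives stronger assurance.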
