Proposal to reduce anti-bundling requirements

Stephen John Smoogen smooge at gmail.com
Sat Sep 12 20:12:01 UTC 2015


On 12 September 2015 at 08:11, Orion Poplawski <orion at cora.nwra.com> wrote:
> On 09/11/2015 06:11 PM, Stephen John Smoogen wrote:
>>
>> On 11 September 2015 at 16:41, Jóhann B. Guðmundsson <johannbg at gmail.com>
>> wrote:
>>>
>>>
>>>
>>> On 09/11/2015 09:09 PM, Orion Poplawski wrote:
>>>>
>>>>
>>>> What does Fedora users gain with "dnf
>>>> install rails" or "dnf install ipython" versus "gem install rails" and
>>>> "pip
>>>> install ipython"?
>>>
>>>
>>>
>>> This indeed is very good question.
>>>
>>> I'm not sure how things are elsewhere in the world but in the case of
>>> gems on a rock in the middle of the north atlantic ocean, everybody is
>>> using bundler with nobody wanting to go back to non-existent or not
>>> current gems in distributions and/or having to manually chase down
>>> components and resolve their dependencies.
>>>
>>> They prefer spending that time actually hacking or drinking beer or both.
>>>
>>
>> Depending on what the system is being used for, the gain in having one
>> package system is usually in "inventory control". RPM allows me to
>> prove that the packages from it are installed and match the checksums
>> (or, when they don't, whether they are config files or not). Every
>> out-of-band packaging system requires me to figure out if that system
>> has a signature tree and how to know if the python-gumdrop is the one
>> I got from the original source or not.
>>
>> While most of this is important at, say, a bank, the military, etc., I
>> have had to do this in the University system where a machine was broken
>> into and we needed to make sure that other systems were not broken
>> into, the reason being that the experiments would have had to be started
>> over from scratch and they would have probably lost their grant. The
>> grad students in the lab would have probably also had major problems
>> with their finalized thesis as it would have added years to getting it
>> final. The chem lab project was ok because we could check that the php
>> on the webserver hadn't been tampered with, and neither had the perl on
>> the systems.
>>
>> I believe that some of the ecosystem packagers have this ability and
>> others do not. I expect that for most people the problems above aren't
>> really a concern, but then again most of them set their root password
>> to 123456 if they can.
>>
>
> Thanks, that's a good point, and perhaps something to bring up with the
> pip/gem/etc folks.  There are also other tools to checksum an installed
> system so I don't think it's insurmountable to work around.
>

It has been brought up multiple times with each of the groups. It is
usually seen as a bunch of complexity that they do not want to add to
the system at this time. And it is also something that, it turns out, can't
be retrofitted in without major changes in the ecosystem, so it ends up
never getting added. [There are multiple summaries of this on lwn.net
where various people have tilted at this windmill a lot of times.] Some
of the problems are because the archive method used can't have
signatures in it (Zip and tar for a LOOONG time). Some of the issues
are that infrastructure has to be put in place, and the third problem
is that it isn't a problem that most of the people writing with them have
to deal with until it is too late. https://xkcd.com/1539/

-- 
Stephen J Smoogen.
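The "inventory control" check described in the thread, as an added example that is not part of the original mail or of any Fedora, rpm or pip tooling. The first half parses `rpm -V` output (nine attribute columns, an optional file-type column, then the path) and separates the expected case, an edited config file, from a payload file whose digest, mode or owner no longer matches the package. The second half does the closest equivalent for a pip-installed package: every wheel install leaves a `<dist>.dist-info/RECORD` listing each file with a `sha256=<base64url>` digest, which is enough to detect post-install edits even though pip itself does not verify it. The `rpm -V` lines and the `gumdrop` package (named after the python-gumdrop in the mail) are constructed for the demonstration and built in a temporary directory.

```python
"""Inventory checks: classify `rpm -V` output, then verify a pip RECORD file."""
import base64
import csv
import hashlib
import os
import tempfile

# Constructed sample of `rpm -Va` output (not captured from a real host).
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/share/php/PEAR/Net/Socket.php
.M.......    /usr/bin/perl
..?......    /usr/lib64/perl5/CORE/libperl.so
missing     /usr/share/perl5/vendor_perl/CGI.pm
.......T.  d /usr/share/doc/php/README
"""

# rpm(8) verify columns: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; '.' means unchanged, '?' means untestable.
CONTENT_FLAGS = set("5SMLUGP")   # a change here means the file is not what the RPM shipped
VERIFY_ATTRS = set("cdglr")      # file-type column: config, doc, ghost, license, readme


def parse_rpm_verify_line(line):
    """Return (flags, attr_or_None, path) for one `rpm -V` line, or None for a blank line."""
    if not line.strip():
        return None
    parts = line.split(None, 2)
    if len(parts) == 3 and len(parts[1]) == 1 and parts[1] in VERIFY_ATTRS:
        return parts[0], parts[1], parts[2]
    return parts[0], None, line.split(None, 1)[1]


def classify_rpm_verify(output):
    """Map each reported path to a verdict an incident responder can act on."""
    verdicts = {}
    for line in output.splitlines():
        parsed = parse_rpm_verify_line(line)
        if parsed is None:
            continue
        flags, attr, path = parsed
        if flags == "missing":
            verdicts[path] = "missing"
        elif "?" in flags:
            verdicts[path] = "unverifiable"      # rpm could not read the file
        elif attr == "c":
            verdicts[path] = "config-edited"     # expected on a live system
        elif CONTENT_FLAGS & set(flags):
            verdicts[path] = "tampered"          # content/mode/owner differs from the RPM
        else:
            verdicts[path] = "benign"            # only mtime or device changed
    return verdicts


def record_digest(data):
    """Digest in the form pip writes to RECORD: sha256=<urlsafe base64, no padding>."""
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_record(dist_info_dir):
    """Check every file listed in RECORD (paths relative to site-packages) against its digest."""
    site_packages = os.path.dirname(dist_info_dir)
    results = {}
    with open(os.path.join(dist_info_dir, "RECORD"), newline="") as fh:
        for row in csv.reader(fh):
            if not row:
                continue
            rel_path, recorded = row[0], (row[1] if len(row) > 1 else "")
            if not recorded:
                results[rel_path] = "unhashed"   # RECORD lists itself with an empty digest
                continue
            full = os.path.join(site_packages, rel_path)
            if not os.path.isfile(full):
                results[rel_path] = "missing"
                continue
            with open(full, "rb") as f:
                results[rel_path] = "ok" if record_digest(f.read()) == recorded else "modified"
    return results


def build_demo_site_packages():
    """Construct a throwaway site-packages holding a fake 'gumdrop' wheel install, then tamper with it."""
    site = tempfile.mkdtemp(prefix="sitepkg-")
    info = os.path.join(site, "gumdrop-1.0.dist-info")
    os.makedirs(os.path.join(site, "gumdrop"))
    os.makedirs(info)
    files = {"gumdrop/__init__.py": b"VERSION = '1.0'\n",
             "gumdrop/core.py": b"def run():\n    return 'ok'\n"}
    rows = []
    for rel, data in files.items():
        with open(os.path.join(site, rel), "wb") as f:
            f.write(data)
        rows.append([rel, record_digest(data), str(len(data))])
    rows.append(["gumdrop/missing.py", record_digest(b"gone"), "4"])   # listed but deleted
    rows.append(["gumdrop-1.0.dist-info/RECORD", "", ""])
    with open(os.path.join(info, "RECORD"), "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    # Post-install tampering with the same byte length, so a size check alone would miss it.
    with open(os.path.join(site, "gumdrop", "core.py"), "wb") as f:
        f.write(b"def run():\n    return 'pw'\n")
    return info


if __name__ == "__main__":
    for path, verdict in classify_rpm_verify(SAMPLE_RPM_VERIFY).items():
        print(f"{verdict:14} {path}")
    for path, status in verify_record(build_demo_site_packages()).items():
        print(f"{status:14} {path}")
```

Two caveats for real use. Both checks compare against data stored on the compromised host: `rpm -V` reads the installed headers from the rpm database and RECORD is a plain unsigned text file, so an attacker with root can rewrite either. On a machine under investigation, verify against a pristine copy instead (`rpm -Vp` against the original signed .rpm, or an rpm database copied from a known-good host); for pip there is no signed equivalent to fall back on, which is the gap the thread is about.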

