Simplifying package installation (was: replacing XMMS)

Michael Schwendt fedora at wir-sind-cool.org
Mon Apr 26 13:42:01 UTC 2004


On Mon, 26 Apr 2004 09:01:05 -0400 (EDT), duncan brown wrote:

> while i'm on this track, i think rpms need to be able to be installed by
> any user, but only into their own home dir and accessible by themselves
> only.  joe's logged into gnome and wants to install cd2ogg, but he doesn't
> have root access... sure, he could grab the .tar.gz and just put it in
> ~/bin and add that to his $PATH, but that's what we want to get away from.
>  he should have the ability to have rpm install the script and any
> dependencies that aren't already resident on the system into his own ~/bin
> or whatever directory.

First the software must be made fully relocatable and, for instance, find
its translation modules and not expect its data files in a location that
was hardcoded at build-time. And of course, it must ignore a global
instance installed into the system by the administrator and allow for
switching back and forth between local installation and system-wide
installation (e.g. in its configuration data).

> now, let's say that root installs the cdparanoia
> package a month after joe installs it into his userspace's rpm database. 
> the root rpm database checks joe's rpm database (let's say
> ~/.myrpm.db)  to see if anyone else has cdparanoia installed and then
> either removes the rpm in joe's user space, or (as joe should have the
> option) leave it alone and let joe keep on using it.

Does this scale? And what about security flaws in the locally installed
packages?
 
> but we're not talking about redhat-install-packages.

No, we're not. But it illustrates some of the problems with random
packages downloaded off the Internet.

> fedora and extras don't have mono in their
> repositories, but the user wants to use it.   they should be able to just
> click a link on mono's site and have mono added to their semi-trusted list
> of places to get software.

Assume the following packages (
http://www.go-mono.com/archive/0.31/fedora-1-i386/ ) install cleanly in
Fedora Core 1 if they were contained within a repository and you could add
that repository easily to your favourite package utility.  One of the
Fedora Project's objectives is "Create an environment where third party
packages are easy to add and positive encouragement and support exists for
third party packaging." Common meta data for yum/apt and others are one
step on the way to making access to repositories easier. The jump from
a loose collection of binary rpm files offered at some web site to a
one-click installation is not a small one.

> i don't see how the simplicity of installing a piece of software on
> windows is an orange to the apple of linux's rpm/deb/etc.  and yeah, you
> get dependencies, but they're so RARE.  and they need to be able to be
> non-existent as far as the user having to do research on where to find it
> and the correct version for their system.  just because windows has a
> bug^H^H^Hfeature like gui windows notifying you of a dependency, that
> doesn't mean we need it too.

It's a bad comparison in that with packages created by arbitrary open
source software projects we face a different dependency scenario, in
particular if a package contains explicit dependencies added manually by
the packager, which do more damage than helping the user. For instance, a
simple version mismatch between the installed version of Python and the
required version of Python, or a different package name used on different
Linux distributions, and a package would refuse to install (and I don't
even cover cross-distribution package compatibility). Compare that with a
proprietary system.





More information about the Fedora-desktop-list mailing list