sane dependencies -- a positive look at 'fix your packages'

Michael Schwendt ms-nospam-0306 at arcor.de
Sat Oct 4 20:29:27 UTC 2003


On Sat, 04 Oct 2003 15:10:35 -0400, Andy Hanton wrote:

> It doesn't really help as much for common libraries. The idea is that
> library authors can maintain their own binaries.  Application authors
> can be sure that the end user's system will be able to find the library
> because the url is embedded in the binary.  

So, in other words I would depend on arbitrary sites to supply prebuilt
libraries rather than getting software from trusted community
repositories? Would those prebuilt libraries be of the same poor quality
as what is offered on the average upstream site? The average upstream
site features contributed packages. Contributed by individuals. The same
individual who would contribute their packages to a community project,
provided that such a community project is available.

> Try rpm --redhatprovides libenchant.so.1.0.0 on a redhat 9 box.
> /uri/0install/www.abisource.com/enchant/libenchant.so.1.0.0 
> would clearly be better in that case.  

Not clear at all. Why would I need that library? Why wouldn't it be
found automatically when I install an application with e.g. Yum? Why
hasn't anyone created a src.rpm for it? Aha, the software is complicated
to install from source? There we have the real problem.

> I think the idea that we can package all the dependencies that could
> ever exist is unrealistic. 

Only what is popular or worthwhile gets packaged by someone.
Everything else can be rebuilt from source.

> Even if we become like debian with 10,000
> packages that won't solve the cross distribution problem.

Ah, cross-distribution. *cough* Who makes sure that app A from site B
and lib D from site E for distribution C work smoothly on distribution
F where inter-library dependencies are satisfied with packages from
site G? Where is the testing and quality assurance in this scenario?

> You can't
> tell your grandmother who runs Suse to go to the web page and download
> an rpm because suse hasn't packaged all the dependencies.  

Isn't that what Fedora Extras tries to target? The chance for the
community to package the popular stuff and maintain it as long as
there is enough interest in it?

> With zero-install the user never actually uses a package
> management system.  
> 
> Here is how it works:
> 1. download an application from the author's web page
> 2. double click the archive to untar it
> 3. double-click the application and it runs

Scary scenario. Even more scary when the application asks for
superuser privileges in order to perform some ordinary integration
tasks.  The scenario gets threatening when the author of the
application focuses on prebuilt binaries as primary distribution
channel and neglects the source code level. Oh, and don't dare to
report a bug to the author when you run a different distribution. 

-- 
Michael, who doesn't reply to top posts and complete quotes anymore.
