sane dependencies -- a positive look at 'fix your packages'

Mike Hearn mike at theoretic.com
Sun Oct 12 13:54:29 UTC 2003


On Sun, 2003-10-12 at 00:40, Nicolas Mailhot wrote:
> Yeah and when you've done this you've also got virus, trojans, worms and
> general system instability.

Consider: somebody wishes to play a game. It is written in C. There is
no package for their distribution. They can either:

a) Not play it.
b) Create a package, submit it to Fedora, ram it through the QA process,
etc.
c) Install from source and just play it.

Realistically, the vast majority will choose (c), and this is the
situation we are in now. It's really easy to get viruses, worms and
trojans into a system using source packages - a typical configure script
can be >100,000 lines long. So, not having a package at all is probably
more harmful in this respect than having a binary package produced by
the team that made the game.

> You can not trust just any random web page/gpg key/packager/whatever.

Well, people can and do every day. The number of people who get
viruses/worms/whatever from bad installers on Windows is really low - it
almost invariably comes in through email or spyware in the app itself.

Fedora QA does not actually audit the app obviously, just the package,
so it won't catch spyware embedded in the app.

> Now in the past one could say distros do not cover a large enough
> spectrum. With projects like Fedora this is no longer true - you want
> your app in Fedora just submit a quality package and it'll get in.

99% of users cannot, will not package things. They will install things
in the easiest way possible, or leave the platform altogether if it's
too hard. Fedora cannot and will not package every piece of software in
the world, and keep it at the latest version. Debian has never managed
it; I see no reason to believe this time will be any different.

> Making a quality package is *hard*. Computer systems are *complex*. And
> working outside of a big distribution-like project only makes packaging
> *harder*.

Writing quality software is far harder than writing quality packages,
yet somehow people manage. I don't see any reason why the same people
who create the software in the first place (and presumably the website
and documentation) cannot also create quality packages. Of course you
will get bad packages just as you get bad software, but this is life.

> If you think distributions are the problem (like autopackage people
> obviously do)

No, I don't know why you think that. We think distributions attempting
to package every piece of software they can is a problem, because it
doesn't scale. Windows and MacOS do not try this, neither should we.
Packaging is as much an integral part of building software as writing
documentation, test cases or the website is - there's no reason for it
to be separated.

> There is one point I agree with you - it'd be cool if upstream projects
> could more easily provide install profiles so people can use their stuff
> after reading the web site. And this can be done pretty easily by a
> comps.xml adaptation that would be fed to the local apt/yum/urpm that
> would then pull relevant package_s_ from the *distribution* repository.

And if it isn't there? The user is still screwed. Worse, you get a bent
market - people will use Red Hat, Debian, SuSE or whatever not because
they are the best, but because there are more packages available for
that distribution. Clearly this is not desirable - look at the problems
caused by the apps market being distorted.

> And while there is room for gfx effects the core engine must be CLI/GUI
> independent.

Sure. It already is.

> There is no easy way.
> You want to do distro-neutral packages ? Fine.
> Just be damn good.
> The day someone in one of your target distros releases a better package
> than yours, poof, you've instantly lost part of your target audience.
> 
> Remember: distro-specific packagers have this advantage that they can use
> all kinds of fun "extensions" when you can't.

Sure, and this is acknowledged in the FAQ - I'm not saying
distro-specific packages are bad, just that *only* having distro
packages is bad. If somebody wants to produce a Fedora only package that
uses cool extensions, more power to them - I'll probably use it.

thanks -mike