Slashdot Mirror

← Back to Stories (view on slashdot.org)

Binary Package Formats Compared

Posted by michael on from the one-deb-to-bind-them dept.

jjaimon writes "There is a document on different package formats used in Linux/Unix systems. Worth reading." Another reader sends in this guide to creating Debian packages which seems apropos here.

15 of 292 comments (clear)

  1. 5 years old! by spotter · · Score: 5, Informative

    Joey Hess created that document (at least the first revision) around 1998 IIRC, so it's not so much new news (guessing it's been posted here before, but probably around then as well)

  2. RPMs, an' all. by caluml · · Score: 5, Informative
    How to roll your own RPMs. Very useful. You can open up a package, say postfix, or mozilla, customise the config files for your organisation, and re-make it. Then you can just install at your leisure.

    Best thing about RPMs? GPG signatures built in. Try rpm -K whatever-x.x.x.rpm next time. Second best thing? rpm -Va.

    --
    Get your own free personal location tracker
  3. Re:Binary packages: Security suicide by GammaTau · · Score: 4, Informative

    The binary distributions usually come with a way to compile your own binary packages if you wish to inspect the source code. Just download the source RPMs or use "apt-get source". The "binary distributions" are generally binary and source distributions where you can choose whether you use prepackaged binaries or compile your own.

  4. Technically... by serial+frame · · Score: 4, Informative
    From a technical standpoint, I find that creating a Debian package would be far easier than creating a Red Hat package. Essentially, a packager does not require any special tools to create a package; all one needs is ar, tar, and gzip, and a text editor to write the package control data. This feature-by-design allows poor ol' me, without any Debian machines, to create packages, assuming a similar development environment and libraries as the Debian environment I'm targeting (which really should not be hard, provided the libraries I use are of the same version).

    Similarly, I could install a Debian binary package if that were all that existed for my particular environment, with a simple

    $ ar p data.tar.gz package-arch.deb | (cd /; tar -p -zxf -)

    (I digress, simple may be relative)

    On the other hand, since RPMs have a special binary header, the lazy would be forced to install RPM and Berkeley DB on non-Red Hat-machines in order to build an RPM package. Though it is possible to extract the gzip'ed+cpio'ed data in an RPM without using rpm.

    So, in my view, Debian has a bit of an upper hand in simplicity, from a technical standpoint, but not by much.
    --

    -
    And the Angel said unto me, "These are the cries of the carrots! The cries of the carrots!"
  5. Re:Ah yes, packaging by dissy · · Score: 4, Informative

    > The TGZ packaging scheme (also mentioned in the article, along with RPM and DEB)
    > just... Well... Sucks.

    Not intended as an attack aginst your comment (You are fully correct, it sucks) but to clarify a point: .tgz is not really a package format. .tgz (.tar.gz, or a compressed tape-archive) is no more a binary package format than .zip is for windows.

    Slackware created a rather elegant hack at the time, of having a /package/install.sh script in the tarfile which is run with a bash shell after the files are extracted to do any command based setup, but that is it.

    Imagine if you will, a .zip file that states 'uncompress this file exactly here C:\windows\system\whatever\foo.bin '
    That is all a .tgz can do.

    This is why it supports no dependencys or checking, because its just an archive file.

    Technically speaking, this isnt a package format as much as a creative way to run a shell script after extracting some files.

    * I realize you were just replying to the articles claim that it is a package format, and from your own experences. I just wanted to explain why your experences sucked... It was more of a design flaw to use an archive as a package format, then the package format sucks.
    From an archive stand point, .zip and .tgz do great.

  6. Re:LINUX needs to tell apps where they live! by leviramsey · · Score: 5, Informative

    RPM's are relocatable (at least most, if not all of the packages Mandrake distributes are; hardcoded directories are against Mdk policy and caught by rpmlint). Just edit your .rpmmacros and set macros like %{bindir}, %{libdir}, etc.

  7. Slashdotted..... by cansecofan22 · · Score: 3, Informative

    Here is the link to googles cache of the site:
    CLICK HERE

    --
    "If ignorance is bliss, why aren't there more happy people in the world?"
  8. Re:Binary packages: Security suicide by Anonymous Coward · · Score: 1, Informative

    This is why debs are signed. Run MD5 on the deb you download and compare it to the one that Debian shows. If they're not the same, delete the package. Don't trust the Debian packagers? Then why the hell are you using their software?

  9. Binary packages don't mix with source packages. by arcanumas · · Score: 2, Informative
    The article must be slashdoted because i can't get it.

    The RPM/DEb ideas are really good. The main problem i have however , and don't really know how can be solved is combining binary packages with source code packages (eg. when you compile you own X). When the time comes and you want to update , let say Libc, then you will be unable to do so because the dependecies include almost every package.
    Or when you compile a program that is listed as a dependency to another program , you can not install that other program because compiling from source code does not update the RPM database.

    It seems that binary packages are only good when you stick to what your vendor offers you.

    Using --nodeps is not the solutions because it defeats the whole idea of depencdency tracking.

    --
    Slashdot Sig. version 0.1alpha. Use at your own risk.
  10. RPM is best because of the support by yajacuk · · Score: 1, Informative

    I have only recently come across the freshrpms.net site, and I have been amazed at the work that has been there. The site helps the user to find, from a list of supported packages, the most recently rpm packages available for their systems. This site along with rpmfind.net, and tuxfind.net is what makes the RPM packaging system so successful.

    I have on the past thought about changing distros, from Red Hat to lets say SUSE, Mandrake, Conectiva, etc, but I haven't mainly because of their support (at the time) for rpm packages was not very good.

    Is RPM the best solution for the person who is looking to install software on their Linux box? I have my complaints, but since when does the best solution for a problem is the one most suited for the job?

  11. Re:Installing from source can tend to be easier... by Q2Serpent · · Score: 2, Informative

    I'll bite.

    For a desktop linux distribution, I run Mandrake. Currently, I'm running Mandrake 9.1.

    Let's say that today, I want to install a common package that I don't have, but want to use, like kismet, the wireless sniffer (http://www.kismetwireless.net).

    So, this is what I do:

    # urpmi kismet

    and how long does it take?

    # time urpmi kismet
    ftp://ftp.club-internet.fr/pub/unix/linux/ distribu tions/Mandrake/9.1/contrib/RPMS/kismet-2.8.1-2mdk. i586.rpm
    installing /var/cache/urpmi/rpms/kismet-2.8.1-2mdk.i586.rpm

    Preparing...
    (Lameness filter hashes)
    1:kismet
    (Lameness filter hashes)
    3.61user 1.13system 0:28.03elapsed 16%CPU

    Yeah, that's 28 seconds.

    Now you, compile it from source. How long did it take?

    Now, I realize that kismet is something that someone else packaged up specifically for Mandrake 9.1, and it happens to be in the contrib section on a mirror for me. But, so is tons of other *common* software, and it's all that easy to install (yet, full dependencies included).

    Of course, if I want to install something that isn't built for Mandrake 9.1, I can compile it from source just like you. But that's not slower either. In fact, if I spend an extra few minutes making an RPM out of it (granted some sources are harder to make into RPMs quickly), I can not only install it easily on this and any other Mandrake 9.1 machine I want it on, but I can also uninstall it, and upgrade it, with full dependency checking.

    Compile everything from source? Hah!

  12. Where Is that Lib. by ratfynk · · Score: 2, Informative
    Problems with package formats is the endless failed dependancy problems caused between different distros. Take a simple little apps like Kmol, a good simple little mol wieght calculator, it will run fine if you use the usual sane kde lib paths and do not suffer from rpm obfuscation disease. So I just make darn sure I read the deps to ./configure --with before I compile from source. What I find rather disturbing is that good freeware is being made difficult to use by the constant path alterations by the major Linux distros RedHat and Mandrake. Another great example is Kstars a great fun astronomy app it runs like crap when installed in rpm binary format, but can really smoke with it installed correctly in KDE3 Slackware.

    The constant changes, in path structure in RedHat even between close number releases is not a good thing. It is more akin to a Microsoft like tactic than sensible advancement of an OS.

    Perhaps a killer app for linux would be a Pathmaker that reads dependancy requirements goes out and checks the install paths before you ./config. Similar to gdb but easier to step through. Then it could help identify and rewrite any path errors in the source for the user. If the software determines that you do not have a required library then it could help the user to install or see if installing it might cause havock.

    The current state of free software for Linux is becoming more and more difficult for the ordinary user to deal with. A logical tool designed to help the ordinary user to use source would sure be great. There are great dev tools in Kde and Gnome but there is a severe lack of a sensible integated install tool for non-coding users.

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  13. what a day to post this by joey · · Score: 5, Informative

    I (author) am currently enroute to Norway, only found out I was slashdotted in the airport. I don't really understand why they posted it today, and not some time in the past 5+ years.. Anyway, I will respond to anything worth responding to sometime later.

    --
    see shy jo
  14. Re:Binary packages: Security suicide by Anonymous Coward · · Score: 1, Informative

    > Why? A compiler is only a translator. How is the ability to translate an arbitrary C program into assembly going to aid an attacker? The attacker could just as easily precompile the program themselves.

    ...unless the attacker's computer doesn't have the same architecture as the target machine. Linux and the *BSDs all run on a wide variety of platforms; if you were making a max-damage virus, being able to transport the source kit to the targets and make the executable locally, regardless of architecture, would be a good feature.

  15. Re: FYI, installing RPM's on Debian by raboofje · · Score: 2, Informative
    Debian includes the 'alien' tool which:

    Alien allows you to convert LSB, Red Hat, Stampede and Slackware Packages into Debian packages, which can be installed with dpkg

    Not sure how well it handles dependencies and such, though.