Binary Package Formats Compared

jjaimon writes "There is a document on different package formats used in Linux/Unix systems. Worth reading." Another reader sends in this guide to creating Debian packages which seems apropos here.

Good God, You're starting a flamewar!

[Trigun]

Why don't you just ask what everyone's favourite distro is?

Apt-get, no emerge, no make world, ARRRGH!

Re:Good God, You're starting a flamewar!

[transient]

Just wait until the Fink users show up. They'll be flaming about their package manager and their Macs!

Typed on my PowerBook, BTW ;-)

File dependencies

[spiney75]

...considered a gross misfeature? Count me in.

Slackware packages

[argan0n]

No matter how many "packages" I see. Still love slack-packs the best.

Come with everything you need, esp created to make you learn what the hell your doing before you do it.

Hmmm...

[wbav]

It seems to me, if you want to cover everything, you would put a debian package inside a RPM.

Why? I have no clue, but you could if you wanted all the features. Kind of like putting a roll bar into a SUV, so that you can start amature racing.

Re:Hmmm...

[discogravy]

a mixed bag package manager exists: There's apt-rpm for rpm based distros; considering rpm's ubiquity, it's a great thing for users who don't want to use anything but RPM and want the advantages of APT-GET (which are many,) but other systems' use of different packaging (debs, source distros, stuff like slackware which is AFAIK not automatic at all, etc) is one of the things that gives linux/bsd it's strength. One of MS's weak points is security, and it's a weak point for them because a) they have to make their package-equivalents fit w/ very different systems (win 9x to XP) and b) their very ubiquity makes them an easy target.

Outlook-launched virii would not have the effect they DO have if not for the fact that everybody and their mom USES outlook/OE etc. If all the distros used DEB or RPM (for e.g.,) it'd be another fixed spot that attackers can try to concentrate on. As it is, you can't just compile an RPM and assume that any user on a linux system CAN run it. Debian users without alien would be SOL.

Re:counterproductive

[ae0nflx]

It is silly for us to ignore such a large divide in our community though. It exists, therefore we should look at it in depth so we can improve it and better the community as a whole. We shouldn't set off a battle cry for the entire community to come together if that's not really what's going to happen, at least not in the reality that i see. but then again my personal reality distortion field is out of whack this week.

The distroes are quite divided. How 'bout we look at what is specific to each distro so people can chose which is best for them. That is a better way to garner support from the outside community, doncha think? Don't leave them in the dark, that's what scares people away from Linux.

Interesting...

[slackr]

First time I've ever seen guys compare packages and size doesn't seem to matter.

Not compared: my favorite package

Re:Interesting...

[KillerHamster]

First time I've ever seen guys compare packages and size doesn't seem to matter.

From what I hear, it only matters to women, and we all know how many of them hang around here...

Re:Interesting...

[zCyl]

*Sound of Crickets*

Whats the point?

[ePhil_One]

I'm just not sure what the point of this is.

While at first glance it seems heavily slanted towards Debian's .deb packages (Its first and contains more "YES"'s than the competition), as a developer I'd be far more concerned with basics like "market penetration" than whether it allows me to assign my package a "priority" over other packages.

I suppose it might be of use to folks building their own distribution, but I expect thats a pretty short list.

But personally, I tend to grab the source when I'm adding something that RedHat didn't include (or seems woefully out of date)

Re:Whats the point?

[qtp]

as a developer I'd be far more concerned with basics like "market penetration"

If everyone thought like that, we'd all be using Windows.

Deb vs RPM

[GoRK]

I'm sure this will erupt into a huge flamewar like the last time it was posted when all it boils down to is that it doesn't really matter much to end users about the package format as long as the installation and upgrades are made easy. For me, aptitude/apt with .deb packages has proven easiest, but a lot of people like apt with RPM or RedCarpet or rpmfind or whatever else is out there. Lindows users use the 'one-click' install thing not even caring that there are .deb's behind the scene.

Part of the reason, I think that the deb format has always seemed to hold together really well is that most all of teh deb using distributions are so tightly integrated with the main debian distribution that packages are always totoally interchangeable (and are very good to notify you when they will not work.)

RPM on the other hand is adopted by many different and sligtly incompatible distributions that often finding the libraries and applications you want to install is difficult not because RPM's are hard to find but because RPM's that work in your current setup are hard to find.

This is simply why the management tool(s) on both ends (creating packages and maintaining installed packages) matter way more than the package formats themselves. Deb's are very compicated but sometimes easier to deal with because of all the good debhelper tools. RPM's are most often more 'hand-crafted', but they are a lot easier to create from scratch for many people.

The thing I really hate about deb's is the lack of signature verification. It's absolutely central to the development/upload/build process but until very recent efforts has been a total pain to use on the installation front. There is no good reason for this either.

~GoRK

Re:Deb vs RPM

[raboofje]

With respect to signature verification, don't the 'debsig-verify' and 'debian-keyring' packages provide this functionality?

I haven't used it on debian itself, but I know adamantix (a security-oriented distro, not entirely unlike SE Linux, based on debian) uses this to verify the downloaded packages.

Re:Deb vs RPM

[GoRK]

Yes, but it has never happened 'by default' using standard tools. With the sheer number of mirror sites Debian relies on, it really is a big security risk -- since you might be getting your distribution 'third-hand' (ie from a mirror of a mirror) but the site is still labelled as an official channel.

Plus, a lot of the packages in the standard distribution don't get signed in this way yet. Thankfully, that's starting to change, and the next release of stable (sarge) may at least include an option to turn on signature verification.

APT (DEB) vs ??? (RPM) again.

[Speare]

There are different levels of package management which often confuses the newcomer into believing (dogmatically) that one is better than the other.

The installable packages themselves have to have flexible dependency markings and coherent version markings. The low-level package tool has to be able to install and uninstall packages cleanly and repeatably. Seems like the dpkg/deb suite and the rpm suite are quite comparable here.

The package manager has to be able to build a requirements tree for a desired package, and then fetch all of the required packages to fulfill those dependencies on the local system. It should offer trust or signature verification to ensure only trusted repositories and trusted packages are used. The apt tool seems to be cross-platform, while non-Debian distros often spin their own service model here: up2date, Red Carpet, and whatever Mandrake and Lindows offer are each commercialized with some amount of sample access.

Lastly, the most important criteria, is the repository itself: it should contain packages which are clean and trustworthy. There have been cracking incidents, and there will be more. The quality of code between distro-produced packages and externally-produced packages can be as different as night and day. The package's meta-data and manifesting information can be crap, or it can be carefully constructed. The embedded installation scripts can be trivially exploitable or they can be carefully scrutinized against unexpected results.

Even if your package format is cool, and your package manager is cool, consider the repository. If the repository is not secure and offers poorly tested packages, many folks are going to unfairly blame it on the tools.

Re:APT (DEB) vs ??? (RPM) again.

[arose]

Since when is urpmi (Mandrake's RPM tool) commercialized?

Re:APT (DEB) vs ??? (RPM) again.

[Realistic_Dragon]

This is where Gentoo seems to really win out - IME the Gentoo source (soon to be source+package) repository seems to be second to none. It's well organised, easy to search, centralised, always up to date and very very fast.

Re:APT (DEB) vs ??? (RPM) again.

[fo0bar]

While I agree with your statements, I just thought I'd butt in and fill in the "???" blank: up2date. Yes, it requires an RHN subscription (but if you're seriously using a redhat distro, $5/mo (1yr@$60) is not the end of the world), but in its basic function, it performs the way apt-get or emerge does. "up2date evolution" will grab evolution plus all of its dependencies, and will block you if you have any conflicts.

My biggest gripe is not the commercial aspect of it, but it would be nice if you could add secondary up2date servers, or if redhat released an officially-supported up2date server so you can manage a bunch of redhat machines without having to go directly to redhat's up2date server for each machine. (There is a program called "current" that mimics most of the up2date server functionality, but it's not perfect.)

Re:APT (DEB) vs ??? (RPM) again.

[Speare]

If you were bothered to read the text, there's a reason I put ??? there. up2date is only for Red Hat Linux users, and only covers Red Hat Linux official packages. I use it. I subscribe. But it's not the only tool out there and it doesn't cover all it should.

Re:Binary packages: Security suicide

[duffbeer703]

Are you smoking crack?

Having a compiler available on all of your systems to compile C code is far greater risk than the "threat" of getting trojaned builds from Red Hat.

Take your tinfoil hat off and breathe.

Re:counterproductive

[ePhil_One]

Exactly. I think I'm going to use this page to create MPM, aka My Package Manager

It will be so good all the other packages will run and hide!

Re:Why get binaries

[agrippa_cash]

I love Gentoo, but I can entirely understand someone not wanting to spend 18 hours compiling OO.org or KDE. Or even half an hour getting Moz-Frirebird. All I know about the Gentoo reference binaries is that they exist. But they weren't covered and since they seem to be the (distant) second choice for the Gentoo devs, I doubt it is as easy to use as portage.

Re:Why get binaries

[ichimunki]

Because all those optimizations don't mean squat when most computers are not maxing the CPU on a regular basis anyway. Also, portage is not a silver bullet. While it's got a very good system for handling a whole lot of things (especially cool stuff like being able to peg versions or inject versions if you want to roll something by hand), it's not nearly complete. Look at the lame way it handles config issues by just post-poning that to etc-update, which isn't remotely user friendly, imho.

Gentoo is bad for the environment

[pv2b]

Gentoo is bad for the environment, since a computer uses more power when the processor is at work.

This means that using Gentoo is aggravating our problems with long-term storage of nuclear waste as well as introducing fossile carbon dioxide into the atmosphere.

Additionally, source code is generally larger than the equivalent binaries, so it is a waste of bandwidth to download Gentoo, which also is a waste of energy in the long run.

So, for the sake of our children, from whom we borrow the earth, use Debian GNU/Linux. :-)

It's slashdotted- here is the google cache

[zoloto]

Click here

>> or for those with text browsers or aol

http://216.239.37.104/search?q=cache:x0Hrwxt5378 J: www.kitenet.net/~joey/pkg-comp/+&hl=en&start=1&ie= UTF-8

Have a nice day

Mirrors? Summaries?

[javacowboy]

The site appears to have been slashdotted. Can anybody provide mirrors or summaries?

Just like every other Slashdot reader, I'd like to read the article before I post a comment ;)

5 years old!

[spotter]

Joey Hess created that document (at least the first revision) around 1998 IIRC, so it's not so much new news (guessing it's been posted here before, but probably around then as well)

LINUX needs to tell apps where they live!

[Arslan+ibn+Da'ud]

What Linux really needs is a dir-independent application running
system. Imagine a package of...oh, say, g++, where g++ runs properly
even if you move the whole g++ package to a different dir (say from /usr/bin to /usr/local/bin). Most packages, including g++, configure
themselves to run in one location, and they'll get confused if you
move 'em.

Some packages (eg Tomcat) let you move them and they'll still
work...but only if you set an environment variable (eg TOMCAT_HOME)
so that Tomcat now knows where it lives. In a proper environment, an
application could easily & consistently know where it currently
resides on the filesystem *cough* OSX *cough*.

What Linux needs is some standard 'run-app' script that would inform
a package of its location. For instance:

% run-app tomcat

Run-app would be simple, say, the following:

#!/bin/sh -f

$app = shift
$location = `which $app`
env {$app}_home = $location $location/bin/app

That would enable Linux to devise a package format (or better yet,
improve rpm, deb, etc) for more flexible package management.

A package would no longer need to place its binary, libraries,
manpages, etc. all in hardwired locations in the OS...it could just
leave them in its original dir. (or maybe create a 'obj' dir that you
can remove if you wish to clean up the package.)

Re:LINUX needs to tell apps where they live!

[leviramsey]

RPM's are relocatable (at least most, if not all of the packages Mandrake distributes are; hardcoded directories are against Mdk policy and caught by rpmlint). Just edit your .rpmmacros and set macros like %{bindir}, %{libdir}, etc.

Re:LINUX needs to tell apps where they live!

[baka_boy]

Check out GNU Stow for one simple implementation of this; also, see the appdir functionality in OS X, where all the resources an application needs (binaries, shared libs, pixmaps, etc.) are bundled into a single directory structure, which is made opaque at the Finder level. For Linux, the ROX Filer project is trying to do something similar, but also has the advantage of backwards-compatibility with traditional (i.e., '/usr/bin', '/usr/local/bin') installation paths.

Personally, I find the directory layout of most Linux systems to be painfully baroque, with the BSDs just a step behind. Both kick the crap out of Windows system layouts, esp. when it comes to quick configuration tweaks and the like, but the simple fact that you have to know how to do shell scripting to install applications for yourself only is rediculout IMHO. I can do it, but it'd be a lot easier for people I'm trying to get started on Linux to never have to worry about entering a password every time they want to install a new version of the Same Game.

Re:LINUX needs to tell apps where they live!

[molo]

Why? What benefit is there to moving binaries around like that?

-molo

Re:LINUX needs to tell apps where they live!

[Merk]

Running out of space on a given partition. Deciding you want to put gcc, ld, and friends inside a "development" directory and "xpdf" inside a "viewers" directory. Keeping configuration files with the program that uses them so when you start using a new machine you can copy over one bundle of files and everything works the same...

Re:LINUX needs to tell apps where they live!

[orac2]

Just edit your .rpmmacros and set macros like %{bindir}, %{libdir}, etc.

Yes, that's so much easier than just dragging an icon a la OS X.

The point is not that it's theoretically possible to move apps or RPM under linux, or it can be automated if you do some fiddling under the hood (and anything that involved touching a file that starts with a '.' is almost by definition under the hood), but that Linux should offer this functionality automagically. Installing or moving apps in Linux can be a nightmare. In OS X its just drag and drop. Why can't we improve?

Re:LINUX needs to tell apps where they live!

[IamTheRealMike]

My project is working on a library that will allow programs to find out where they are installed to. At the moment it's fairly crude, and needs to be improved, but volunteers are required :)

I'd note that libprefix(db) is not so users can pointlessly drag icons around all day and mess about with filing system structures in the process. It's so you can install to peoples home directories, or /opt, or /usr, or /usr/local, or perhaps a path on another mounted drive. Having relocatable programs is just convenient.

Re:LINUX needs to tell apps where they live!

[molo]

Why would you want to put different programs all over the place? Your PATH would be huge.. and there's no point. There is a standard that describes how the filesystem should be laid out. Linux FHS

Running out of space? Increase your logical volume size and grow your filesystem.

Want to copy your configuration over? Copy all of /etc. Don't want to backup data that you can get from your distro? Just backup /home /var /etc and /usr/local. Very simple, well-defined ways of using the filesystem.

Guess what? Lots of smart people have been doing it this way. Guess what? It works.

Linux is not MacOS. MacOS X is not a Unix(tm) because its filesystem layout is all fucked up. That is why they failed the Unix conformance tests and that is why they are getting sued over using the term Unix.

-molo

Re:LINUX needs to tell apps where they live!

[Erik+Hensema]

Partition? You aren't telling me you still don't use LVM do you?

Partitions are a thing of the past. With LVM you can resize your volumes, even when mounted (when the fs supports it -- reiserfs does). Oh, and did I mention a volume can span multiple disks?

Re:LINUX needs to tell apps where they live!

[Merk]

Ok, so your buddy asks you to help him fix his linux system. He thinks he's a hot HTML designer and has thus "configured" all his editors to use ugly-ass colours, fonts, and blinking.

If you're running OS X, there's a good chance you can copy your editor (one bundle only) over to his system and it will bring its preferences along with it. At that point you can use your editor to fix his sytem. Voila.

Now if you're running another OS, you'll have to copy not only your editor, but any configuration file(s), libraries, or anything else it needs. You sure as heck can't use his editor because it's all messed up.

Increasing logical volume size is sometimes not the easy way to go, depending on how a system is configured. You want to copy your entire system configuration over to an identical system, sure, copy over the /etc directory, but if you only want bits and pieces, or if the OS has changed, even by a minor revision, then you may overwrite system files. Sometimes what you want is stored in /etc/rc.d/init.d, sometimes it's in /etc/init.d, and messing that up can really screw the system over.

OS X isn't unix. Great, SCO doesn't own it. Whether or not an OS is good doesn't ride on it being Unix or not, it's whether or not it's well designed and useable. That's a test that OS X passes better than any other Unix I've used. Sure, some of its quirks annoy me, but they annoy me far less than quirks on other OSes.

Re:LINUX needs to tell apps where they live!

[Merk]

Sadly, some of us have had systems running for far longer than LVM has been stable. :)

Re:LINUX needs to tell apps where they live!

[xenocytekron]

I would think that you would have to drag over the editor and the preferences, which are often stored in ~/library/application support/ or ~/library/preferences. It doesn't seem that much easier. And yes, I run Mac OS X exclusively.

Re:LINUX needs to tell apps where they live!

[moncyb]

Linux does tell apps where they "live." The symbolic link /proc/self/exe. Most developers don't use it either because they consider it bad form (in some ways it is), it's not cross platform, they're too lazy, or they don't know how to do it.

Re:LINUX needs to tell apps where they live!

[WWWWolf]

What Linux really needs is a dir-independent application running system.

Here, go get one. =)

Re:LINUX needs to tell apps where they live!

[Simon+Brooke]

The point is not that it's theoretically possible to move apps or RPM under linux, or it can be automated if you do some fiddling under the hood (and anything that involved touching a file that starts with a '.' is almost by definition under the hood), but that Linux should offer this functionality automagically.

Why should it? Because it's possible in Windows of Mac OS? Or because it adds some useful functionality for a user, in which case what is that functionality?

For any given app, in a properly organised Linux system, there is only one right place. Being able to move it to the wrong place is not a benefit.

And if you're going to whine but what happens if the file system is full, isn't it time you were using logical volume management?

Installing or moving apps in Linux can be a nightmare. In OS X its just drag and drop. Why can't we improve?

In what sense would it be an improvement? It looks to me like a category error, or someone who doesn't understand how UN*X systems are organised.

Re:LINUX needs to tell apps where they live!

[Simon+Brooke]

Ok, so your buddy asks you to help him fix his linux system. He thinks he's a hot HTML designer and has thus "configured" all his editors to use ugly-ass colours, fonts, and blinking.

If you're running OS X, there's a good chance you can copy your editor (one bundle only) over to his system and it will bring its preferences along with it. At that point you can use your editor to fix his sytem. Voila.

Whereas if you use Linux, you just copy your .xemacs directory, which contains two small files, and viola! At that point you can use your editor to fix his sytem. The place for an individual user's preferences is not with the package, it's with the user !

Why copy an application which takes up many megabytes of storage, when you can copy a configuration file whish uses half a dozen kilobytes?

Re:LINUX needs to tell apps where they live!

[statusbar]

In Mac OS X, all apps are really directories with a .app suffix. Inside them can be all sorts of files and directories that you need, not just the executable code. OS X allows your app to look inside these directories, no matter where you have placed or moved them.

--jeff++

Re:LINUX needs to tell apps where they live!

[Tupper]

Mostly you are right: apps should have one true home. sh should always be in /bin, etc.

But, occasionally its nice to have two versions of something installed, for testing or legacy reasons. For these purposes its neccessary to move one of the versions.

OS X seems to me to fail in the other direction--- yes, its easy to have two versions, but its cumbersome to do the more typical case: ie I want to upgrade foo and not have to worry about the users' shortcut bars pointing to the old version.

Re:Why get binaries

[serial+frame]

Believe it or not, like (essentially) all things, binary packages have a purpose, just as source packages have a purpose--platform agnostism.

Before giving me an explanation as to why you (read, the parent poster) in particular would not have a use for binary packages, allow me to explain why binary packages are useful. In the majority of instances, binary packages are useful when one is installing the userland on a system, or when installing a compiler, when you have no other systems to build the compiler on. Binary packages are also handy for systems where compiling from source would be inconvenient, resource-intensive, and time consuming.

Also, there are some proprietary applications that are not available as source, so a logical manner of packaging is with a standard binary packaging system such as RPM or dpkg.

Even NetBSD has its own binary package format (no, not the sets, those are for the base install and are just tarballs without package information).

All in all, binary packages are very convenient, despite the inconveniences caused by vendors who do a poor job of managing their package collection and dependencies. Binary packages are single files, smaller than source archives in most instances, and are installable in a uniform manner.

Let's not get into rogue "package vendors" who package trojans. They are the minority, and most reputable software developers release their own binary packages along with sources anyways.

I think I need a glass of water.

More to the point...

[stomv]

Because there are folks that I do trust. I don't trust the latest nightly build of Mozilla, but I do trust the most recent stable release after it's been out a week or so.

You see, I know there are folks out there like you... so I don't have to be like you too. Enough hobiests and security folks will bang on popular newly released code to pacify my concerns. For specialty apps coming from unknown sources, care is taken and sourcecode reviewed. But, for code from the likeness of a major OS distributor (RedHat, Debian, etc) or a major code project (Moz, Apache, etc), I don't have to bother.

I want it fast and pain - free. Binaries please.

um...

[klocwerk]

Instead of drawing attention to our differences we should be emphasizing what we have in common.

Yeah!
Cause since when has using direct comparisons for determining
the best method for a process worked for anyone?

Re:Binary packages: Security suicide

[ePhil_One]

Yes, I want to source compiles on the dozens of linux systems I maintain everytime I need to tweak build parameters.

If your paranoid enough not to trust the RPM Builders, the checksums, the download process, etc, then download the src.rpm; unpack the contents, and do your vodoo tricks. Then run rpmbuild to build your own damned binary package. I've done it (Ok, I'm a RHCE) and its cake.

Basically, this isn't a reason to dis binary packages unless your paranoia is well into the tinfoil hat level.

What about autopackage?

[munehiro]

The list does not analyze autopackage. Despite it's really recent, it has some interesting features, and as far as i tried it works really well.

Re:Binary packages: Security suicide

[CowboyMeal]

Are you smoking crack?

Apparently not as much crack as the moderators. Score 4, Informative for strtok as a security risk? Give me a break.

Re:Binary packages: Security suicide

[dissy]

One of the main reasons I enjoy DEB binary packages which also do not have any of the bad issues you mention is this:

I'll download the source and compile it on my nice fast zippy P4 2.6ghz machine, then build a .deb from that, not just to install on that machine (Personally I like the fact i can remove it with a package manager) but i can also install that binary package I made myself on my slower systems that dont have a compiler installed.

My three router computers are all p133 or p166 machines. No way am I compiling anything there. Routers also dont need gcc installed.

I run my own private apt repository for this (Its just apache and some config files in text format, and one more line in my apt sources file.)
This way I can tell whichever machines to apt-get it, and later I can apt-get remove it as well.

I also dont have a huge server farm, I just have 8 machines at home for different purposes. Below the P4 mentioned above, my next fastest system is a p2 450. The others get way slower below that (p2 200 and the like, or worse.)

I also dont want a compiler on any system but my development system. The machines in my DMZ dont need compilers, as if they do happen to get rooted, that's one less tool for them to use aginst me.

Open source is also about choice. Please let us have ours, even if you have made your own.

Tradeoffs

[autechre]

Security is always a tradeoff between the effort required and the risk entailed. SSH is more secure than telnet. Even more secure is making all of your employees carry around OTP calculators, but most places don't do this because for them, it's not worth the effort. At a certain point, the "price/performance" tradeoff curve of security starts to get very steep in the direction of "price", and the only way to get 100% security is to have 0% usability (as often noted by the example of unplugging the computer and encasing it in concrete).

So, how much do you need to trust your packages? Do you have enough work and not enough top-secret data that you can trust the package maintainer, the upstream maintainer, and your copy of MD5? For most people, the answer is "yes". This does not apply to X Random Freshmeat App; if you're downloading a new program and installing it yourself, you should check it out first (if you have the means), since sometimes even good authors do things that are unintentionally destructive. But most people can afford to trust that a package which has been around for a while and comes from a reputable distributor is reasonably safe, especially if they're doing the work of 3 people, maintaining 5 platforms, and just trying to keep up.

Unless you're in a situation where many people want your very important data, you can usually afford at least a little well-placed trust. Otherwise, just keeping up with updates is going to consume an inordinate amount of your time, and the rest of your duties will suffer.

RPMs, an' all.

[caluml]

How to roll your own RPMs. Very useful. You can open up a package, say postfix, or mozilla, customise the config files for your organisation, and re-make it. Then you can just install at your leisure.

Best thing about RPMs? GPG signatures built in. Try rpm -K whatever-x.x.x.rpm next time. Second best thing? rpm -Va.

Re:RPMs, an' all.

[asr_br]

Third best thing? The way the patches are organized inside a SRPM (Source RPM). The patches are all separated, which makes it very easy to extract, disable or to add new ones. For people who work with source packages (doing customization, security fixes/auditing, etc), it's one of the best things of RPM.

I must confess I'm not very familiar with the .deb format, so maybe I'm just ignorant, but getting a single patch from a debian source package is a real pain (you get a single, huge patch with all the changes done by the packager). With RPM if you want, let's say, a security fix, you just have to download the SRPM and look for something like foobar-1.1-buff_ovflow-fix.patch inside it.

(And it's not hard to find a package with 300+ patches).

BTW, an excelent tutorial from IBM-DW: Packaging Software with RPM, Part I , II , and III

--
This is not a .sig

Re:Binary packages: Security suicide

[DreadSpoon]

For starts, having access to the source doesn't guarantee anything, since your compiler itself may be hacked. (There are a couple papers on this iirc, Google is your friend.)

Second, there is the simple case of ease. It is a serious pain in the ass to check each and every program installed on a modern desktop OS. It is so much easier to just click on an app in Red Carpet, wait for it (and dependencies) to download and install, and then get on with doing real work. I don't have the time nor the inclination to spend hours and hours scouring source.

If was running a server used to control nuclear reactors, sure, I'd want a little more security. Sitting at my desk doing web development or playing Quake, who the hell cares?

Re:Why get binaries

[Wdomburg]

Because some people have older machines that take several days to compile large subsystems such as Gnome and KDE?

Because some people run dozens or hundreds of machine with identical configurations, so compiling the same package on every single machine is pointless?

Because companies prefer working against a known build of a piece of software for support reasons?

Source distributions are far from a panacea.

Re:Binary packages: Security suicide

[ADRA]

I use binaries because it is simple and straight forward. It is fine for 90% of all my package installs to be of this variety at this point.

I use source packages when I need to make something fit in the system, even if it means hacing code.

Generally, only if a program is of critical importance, or I am curious do I ever bother source browsing. I am not lazy, just practical. I have real work to do, and wasting my time being -anally- paranoid about legitimate distribution channels doesn't help me do my job.

Ah yes, packaging

[Dark+Lord+Seth]

Definitely one of the features which makes Linux a powerful OS. A good and well-configured packaging system can be a blessing, automagically resolving dependancies or at least telling you where and how things will fuck up. The problem with package managers is that there are quite a few of them around. Normally, diversity would be a good thing but those package managers don't seem too willing to process eachother's packages...

For example, RPM packages are almost common these days; most open source software has a few packages ready to be implemented. Pretty much the same thing with Debian packages, because of the large userbase. Chances are that a few hours after the release of a major product someone has made a .deb somewhere, ready for you to install. However, if you'd look beyond these two packaging systems, you'd get a few nasty surprises...

The TGZ packaging scheme (also mentioned in the article, along with RPM and DEB) just... Well... Sucks. Or at least in Slackware, I don't know if any other distributions use it differently but lets use Slackware's TGZ system as an example for now. What's wrong with it, you ask? First of all (and possible the foremost reason) it's almost unused. Apart from the Slackware packages itself, I've never seen anyone distribute something in the TGZ format which worked. That excludes the few things which I found and simply refused to install. It doesn't do dependancy checking, conflict-checking, heck, it doesn't do anything or so it seems. I'd continue but ranting about the bad parts of Slackware isn't the issue at hand.

The issue at hand are the two remaining package systems, which might be technically sound and quite useable, but they still won't have allot of use. Who here has ever heard of SLP and PKG packages? And even then, who here knows of any major applications which distribute their software using those package systems? Sure, SLP and PKG might be a dream to use, but without any actual packages to install, they're (possibly sadly?) not really of any value.

Which brings us back to RPM and DEB, apparently two of the most common systems, courtesy of Red Hat and Debian. Looking at the list of summed up data, it's really not a miracle those two are more common: Both support mostly options listed, both are backed by a large amount of users/developers and both are relatively easy to use, yet still distinct. Perhaps a system which allows multiple systems to cooperate (regarding dependancies and conflicts and the like) would be a nice compliment to both RPM and DEB?

Re:Ah yes, packaging

[dissy]

> The TGZ packaging scheme (also mentioned in the article, along with RPM and DEB)
> just... Well... Sucks.

Not intended as an attack aginst your comment (You are fully correct, it sucks) but to clarify a point: .tgz is not really a package format. .tgz (.tar.gz, or a compressed tape-archive) is no more a binary package format than .zip is for windows.

Slackware created a rather elegant hack at the time, of having a /package/install.sh script in the tarfile which is run with a bash shell after the files are extracted to do any command based setup, but that is it.

Imagine if you will, a .zip file that states 'uncompress this file exactly here C:\windows\system\whatever\foo.bin '
That is all a .tgz can do.

This is why it supports no dependencys or checking, because its just an archive file.

Technically speaking, this isnt a package format as much as a creative way to run a shell script after extracting some files.

* I realize you were just replying to the articles claim that it is a package format, and from your own experences. I just wanted to explain why your experences sucked... It was more of a design flaw to use an archive as a package format, then the package format sucks.
From an archive stand point, .zip and .tgz do great.

Re:Ah yes, packaging

[Arslan+ibn+Da'ud]

The TGZ packaging scheme (also mentioned in the article, along with RPM and DEB) just... Well... Sucks.

Show some respect, ya young whippersnapper. The TGZ is admittedly less featureful than deb or RPM...mainly because its older...much older. Who hasn't used tar and gzip at *some* time to transport files? They have their uses, and until RPM & Co came along they worked pretty damn well...especially considering that they are two programs that were originally intended for general-purpose compression and making backup tape archives!

Re:Ah yes, packaging

[Lenolium]

SLP is the Stampede Linux Package format. Just slightly more advanced than a slackware .tgz. And I mean just slightly. It was a .tar.bz2 with a struct fwrite()'ed to the end of it. It worked off of a "feature" in tar/bzip2 where it would ignore any data beyond the end of where tar thought the file would end data, so you could extract data from them with just standard tar.
The other cool part about them, was that the final byte in the file told you what version of SLP the package was, and a single fread() call would get all of the metadata extracted. The downside was that none of the fields were varible length, and that I never got around to implementing dependency checking.
All in all, it doesn't much matter, because the Stampede Linux Project is Deader than BSD ;). It was a fun little package format to write, I took over since the v2 packages (we went through a lot of versions). Oh well, enough reminicing(sp) for me.

Re:Ah yes, packaging

[ilikehardhouse]

The issue at hand are the two remaining package systems, which might be technically sound and quite useable, but they still won't have allot of use. Who here has ever heard of SLP and PKG packages? And even then, who here knows of any major applications which distribute their software using those package systems? Sure, SLP and PKG might be a dream to use, but without any actual packages to install, they're (possibly sadly?) not really of any value.

Solaris uses .pkg packages. Have a look at http://www.sunfreeware.com for a few examples.

Re:Ah yes, packaging

[RealUlli]

Who here has ever heard of SLP and PKG packages? And even then, who here knows of any major applications which distribute their software using those package systems? Sure, SLP and PKG might be a dream to use, but without any actual packages to install, they're (possibly sadly?) not really of any value.

Well - If there aren't 2 different "PKG" formats out there, everyone that has ever installed a package on a Sun system has heard of pkg. So, yes, there are a *lot* of pkg files around, even commercial software and freeware (check www.sunfreeware.com)...

Regards, Ulli

Re:Binary packages: Security suicide

[GammaTau]

The binary distributions usually come with a way to compile your own binary packages if you wish to inspect the source code. Just download the source RPMs or use "apt-get source". The "binary distributions" are generally binary and source distributions where you can choose whether you use prepackaged binaries or compile your own.

Crackpot security

[pv2b]

Um.

Yes, and it is completely impossible for users to (gasp) compile their trojans elsewhere and FTP them over?

Also, are you saying that you're compiling your stuff as root? Bad idea, since compiling software does not require root priviledges. A better idea is to compile your software as a user, and then "make install" as root through sudo.

There have been cases in the past in which open source software source code has been backdoored, so that running the ./configure script connects to a remote server giving it a shell. Running ./configure as root makes this potentially even more destructive. The ./configure script is the last you audit for security holes, no?

Sure, you could argue that "make install" is backdoored, but it's always a good idea to check exactly what scripts you're running through "make install" anyway, since that's done as root.

Run as little as possible as root, and don't fool yourself that chmodding user-space programs not requiring root privileges is somehow improving your security.

Ah, another linux-only discussion

[softweyr]

Gee, I would've loved to have seen this include the BSD package format, and perhaps the Mac OS X one too. Sigh. For what it's worth, they score fairly well on the feature comparison chart, similar to RPMs.

All of these formats could be done better. The OpenPackages project had a design project underway to consider the features of an ideal, multi- platform package format early last year but it seems to have died from lack of input. It'd be great to see it get a breath of new life. If nothing else, this article could serve as a starting point for what we do and don't like about current formats.

Re:Ah, another linux-only discussion

[pmz]

Ah, another linux-only discussion

One problem with humans is that they easily forget alternatives in light of the current "one true way". Linux will become the next Windows. Just wait.

Re:Ah, another linux-only discussion

[joey]

It's not entirely linux-only, since I include the pkg format on there, as used in solaris. I think adding OS X packages to the chart is a great idea. If someone wants to contribute the answers for a column on that format, get in touch with me by email. (The pkg format column was contributed by Marc Herbert.)

Re:Binary packages: Security suicide

[menscher]

On the other hand, many of the backdoors I've seen recently have been incorporated into the Makefile. If you get a binary distro, you're completely safe. Yes, reading every line of code would be nice, but let's try to be realistic here. A malicious programmer could just put an off-by-one error in somewhere to leave themselves a backdoor. To get things back on topic, where are comparisons to .tardist or to encaps?

Just curious...

[dlosey]

No matter how many "packages" I see. Still love slack-packs the best

Exactly how many of these "packages" do you see in a day?

And of all of them, you like the slacked ones?

Re:Just curious...

[argan0n]

In a day? Not sure what ya mean.
But of all the packages that I've used over the years (instead of just compiling from source) I like slackware packages the best. They feel light weight, straight to the point, and miminal. You are expected to know your machine, libs you need, etc, etc. This leads you down the road of understanding what going on better I think.
If the packs are from the distro you can get the source packages and edit/recompile from the SlackBuild script with little effort.

But I still prefer source over 'em all. :)

Re:Just curious...

[cyb97]

The best part of a slackpack is that you only really need tar to get it installed... no fuzz included in the actual package... ;-)

One thing less to break ;-)

Re:Just curious...

[tzanger]

some background: linux user for the past 7 years.

My preferred package is Slackware Packages. debs, RPMs (RedHat and SuSEs), Gentoo ports... all ugh. Slackware packages do everything you want for installs, and almost all of the uninstall stuff. Where almost every package managers fall apart is in uninstalls. Slackware does so too, but without crapping up the install in the process.

CheckInstall does wonders for Slackware, Debian and RPM-based systems. I am planning on contributing code which allows you to apply a patch -- not just blindly overwriting a file. Perfect example: Perl modules. Module installs add to perllocal.pod. CheckInstall will write the new perllocal.pod into th epackage. Not so good.

Another place where package managers fall down is dependencies. I'm sorry, but no package manager on the planet does package management right. Slackware doesn't pretend to do it at all, which is great. And I mean what's the worst that happens if you're missing a dep; a pretty straightforward error in most cases. Admittedly "can't resolve pz_requiredFunctionHere()" isn't clear, but some work can be done to clearly separate the dependency database from the package manager, and bolt on something to do the deps. Deps should _not_ be integral to the package.

Finally, a personal gripe about Debian; while their source packages are by far the best in the biz, rewriting the man pages to change practically every reference of Linux to GNU/Linux and blindly overwriting the author's configuration locations to fit into "the Debian way" goes too far sometimes. Uniformity in the distro is good, but there's been more than one occassion where the Debian man page was just plain wrong compared to the author's original.

Gentoo and FreeBSD ports

[Ann+Coulter]

are better than packages because you get more control over what is installed onto your file system. If you really want to the slight advantage that package formats provide over ports, use SRPMS. You will have some of the customizability of using ports and all the features that RPMs provide.

InstallShield

[rsmith-mac]

I'm primarily a Mac user here, but can someone please explain to me why the Linux equivilent of InstallShield(or VISE, or anything else like that) hasn't been created yet? While it isn't the best solution when you want to deal with versioning, dependancies, and top-notch security, it still seems silly that such a program isn't around, when it's obvious that most everbody that isn't tech-head wants such a program. Is there really such an evil reason that people can't have simple, easy to use installers on Linux?

Re:InstallShield

[...] hasn't been created yet?

Each of these does what InstallShield et al. do: install a program, keep track of how & where it was installed, and give the user the the ability to uninstall it.

I've had problems with un-installing things on my Windows XP box at work: too many software makers try to get around it, and there's no way to figure out where things were put. At least with Unix, I can do a find(1) before installing, then after, do a diff(1) and figure things out from there if I don't trust the developer.

Is there really such an evil reason that people can't have simple, easy to use installers on Linux?

What's not simple by installing (say) Apache with an `apt-get apache`? Under FreeBSD it's `cd /usr/ports/www/apache2; make install clean`. Out of all the systems I (personally) think that FreeBSD's and Debian's are the best (prefer FreeBSD in general as an OS). I haven't used Gentoo though.

Re:InstallShield

[damiam]

It does exist. And no, it's still not any easier than 'apt-get install <program>'

Re:InstallShield

[iantri]

The thing is, when you mix-n-match binary installers and RPM packages, at least in RedHat, it gets very confused as to what is installed on the system, screws up dependencies and your upgrade path. rpm -Uvh --force is not fun.
IMHO, a single package format (for all software on a machine) is needed to allow easy upgrading, dependency checking, and so on.

Re:InstallShield

[Arandir]

InstallShield has one, and only one, advantage over your typical Linux/BSD/UNIX package. In every other way it sucks. The one place it has an advantage is that it allows the user to somewhat customize the installation. On the other hand, the "less is more" GNOME folks might argue that this is a Bad Thing(tm).

Here's how a Windows user installs a program with InstallShield: Download executable. Double click on icon. Read obnoxious and threatening license screen. Click some buttons. Click, click, click. Some more clicks. Clickety clickety click. Reboot. Run program.

Here's how a typical UNIX user installs a program with a typical package manager. Download executable. Double click on icon. Run Program.

I hate InstallShield programs. Put everything into one directory tree, and zip it up. If you need to manipulate the registry, or other system wide interference, do it at first execution. Uninstall is as easy as removing that single directory. Isn't that what Mac users do? And don't people generally consider the Mac to be easier to use than Windows?

Frankly, the UNIX world doesn't need an install shield.

Re:InstallShield

[tjcoyle]

Good question. No flamebait here, but unfortunately, I think the differences between various *nix distributions makes this a difficult, if not impossible task, indeed.

I know, OK, yes, indeed, mmmhmm, Windows rots. But the consistency of a closed architecture does have something going for it in this arena, indeed.

Re:Binary packages: Security suicide

[weorthe]

It isn't necessary for 100% of users to look at the code in order to test its safety. If only 10% or 1% of the community do, then it's still better than closed-source. The rest of us just have to listen to the gurus. After all, you don't expect 100% of users to write their own code do you?

Re:Binary packages: Security suicide

[buddha42]

Yea! I totaly agree with the above poster. For instance, the first thing I do when I sit down to use a computer is take apart the keyboard with a screwdriver. You can never trust that someone hasn't installed a keylogger.

Every time I've bought a car I bring a socket wrench set with me and tear apart the engine right there on the dealership floor. If I didn't how could I know that Al Queda hasn't set me up to be a pawn!?! Not checking your equipment like this is tantamount to supporting terrorists.

Re:Binary packages: Security suicide

[Forseti]

Actually; unless you wrote your own compiler, in assembly, ENTIRELY FROM SCRATCH, and then proceeded to review then entire gcc code and compile it with your own compiler before using it, you may still be inserting plenty of back doors abnd trojan horses into your binaries.

Read here to find out why:

Re:Binary packages: Security suicide

[occupant4]

You have got to be kidding. Do you think everyone who uses Linux has the time to do that for every package they install? When I installed Debian, I wanted X. I typed 'apt-get install x-window-system'. The following download and install of all the required packages took about a half hour (over dsl). Your way would have taken me about 2 hours to get all the right packages, and another couple days to compile them from source (after of course checking for security vulnerabilities and fixing them myself).

Not everyone who uses a computer is a programmer. Not everyone who is a programmer is paranoid enough to think that a binary package from RedHat contains a secret connect() to send out their passwd files. Not everyone who IS a programmer, and who IS that paranoid, has the time to audit the code of every package they install.

For these people, binary packages are quite convenient and useful.

Re: Security suicide - not necessarily

[schon]

While I understand your logic, there's a HUGE hole in your reasoning (besides the ones already commented upon.)

Binary packages are a great boon to any sysadmin that manages more than one box..

I admin a few dozen Linux boxes (all slackware :o) and binary packages save me a TON of time and effort - the result of which makes my boxes more secure than compiling from source.

For example, not too long ago I updated Squid (due to a security hole), which was running on 20 or so of my servers.. can you imagine HOW MUCH TIME it would take to compile from source for EACH one (considering they are Pentium 1's)? And that I'd have to have a working dev environment on each one!

Instead, I compile the software on an offline server, and check to make sure it works (another imporant step - Squid changed it's config file between versions, so I had to modify the config file).. then turn it into a package, which gets scp'ed to each of the servers, and installed.

Package management allows me to keep track of each file, so upgrades are painless.. and if one of the servers goes down, I can have a new one up and running in 20 minutes, using the same packages I used to upgrade the other systems.

By using binary packages in this way, my systems are MORE secure, because I'm able to minimize the window of vulnerability, and because I don't have to maintain extra software on the boxes (from a security standpoint, anything you don't need should be removed - on a production server, this would include a compiler.)

Remember - not every binary package is untrusted. The ones you make yourself are as trustworthy as the source you used to create them.

Technically...

[serial+frame]

From a technical standpoint, I find that creating a Debian package would be far easier than creating a Red Hat package. Essentially, a packager does not require any special tools to create a package; all one needs is ar, tar, and gzip, and a text editor to write the package control data. This feature-by-design allows poor ol' me, without any Debian machines, to create packages, assuming a similar development environment and libraries as the Debian environment I'm targeting (which really should not be hard, provided the libraries I use are of the same version).

Similarly, I could install a Debian binary package if that were all that existed for my particular environment, with a simple

$ ar p data.tar.gz package-arch.deb | (cd /; tar -p -zxf -)

(I digress, simple may be relative)

On the other hand, since RPMs have a special binary header, the lazy would be forced to install RPM and Berkeley DB on non-Red Hat-machines in order to build an RPM package. Though it is possible to extract the gzip'ed+cpio'ed data in an RPM without using rpm.

So, in my view, Debian has a bit of an upper hand in simplicity, from a technical standpoint, but not by much.

Re:Technically...

[debrain]

Actually, the point goes much further than this. If you are on a RPM system and you lose control of RPM, either through library problems or dependencies, or what have you, you suddenly are robbed entirely of your ability to control the packages on your system, usually including the ability to fix the system itself.

This is not something anything but highly technical users, or even faint of heart, will encounter. However, it is something that has undermined my ability to recover from catastrophic failures on machines with RPM that do not have CD or network access. I have even been reduced to binary manipulation of RPM files to extract the cpio compatible archive (not a task I would undertake lightly).

In contrast, with Debian packages, I have been able to rebuild a machine from scratch with ar, tar, and gzip, which are extraordinarily unlikely to break. Even in the event that they are unavailable, one can copy them to lightweight media, statically compiled, and then they have no real dependencies. Even if dpkg or apt fails (the latter more likely than the prior, in my experience), it is almost always possible to recover from catastrophic mistakes.

In summary, .deb seems to be a far superior package format to recover from catastrophic failures in system utilities such as the package manager. Of course, as you may have ascertained from my comment on cpio, I have experiences precluding bias. ;)

Re:Technically...

[flight666]

You can do the same thing with RPM:

$ rpm2cpio somepackage.rpm | (cd /; cpio -div)

Re:Technically...

[serial+frame]

I hate to nitpick, but just to affirm my point, I have to say that rpm2cpio simply isn't available on every system. Of course, one could remedy that by writing a snippet of code that skips all of the RPM header data and starts outputting the contents of an RPM as soon as it has hit a gzip header; then piping it to gunzip and cpio -div. But not everyone is willing to do that ;x

Though I do thank you for adding that bit of information.

Re:Technically...

[GuruJ]

For those who haven't already found the divine nectar that is rpm --root, I found this option very enlightening:

rpm --root DIRECTORY

Use the file system tree rooted at DIRECTORY for all operations. Note that this means the database within DIRECTORY will be used for dependency checks and any scriptlet(s) (e.g. %post if installing, or %prep if building, a package) will be run after a chroot(2) to DIRECTORY.

In other words:

1. Once your RPM installation screws up, boot from your Red Hat CD and type 'linux rescue' at the boot prompt.
2. Mount your system image under /mnt/sysimage as read-write by selecting 'Continue' when prompted.
3. Attempt to fix your rpm problem either with:

   # rpm --root /mnt/sysimage -i --replacepkgs /mnt/cdrom/RedHat/RPMS/rpm-x.x-y.yy
   
   or
   
   # rpm --root /mnt/sysimage --rebuilddb

   or use the option soup of your choice.

Enjoy!

Re:Binary packages: Security suicide

[Mandi+Walls]

this might have been the way to go in 1997 when only pansies ran systems with package management and real men built everything from source to run on their slackware boxes.

However, it is reasonable to expect several hundred packages to be in place on a moderately loaded machine. I get paid to admin linux, but even i have better things to do than sit and go over all the packages with even grep. On 9 different distributions. across 30+ machines. And it's not like i have a large installation to deal with.

If you're downloading source, you should be downloading gpg signatures and checking them. I'm downloading binaries, and checking the signatures against those. It comes back to trust, then, in the way pki and pgp meant trust to be: do you trust the source of this tarball? do you trust the person who signed it to not be naughty? If so, go nuts.

If you have the time and patience to go through every piece of software, every perl module, evey little whatever that goes into your machine, more power to you.

But I think your attitude undermines the idea that open source programmers participate in the community for the peer prestige and bragging rights. Where do your bragging rights go if your stuff's been trojaned? if you can't be bothered to gpg your stuff? Someone's going to clamp onto the security idea and say "well, you really can't trust those Open Source guys; they're all just out to trojan your machines and hijack your network, so you should buy windows".

You have to have some kind of package management in a production environment. Being able to tell with one query what version of a package is installed on a machine is very useful (rpm -qi)...knowing what all the files are that the package installed is more than useful (rpm -qf). Having shit all over your machine that you installed by hand, in some random directory scheme that makes sense to you is great. FOR YOUR HOME MACHINE. But if i get your job and find that box, i'm reformatting and badmouthing you to your mom.

--mandi

Re:counterproductive

[bongoras]

that's fucking nonsense. I hope your trolling, not seriously implying that discussing differences in packaging formats is somehow wrong or divisive.

shit. I have been trolled.

Re:Binary packages: Security suicide

[Count+of+Montecristo]

of course, we are assuming that you follow a good security practice and have a BUILD machine to compile, before deploying to your 'secure' servers with no compiler

The problem with RPM...

[eyegone]

Is that the rpmlib API is almost completely undocumented. As GoRK pointed out, management tools such as apt, rpmfind, up2date, etc. are far more important than the underlying package format.

But it's very difficult to create those management tools for RPM when the API is a "black art" known only to a few. Questions on the RPM mailing list/newsgroup will generally be met with the advice to "use the source, Luke"--all several hundred thousand lines of it!

Re:The problem with RPM...

> Is that the rpmlib API is almost completely undocumented. As GoRK pointed out, management tools such as apt, rpmfind, up2date, etc. are far more important than the underlying package format.

I disagree; with a good packaging format, a better management tool than what's out there can always be written. With a poor format, you can only write so good a tool and then you're stuck wishing for a format feature.

Re:strtok

[pv2b]

Stupidly designed functions don't lose data centers. Sloppy programmers lose data centers!

It doesn't insert null pointers between the fields, it inserts null terminators, '\0'. If you're treating a char as a pointer, that's a big problem in itself.

Understand the function before using it. If you do not understand how to use the function, you shouldn't.

If you want to bash functions, bash people using strcpy() etc instead of strncpy().

What's next, you complaining that the C language allows you to do stuff without error checking? Get over it. If you want some kind of security net against buffer overflows and strack-smashing, use Java or something.

Loki Setup

[man1ed]

Loki Setup is now maintained by icculus.org. However, I think that any good package scheme (read: RPM, DEB, Portage, or whatever) is better than this if the administrative tools are good.

Because you haven't looked?

[autechre]

http://freshmeat.net/search/?q=installshield
http ://freshmeat.net/search/?q=installer

Everyone and their brother is probably writing an installer (although more people are apparently writing MP3 jukeboxes, Web image galleries, and CMSs. Trust me.) Can't say I'm seeing a "clear winner" though, which is also the case with apt front-ends.

Re:Binary packages: Security suicide

[Percy_Blakeney]

I don't understand why so many ostensibly clueful people are so enamored with the whole concept of binary distributions.

...

Obviously, for large software packages, you probably don't have time to read every last line of code.

That is the understatement of the year. I would dare say that in order to read and understand a program that is on the order of five million lines, it could take you a year or two. For a non-expert programmer (or even an expert with no operating systems experience) it could take forever to just begin to understand something like the Linux kernel source.

But what I generally do is untar the source and then grep through it for suspicious things.

That's great if you know what you are an expert programmer (and if you think that a simple grep will help you that much.) But what of the small business that doesn't employ you? Do they need to perform that same review? Of course, they could skip it and just compile the thing, but that is the same as just using the binary packages!

You may as well just hang your Linux box out on the net with 500 open ports and no firewalls.

Baloney.

Because a well-hacked program will allow the hacker to get at your data, firewall or not.

A well-hacked program will be completely invisible to you, as well. Your grep methodology is too simplistic to catch any sort of sophisticated trojan. Even if you were to laboriously go through the code, line by line, you still wouldn't catch anything but the most obvious of hacks/problems.

The only way you can be completely sure is to read the source.

No, the only way is to not run it. Software is not a mathematical formula that you can "prove". Large programs are horribly complex, as you most likely already know. Binary packages serve a very useful purpose for many people. If you choose not to use them and to perform some limited form of code review, then that is great for you, but don't try to demean anyone who doesn't do the same.

Re:Why get binaries

[ncc74656]

I love Gentoo, but I can entirely understand someone not wanting to spend 18 hours compiling OO.org or KDE.

Gentoo provides binary downloads of the larger packages. The stage 3 tarballs (available in multiple flavors to accomodate different processors) provide the basic system, while v1.4rc2 includes the Gentoo Reference Platform (GRP). GRP provides prebuilt X11, GNOME, KDE, Mozilla, and OpenOffice on x86 and PowerPC systems. (It doesn't seem to have been updated for newer Gentoo versions, so it's no doubt a few versions behind now.)

Binary packages are somewhat ignoring the point of Gentoo...yes, they speed along deployment if you have a bunch of machines to roll out, but you could achieve the same effect on a bunch of identical machines by doing one install in the normal manner and then just clone that install into the other machines. The desire of some people for a quick install hasn't been completely ignored.

(For my purposes, I'll usually start with a stage 1 tarball. I built 1.4rc4 inside VMware on a WinXP box at home; even with VMware only letting Linux see one of the two processors in that system, the build ran quickly enough. Once I migrate my stuff off of the existing server config, alfter.us will switch from Linux From Scratch to Gentoo. I've had it running on several servers at work for a while now...it combines the performance and security of Linux From Scratch with most of the ease of setup of a conventional Linux distro.)

Re:Why get binaries

[man1ed]

Or even half an hour getting Moz-Frirebird
Half an hour? You spoiled, dual 3GHz-running... guy! Seriously, it's more like 4-5 for me.

Re:Binary packages: Security suicide

[mickwd]

Have you ever heard of signed binary packages ?

Mandrake RPMs are security-signed, and if they don't have a valid Mandrake GPG signature, you get prompted as to whether you really want to install them. I'm sure most other distributions which use binary packages do the same.

Even more pertinent of a question:

[bazmonkey]

Why should we choose a binary format when we have Gentoo with which you can download the sources and build your own optimized binaries..

Why should we choose Gentoo when we have the actual sources, with which you can download and build your own optimized binaries?

Mod Parent Up!!

C'mon, people. This is obviously a joke. It might not be deserving of a 5 (I think it is, but that's not important), but it certainly isn't flamebait.

Re:Mod Parent Up!!

[pv2b]

Actually, I was being half-serious. :-P

Obviously another case of moderators pushing their own agenda.

Re:Binary packages: Security suicide

[DNS-and-BIND]

Putting a compiler on a production machine is a sure sign of an amateur. Any linux noobs out there want to debate this?

Slashdotted.....

[cansecofan22]

Here is the link to googles cache of the site:
CLICK HERE

Installing from source can tend to be easier...

[???]

Installing from source can take less time and be much easier than installing binary packages. Binary packages depend on one specific set of library versions. For many packages these dependancies are difficult to maintain, without a cascade resulting in the need to upgrade many other packages in your system. If you're building from source, though, you can build the package against whatever versions of the libraries you already have installed...

Re:Installing from source can tend to be easier...

[Q2Serpent]

I'll bite.

For a desktop linux distribution, I run Mandrake. Currently, I'm running Mandrake 9.1.

Let's say that today, I want to install a common package that I don't have, but want to use, like kismet, the wireless sniffer (http://www.kismetwireless.net).

So, this is what I do:

# urpmi kismet

and how long does it take?

# time urpmi kismet
ftp://ftp.club-internet.fr/pub/unix/linux/ distribu tions/Mandrake/9.1/contrib/RPMS/kismet-2.8.1-2mdk. i586.rpm
installing /var/cache/urpmi/rpms/kismet-2.8.1-2mdk.i586.rpm

Preparing...
(Lameness filter hashes)
1:kismet
(Lameness filter hashes)
3.61user 1.13system 0:28.03elapsed 16%CPU

Yeah, that's 28 seconds.

Now you, compile it from source. How long did it take?

Now, I realize that kismet is something that someone else packaged up specifically for Mandrake 9.1, and it happens to be in the contrib section on a mirror for me. But, so is tons of other *common* software, and it's all that easy to install (yet, full dependencies included).

Of course, if I want to install something that isn't built for Mandrake 9.1, I can compile it from source just like you. But that's not slower either. In fact, if I spend an extra few minutes making an RPM out of it (granted some sources are harder to make into RPMs quickly), I can not only install it easily on this and any other Mandrake 9.1 machine I want it on, but I can also uninstall it, and upgrade it, with full dependency checking.

Compile everything from source? Hah!

If you don't do that, you have bigger problems.

[Population]

Let's be honest. If you don't follow the correct procedures in the beginning, anything you attempt afterwards will be a band-aid(tm).

Security is a process, not a line item.

Security requires more time be spent and more effort be expended than unsecure practices.

Right up to the point where someone or something happens to your systems.

On trusting trust

[dsplat]

For example, if it's not a networking application, then I'll usually grep for system calls like connect() or bind() .. a dead giveaway that somebody has tried to slip some kind of a backdoor into the code. If I find something like that, I rm -rf it and forget it. You can also search for calls like gets(), strtok(), fopen(), and other well-known security risks and fix them if you feel like it.

I have two questions. What percentage of the packages you use did you download the source for and grep through? And how many of them did you find trojans in?

If you have not checked your trusted base (kernel, compiler, linker, libraries and whatever tools you use to look at the code), then you can never be completely sure. See Ken Thompson's article, Reflections on Trusting Trust for an excellent explanation of why.

OSX Packages

[MBCook]

I LOVE the way software is done on OS X (and infact the whole Mac platform for a VERY long time). To install a program, you drag it's executable somewhere. To delete a program, you drag the executable to the trash. Sometimes it's in a folder with some other stuff, but whatever. No apt-get blah. No emerge blah. No d:\setup.exe crud. Just drag and drop. Same to erase. Same to move the program around on the disk. No hidden config files. No registry. No DLLs hidden in c:\something\somewhere. Just simplicity. And they way that nearly everything you'd ever want to use is in the same place (and you can categorize it yourself) works as a startmenu of sorts. While I like Debian's packages the best (of all the many Linux distro I've tried), the Mac knows how it should be done and that's what we should be striving for. Putting libraries in one place and bianaries in another and documention in another and... may seem smart and may work well when you have a package manager, but if you install a package by source, it can be a MAJOR pain to remove everything it installed. For user installed programs, it's utter simplicity and nirvana.

I'd put Windows just a little ahead of Linux (because of the multiple formats of Linux packages), but OS X (and all Macs) are way out in front in this arena, IMHO.

Re:OSX Packages

[arose]

To bad it doesn't work on an open system.

Re:OSX Packages

[IamTheRealMike]

I don't agree. To install software on a Mac, you have to:

1) Open up your web browser
2) Find it on the web.
3) Download the DMG
4) Open the DMG (i know safari does that for you, good usability that, magic self destructing folderfiles)
5) Decide - is the icon an AppFolder, or an installer? Installers are rather common on MacOS these days, primarily because a pure appfolders system is too limited.

5a) If it's an AppFolder, open up the finder
5b) Navigate to Applications
5c) Drag and drop the appfolder in
At this point, there is no system integration (file associations), and multi-user control is questionable.

6a) If it's an installer, run it, and hope things work well.

Now is that truly easier than:

1) Open a terminal
2) Type in the name of the software you want
3) Run it.

.. at which point you have good system integration, with internationalized, self organising menus.

Well. Is it easier? I don't think so. The Mac way is more work for users, it's more limiting for developers.

The main problems with the Linux way are that it's not always that easy, and when it is, it's still not got an intuitive GUI (synaptic is too confusing really). Well, there are solutions to both of those, and people working on them.

Bear in mind that "installation" as a process can be entirely abstracted by a good user interface. It can be as simple as drag and drop, but WITH all the benefits of a strong packaging system.

Believe me. If all goes according to plan, Linux is going to end up with the most kickass software installation system the world as ever seen. It's going to rock. I can hardly wait :)

Re:OSX Packages

Well, considering the level of detail you went into on the Mac (thinking of "Navigate to Applications as even mentionable??"), lets revise your linux steps.

(1) Login
(2) Become superuser
(3) update your package management database
(4) figure out the exact package name (which varies from rpm to deb to etc, etc)
(5) install
(5: optional) if its a source-distro (a'la gentoo), wait for it to compile, and hope you even have a compiler)

However, using your linux-level abstraction steps, Mac OS can be reduced to this:

(1) Double-click on file
(2) Drag and drop to *anywhere*

Re:OSX Packages

[IamTheRealMike]

We're talking about generics here, it's fairly trivial to make updating the database automatic. Then it's just a case of "sudo apt-get install foo", or whatever. And yes, I know it can be improved upon, but the basic concept allows for installation with very little effort.

Re:OSX Packages

[softweyr]

If you like the current state, you're going to love it when developers embrace the "multi fork" file concept. The fly in the ointment you describe above are all the other files that go along with the application -- configuration, libraries, etc. Multi-fork won't help with the libraries (I don't think) but it will allow a programmer who is writing for OS X to attach configuration files and such as forks in the executable itself, rather than separate files.

I have no association with Apple other than sideline cheerleader, but this multi-fork filesystem concept really intrigues me. Good idea if used properly...

Re:OSX Packages

[FooBarWidget]

How does it do dependancy handling? Or are you going to tell me that each and very app bundles their dependancies with them, wasting harddisk space, memory, and most importantly: bandwidth?

Using Gentoo (source) versus binary?

[xtrucial]

I've been running Gentoo for a few months. I *love* the package manager, except for occasional compile errors (latest problem is with Bash 2.05b-r5).

Anybody know if binary package management would be more stable, but still allow for the somewhat bleeding-edge version releases of Gentoo? I haven't used a binary system in years, so I don't recall what it was like.

Re:Debian vs RPM vs tgz

[ptr2void]

Seriously, RPM or .tgz are the only format you need.

Any reasonable arguments for that claim?

Re:Because of /.ing

[mcc]

Wow. It's just like an M.Doughty poem when you format it like that.

The difference is the Debian community.

[Population]

You cannot get your binary into the main site without going through a social screening process.

This allows more standardization than amongst the various .rpm based installations.

Standardization means fewer problems for the rest of the users.

But it means more work for the people developing the packages.

Its about how you can get them...

[Kegetys]

I cant read the article since it seems to be slashdotted, but in my opinion the RPM's and DEB's etc. seem all equally good, the difference comes from how easily you can get them and whatever the package depends on. I wouldn't care if my Debian box would use RPM's, as long as I could still use apt-get to grab them and the dependencies.

Re:Why get binaries

[Mr.+McGibby]

See A whole lot of unecessary effort

Re:Because of /.ing

[fearlessrogue]

The return key is a good thing. See?

Re:Binary packages: Security suicide

[njdj]

All of this goes away if you download and install binary packages. You may as well just hang your Linux box out on the net with 500 open ports and no firewalls....The only way you can be completely sure is to read the source.

You haven't read the entire source of the GNU/Linux system you're running, so you have no business telling us that we ought to do it!

Why am I so confident you haven't read the source? Because it's not possible. Even a relatively basic Linux install will correspond to over 2GB of source code. That would be about 800,000 pages of a typical book (2500 to 2800 characters per page). Source code is typically much less dense in terms of characters per page, so it would be millions of pages. It would take you several years to read it, by which time the bits you'd read first would be long obsolete.

Re:Binary packages: Security suicide

[WoodstockJeff]

One of the problems with open source packages are dependencies... One program I used to keep track of requires you download and install, from various sources, at least three and up to over a dozen other packages to install it. Many of the required packages are already installed on my system as part of the Mandrake or RedHat install... but not the source code for them, so I can't install the desired program until I gather the other parts.

Ever try to gather all the parts needed to compile PHP? I have - we needed the calendar functions which, for some reason, aren't included in most Linux binaries. It didn't complile properly, though; we ended up implementing the needed functionality as part of the scripts themselves, rather than relying upon the "buildable-in" versions.

Binary distributions aren't evil, just because they're binary. If you feel this way, I hope you don't accept those binary installation disks for Linux, since the only safe way to install it is to compile it completely from source, and hand-copy it to a virgin hard drive...

Cause and effect

[zoeblade]

Cause: The word "apropos" is used in The Matrix: Reloaded
Effect: The word apropos is used on Slashdot.

Re:Cause and effect

[csguy314]

Concordently, the irrevocable flaws of the open source package systems are inevitabily expressed as both beginning and end. The chemical precursors undoubtably signal the quintessential human delusion that is simultaneously the source of our greatest strength and greatest weakness, our contingent affirmation from profound attachment to our software, vis a vi "love of open source".
Ergo, the otherwise contradictory systemic anomaly displays the emergent grotesqueries of our race, thus leading to the far slower acceptance of our source.

Uhhh, does anyone have any idea what I just said? cuz I sure dont...

Re:Cause and effect

[qtp]

Cause: The command "apropos" is used in unix.
Effect: The word "apropos" is used in The Matrix: Reloaded.

Cause of usage of "apropos" on /. : probably a little of both.

Re:Because of /.ing

[ptr2void]

suggestions yes no no no no conflicts yes yes no yes yes

Ahh, I understand...

How about just configuration hell?

[swb]

One of many things that drove me to FreeBSD from Linux was binary packages, specifically RPMs. I built enough stuff from tarballs by hand to know that outside of a few smaller sysutils, many things have a ton of compile-time configurables that aren't modifiable at run-time, such as config file locations, logging options and other sundries, not the least of which might be compiler optimizations, linking options and other things.

Mostly you have no idea what options the binary package builder chose. Some could be stupid, some could be 100% opposite of what you actually want. I always wished there had been a rpm --build-option that would have printed out a summary of the options chosen by the person building the package.

I eventually just took to unpacking SRPMs and building stuff myself, but even that became tedious.

AFIAC it's another bit in FreeBSD ports' favor. I can make extract, check out the build options tweak them and then install the application; a good combination between building it by hand from tarballs (and hoping autoconf or something works right) and accepting a binary that may have been built by someone like me...

Re:Binary packages: Security suicide

This is why debs are signed. Run MD5 on the deb you download and compare it to the one that Debian shows. If they're not the same, delete the package. Don't trust the Debian packagers? Then why the hell are you using their software?

Re:Binary packages: Security suicide

[phorm]

One of the biggest selling points of open source software is that it is precisely that -- open

Or you can choose not to and use a binary. It's about choice and flexibility, not my-way-is-best or "just trust me." I've had some cases where my compiled versions simply aren't quite up to snuff... either because my compiler version is off or other reasons - and the binary worked much better.

The whole my-distro, my-way is just going badly for all open-source. Really, if you have the skills and time to edit source, compile it, etc - go ahead. If you need something to run or can't compile, go binary. And as far as insecurity, don't trust something without a verified signature - even with source there could be something easily overlooked in thousands of code lines in a non-popular module

And hell, what your doing directly influences what you use.
My laptop? I don't really need the segregation of /var, /home, so I just assign it to /. Different on a server (having /var/log or /home spill into root or /usr is bad).

Servers, a lot of care going into what I put there, optimization, not binaries or precompiled kernels, mostly stuff from deb packages. I also use debian 3.0

Desktops... hundreds of 'em at work, all a mishmash of hardware. I'm looking at the beauty of knoppix or morphix and eying it as the successor to all those nasty win98 machines there.

Oh yeah, and even windows has a place... but that's getting smaller and is generally restricted to me games.

The deal on linux is choice and flexibility. It's not about not-using-windows, or a geeking competition, it's about using what you want and getting what you need. A lot of people tend to forget this.

Binary packages don't mix with source packages.

[arcanumas]

The article must be slashdoted because i can't get it.

The RPM/DEb ideas are really good. The main problem i have however , and don't really know how can be solved is combining binary packages with source code packages (eg. when you compile you own X). When the time comes and you want to update , let say Libc, then you will be unable to do so because the dependecies include almost every package.
Or when you compile a program that is listed as a dependency to another program , you can not install that other program because compiling from source code does not update the RPM database.

It seems that binary packages are only good when you stick to what your vendor offers you.

Using --nodeps is not the solutions because it defeats the whole idea of depencdency tracking.

Re:Binary packages don't mix with source packages.

[scrytch]

The RPM/DEb ideas are really good. The main problem i have however , and don't really know how can be solved is combining binary packages with source code packages (eg. when you compile you own X).

The FreeBSD ports system solved this a long time ago. Its dependency manager is based on make. It has a library of commands in sub-makefiles to check for things like libraries being installed, so for example when you install an app that requires qt, it checks for libqt.so using commands like ldconfig. It doesn't check for the package, it simply checks for the actual files that it depends on, and if they're not present, it builds and installs the port that contains the dependency. And ports are installed as packages and can be managed with the package manager. You get the best of both worlds. What's great about ports is that if you want to tweak something in the makefile, like options, or in the source, you just go into the source subdir, do it, then go back to the port and "make reinstall". You get your package built just the way you want.

RPM is capable of file-based dependencies instead of package-based, but the way RPM's have been managed, they typically don't (or they get it woefully wrong, as I've seen with RPM's looking for perl in a specific and wrong place, and not even trying a "which perl"). Thus you get the web of dependencies problem with RPM. debs are similar, but dpkg and apt manage them so well, there's rarely a real problem. There's a facility to build "fake" .debs, but it's pretty cumbersome to do.

When the time comes and you want to update , let say Libc, then you will be unable to do so because the dependecies include almost every package.

Library versioning is typically resolved by simply keeping the old version around and installing the new package side-by-side with the old one.

Re:Binary packages don't mix with source packages.

[runswithd6s]

Hark! What is this! I believe it is a person unfamiliar with the coolness that is apt-get and dpkg. Debian packages actually have a field called "Build-Deps:" that lists versioned dependencies on source packages. Yes, there is such a thing as a source package. In Debian, a source "package" is actually three files: the "original" tarball of the source code (*.tar.gz), the Debian Source Control file (*.dsc), and the patch file (*.diff.gz).

Building your own binary involves making sure your "deb-src" line has been entered in your /etc/apt/sources.list file and then running the following commands:

$ apt-get build-dep PACKAGE

$ apt-get source --compile PACKAGE

You can certainly keep up to date w/most of the packages you need by recompiling in your own custom environment. Pull a couple source packages and test it out.

P.S. You can get around with not having to use apt-get's source.list file if you download the appropriate files yourself. Then use dpkg-buildpkg from the build-essentials package to build each package dependency manually. You are definitely NOT locked in with Debian.

Re:counterproductive

[cdc179]

I don't see this as a problem. I personally am glad that there are many packaging systems. This gives me the freedom to use what I like best (deb).

If things were unified to one system your freedom would be taken away. It is surpassing on how many people are willing to give up this freedom.

One of the biggest advantages of the OpenSource movement is that the end user has many choices for just about every aspect of the system.

Live Free Or Die!

RPM is best because of the support

[yajacuk]

I have only recently come across the freshrpms.net site, and I have been amazed at the work that has been there. The site helps the user to find, from a list of supported packages, the most recently rpm packages available for their systems. This site along with rpmfind.net, and tuxfind.net is what makes the RPM packaging system so successful.

I have on the past thought about changing distros, from Red Hat to lets say SUSE, Mandrake, Conectiva, etc, but I haven't mainly because of their support (at the time) for rpm packages was not very good.

Is RPM the best solution for the person who is looking to install software on their Linux box? I have my complaints, but since when does the best solution for a problem is the one most suited for the job?

Where Is that Lib.

[ratfynk]

Problems with package formats is the endless failed dependancy problems caused between different distros. Take a simple little apps like Kmol, a good simple little mol wieght calculator, it will run fine if you use the usual sane kde lib paths and do not suffer from rpm obfuscation disease. So I just make darn sure I read the deps to ./configure --with before I compile from source. What I find rather disturbing is that good freeware is being made difficult to use by the constant path alterations by the major Linux distros RedHat and Mandrake. Another great example is Kstars a great fun astronomy app it runs like crap when installed in rpm binary format, but can really smoke with it installed correctly in KDE3 Slackware.

The constant changes, in path structure in RedHat even between close number releases is not a good thing. It is more akin to a Microsoft like tactic than sensible advancement of an OS.

Perhaps a killer app for linux would be a Pathmaker that reads dependancy requirements goes out and checks the install paths before you ./config. Similar to gdb but easier to step through. Then it could help identify and rewrite any path errors in the source for the user. If the software determines that you do not have a required library then it could help the user to install or see if installing it might cause havock.

The current state of free software for Linux is becoming more and more difficult for the ordinary user to deal with. A logical tool designed to help the ordinary user to use source would sure be great. There are great dev tools in Kde and Gnome but there is a severe lack of a sensible integated install tool for non-coding users.

Re:Where Is that Lib.

[N7DR]

Problems with package formats is the endless failed dependancy problems caused between different distros.

I concur, but not for the reason you give (paths changing from one distro/release to the next). What I have seen far to many times goes like this:

Package A says that it needs to update Package X from a.b.c to version a.b.(c+1). Package X for version a.b.(c+1) says that it needs to update Package Y from version d.e to version d.(e+1). And in next to no time, one is being told that one needs to completely reinstall KDE or the DHCP daemon or something else that is utterly unrelated to package A -- and is so fundamental to the system that there is no way that I'm going to change it just to install Package A.

I frequently wonder under these kinds of circumstances how many packages are lying when they see version a.b.c on my system and say that they really need a.b.(c+1). A lot of the time, I suspect that it's just that the person who built the package had version a.b.(c+1) and there is in fact no reason at all why the package wouldn't work under a.b.c.

The long and short of all this is that whereas I love the idea of RPMs, in practice I find them less than useful.

Re:Binary packages: Security suicide

[CoughDropAddict]

Why? A compiler is only a translator. How is the ability to translate an arbitrary C program into assembly going to aid an attacker? The attacker could just as easily precompile the program themselves.

Re:Binary packages: Security suicide

[DNS-and-BIND]

Compilers go on development boxes. Production boxes don't have compilers...why on earth would you need one? Don't tell me you're compiling code on a box that's in production!

Portage has binary packages too, kinda

[fo0bar]

While technically a "binary package format", Gentoo's Portage has a way to create binary tarballs of merged programs. However, this is not meant to be a way to distribute software to random users; instead it's for setups where you have a bunch of similar machines and want to compile once, install many.

When you merge a package, do "emerge -b package". It builds and installs the program like normal, then creates a signed tarball file that you can use to install on other machines. emerge can then take that tbz2 file and treat it as an alternative to the actual compile process.

What we need

[anshil]

is to distance ourselfs from the system V filesytem, and have each package installed in it's own dir, this would make things so much easier.

And instead of the old PATH environment variable idea, think of something new, how about a central file (with user modifyable sub-files) that contains a list of all binaries to be called by default.

Or about a package tree in the bash memory, that holds the information which binaries are callable... etc.

There are so much ways to get rid of PATH, and with PATH away, nothing speeks anymore against installing every package in it's very own directory, making administration and package management so much easier...

Re:What we need

[FooBarWidget]

But why do you even want each package in it's own folder? You launch an application using icons and menus, and that is all a user should have to know! Letting them know/decide where an app is installed to is exposing implementation details to them. They shouldn't have to know about implementation details. They should only have to know what it will work and that's it!

Re:What we need

[anshil]

Yes but also the admins should now where which is. And a root file system should be ablte to nicely spawn over disks.

With SystemV you can't install package XY on another drive (except you put it in /opt and making a symlink but you are violating the systemV structure)

You can hardly have two version of a package installed parallel, you can't simple delete a package without a the workouround of the package manager.

If a package would have it's own dir, all you need to deinstall the package is to delete this dir. Move the package?, just copy the dir. Have another version of the package just have to dirs parallel with other versioning names. etc. etc.

How simple everything could become.....

Re:What we need

[FooBarWidget]

"If a package would have it's own dir, all you need to deinstall the package is to delete this dir. Move the package?, just copy the dir."

If only things are that simple.

What about:
- Library search location
- PATH
- GNOME/KDE file associations
- .desktop files
- Sysvinit scripts
- Some more stuff I can't think of right now

Re:What we need

[anshil]

the only real problems are library search location and path.

I hoped that I've put up some ideas to think out of the box in my original post.

Everything else is a problem of KDE and GNOME, and only applied to KDE and GNOME packages, the two projects also have a way to think about that.

Again just an example how about a central software register tree instead?

Re:What we need

[FooBarWidget]

Ok but what about data files needed by the application or library? Read my other post for more details about this.

Re:What we need

[anshil]

Data files needed by an lirbrary/application lie in the folder of the lirbrary/application.

Yes you are right the user should not care. On modern system the low end user should not even care too much about a filesystem at all.

However admins and developer have to worry.

We have a logical software structure in mind. And we have a hardware software strucuture on the disk. Now why are both different? Why is the hardware structure not organized as we would draw a list of all installed packages on a paper? We think in packages, in catogories, put we create something different on disk for historical reasons. Things should be simply, and help our human style of thinking...

Re:What we need

[FooBarWidget]

That isn't my point. HOW is a library supposed to know where it's data files are if it doesn't even know where it's own .so file is?

Re:What we need

[anshil]

It should look up itself in the proposed package register tree.
(which could be a kernel feature)
The technology would be an improved environment.

Re:What we need

[Permission+Denied]

./configure --prefix=/opt/package/package-1.3 ...

cd /opt/package
ln -s package-1.3 default
find default/bin -type f -exec ln -s {} /usr/local/bin

The "default" link is so you can manage multiple versions of the same package.

In addition to /usr/local/bin, do the same for /usr/local/lib and you never again have to deal with "ldconfig", "ld.so.conf", "--with-whatever=/path/to/whatever", etc. Same with "sbin", "etc", "libexec", "include" and so on ("man" directories are a bit different but the same idea).

Next step is to put all the symlinking into a simple script which is run after installing packages or upgrading/downgrading (eg, changing the "default" link).

Been doing this for years - works great on all systems (Linux, Solaris, *BSD, even MacOS X). Things always compile right out of the box and you can maintain multiple versions of the same library if needed. Only problem is that occasionally a package author assumes that ${prefix}/bin already exists and does not create it on "make install" but that's pretty trivial to fix.

No need to modify the shell. If you start messing with PATH, you also have to start messing with MANPATH, setting different paths for superuser ("sbin"), and then changing your compiler/linker so "include" and "lib" work. And then you have to worry about stuff like "libexec" which contains binaries that may be called from different packages (eg, postfix/qmail/etc replacement for sendmail binary). Just use symlinks and everything just works.

It would be nice if the system were somehow "built-in" so it would automatically download and install dependencies prior to compile from some distributed mirror system (like ports), but that's probably asking for too much.

Zero Install

[tal197]

Zero Install

"The Zero Install system makes software installation not merely easy, but unnecessary. Users run their applications directly from the Internet from the software author's pages. Caching makes this as fast as running a normal application after the first time, and allows off-line use."

• No new commands to learn. All software in the world appears as part of your filesystem (/uri/...) and is cached on demand.
• Secure: nothing is run as root (only as the user who runs it), and GPG signatures can be checked automatically when upgrading
• Network efficient: only what is needed is fetched (no documentation or headers until you need them, then they get fetched automatically)
• Faster: no searching for resources -- everything is referenced by URI; only download package indexes per-site, not for the whole distribution.
• Easy to package for: just make your tree available via an HTTP server.
• No need for depends/recommends/suggests: whatever is needed is fetched when you access it.
• Easy to uninstall: remove anything you don't want from the cache at any time -- it will be fetched again later if needed.

Experimental, but give it a try. See especially the comparison with apt-get and the security model documents.

Re:Zero Install

[MntlChaos]

and you thought cross-site scripting was bad? now we have executables getting copied to your computer from god knows where (read 10 layers down in the dependency tree). now you have to worry about not only what program you are running, but every program it claims to depend on (etc, etc.). one word: ouch.

Re:Zero Install

now we have executables getting copied to your computer from god knows where (read 10 layers down in the dependency tree). now you have to worry about not only what program you are running, but every program it claims to depend on (etc, etc.). one word: ouch.

And this is different to any other packaging system how, exactly? If you run 'gimp', then you have to trust its authors. Whether they have created a dynamic link to another site, or copied-and-pasted the code in directly makes no difference to your security.

Location almost irrelevent

[devphil]

Most packages, including g++, configure themselves to run in one location, and they'll get confused if you move 'em.

Huh? No they don't. Most packages don't give a rat's ass where the binary is located. Historically, GCC was one of the few that did, and recent versions have changed that so that you can move the install tree around.

The remaining few packages that care are mostly just suffering from bad design. Fortunately, as you say, they usually pay attention to environment variables telling them where to look.

Here's a better writeup than what I can fit here, at sunfreeware.com. They've been repackaging open source stuff as Solaris-style pkg files for a long time, so they've good experience with these sorts of questions.

Re:Location almost irrelevent

[IamTheRealMike]

I wish.

On Linux at any rate, virtually an program that uses glade, or loads data files/artwork from an external file, will have paths hard coded into it by the C preprocessor at build time. Removing these hardcodings is a royal pain in the ass.

I'm hoping once we get a nice API and strong implementation projects will begin to deprefix their software with our library.

Re:Location almost irrelevent

[pmz]

On Linux at any rate, virtually an program that uses glade, or loads data files/artwork from an external file, will have paths hard coded into it by the C preprocessor at build time. Removing these hardcodings is a royal pain in the ass.

I've seen this, too, and along with hard-coded absolute paths throughout GNOME files and library .la files, it makes the Windows registry look pleasant by comparison.

I swear that somewhere along the line, open source took a really big step backwards with resepct to libraries and software configuration. There is simply no excuse for so many files to have absolute paths stuck into them (my GNOME 1.4 installation is absolutely a disgrace in this regard). If I had a nickle for each time LD_LIBRARY_PATH was completely ignored in favor of some assinine config file somewhere....

Re:I must be the smartest person on Earth

So smart you posted under the wrong story?

apropos?

[CaptainBaz]

I think you mean something different by apropos than I do.

Appropriate, perhaps?

</pedant>

InstallAnywhere

[dpoolman]

On the commercial side, the most common multiplatform installation tool is InstallAnywhere by Zero G Software. Great tool and certainly has its place along with native binary packages - I've seen tons of enterprise applications that install with InstallAnywhere.

what a day to post this

[joey]

I (author) am currently enroute to Norway, only found out I was slashdotted in the airport. I don't really understand why they posted it today, and not some time in the past 5+ years.. Anyway, I will respond to anything worth responding to sometime later.

uPM anyone ?

[theefer]

I'm surprised nobody mentionned uPM (u as 'micro') so far. I don't know this packaging system very well, but it was discussed on /. a few times IIRC. Seems to be part of uOS, but maybe it can be used on any distro (at least, I see an uPM ebuild on my Gentoo, so I assume this is true) ?

Does anyone have more informations to add about uPM ?

Re:Binary packages: Security suicide

> Why? A compiler is only a translator. How is the ability to translate an arbitrary C program into assembly going to aid an attacker? The attacker could just as easily precompile the program themselves.

...unless the attacker's computer doesn't have the same architecture as the target machine. Linux and the *BSDs all run on a wide variety of platforms; if you were making a max-damage virus, being able to transport the source kit to the targets and make the executable locally, regardless of architecture, would be a good feature.

Take it into context

[worldcitizen]

Considering that Joey Hess is a prominent Debian developer, it is not surprising that Debian looks like the winner.

More seriously, if I recall correctly (I think I saw this a few years ago being mentioned on debian-devel), this comparison was not meant to prove which packaging format is better, it is more like an ongoing self check within Debian on "what we're doing right/what others are doing that we should evaluate". Plain ol' healthy evaluation of your friendly competitors.

And yes, my favorite distro is Debian, after surviving the cultural shock of going through dselect the first time, now I won't accept anyhing less (maybe I should make a t-shirt design "I [debwhirl] dselect" ':)

Re:Take it into context

[Ziviyr]

after surviving the cultural shock of going through dselect the first time, now I won't accept anyhing less

Accept more,

grab aptitude,
learn aptitude,
love aptitude.

Re:Binary packages: Security suicide

[random_static]

plenty other people have already linked to "Reflections on Trusting Trust", so i won't duplicate their efforts. i'll just point out that:

(1) you're _trusting_ that the C compiler really is "only" a translator. unless, of course, you've verified the damn thing yourself, this may or may not be a safe assumption to make. more than likely it *is* safe, of course, but it would be better security to take no more on trust than you absolutely have to - which means, no more code on your important machines than necessary. does the machine need a compiler to do its primary task? if no, it shouldn't have one; useless code can have useless security vulnerabilities.

(2) how is it going to help an attacker? idunno. i don't want to find out, either. any attacker that got through *my* firewall will damn well *have* to precompile their own code (making sure to get all their dependencies right for the target system) then upload the binary, wasting that much more time and effort and bandwidth. this is *good* - it means attacking my system will be that much more work for them. i *want* it to be hard for the bad guys.

(3) sure, the blackhat can precompile and download his own binaries. what if i'm paranoid enough to mount all my "binary" filesystems RO, and all my writable ones noexec? probably a smart enough attacker could work around that too, but doing so without a compiler (or perl interpreter, or whatever else i'm masochistic enough to do without) will be steadily more of a PITA.

security in depth relies on several, independent security measures. each by itself may provide no more than an inconvenience, yet all together may be more trouble than it's worth for any attacker. removing gcc can be one such inconvenience. don't knock it until you've been exploited through it...

Bad Grammar

[Leon+Yendor]

The header said:"... Another reader sends in this guide to creating Debian packages which seems apropos here. " Apropos is not appropriate in this context. Surely what was meant was: Another reader sends in this guide to creating Debian packages which seems apt here.

apropos

[natrius]

Am I the only one who hates it when people use that word all over the place?

file dependencies

[TeknoHog]

This is why RPM has file dependencies, though its usage is up to the packager. For example, most RPMs require the file libc.so.6 but it doesn't have to be from the glibc RPM.

Always looking towards the past...

[sfgoth]

Todo.
* relocatable packages
* support for arch name in metadata, arch indep packages
* multiple version of the same package can be installed simultaneously (is this really a package format issue?)

Sigh. The guy has an entire section on how well "standard" tools can manipulate these file formats, as if the typical user has any desire to do home surgery on their software.

(Well, why shouldn't he? The typical linux user does want this level of control...)

But there, at the end, in the neglected "ToDo" section, are the real issues. Features that put the user in control of their software instead of the other way around. Is anyone ever going to write a package management system that addresses the needs of the user, instead of the sysadmin?

-pmb

apt-get and rpm

[TeknoHog]

apt is not tied to the deb package format. There is apt for rpm, but the lack of apt-gettable rpm sites is a problem. On the other hand, Mandrake has urpmi which is similar in functionality.

Pkg format

[xenophrak]

It is important to note, that for the PKG format (Solaris, etc) that System V does not define certain functionality, but the system vendor may include it. I know that Solaris does support ghost files, editable config files, virtual packages and boolean dependancies, but the chart doesn't reflect this.

Not that this helps out the Linux community in the slightest... ;)

I still think Apple's (NeXT's) App format is still the best. A complete archive including all features and bits of an app that can be moved around at will.

My .02

EPM does 'em all!

[printman]

My EPM software (http://www.easysw.com/epm/) supports the creation of software packages in multiple formats along with a common "portable" format that works on all systems.

Not new

[Ed+Avis]

Ah, this old chestnut. ISTR this comparison of formats was first mentioned on Slashdot a few years back.

I have to take issue with the 'usability by standard Linux tools' columns. RPM _is_ a standard Linux tool and it's easy to install it (or even just rpm2cpio) on systems that don't use it. Systems that don't use RPM would not be interested in RPM binary packages (maybe in source packages, but that's a consideration for only a few users). You might as well advocate making packages in .zip format because this is extractable on MS-DOS too; or storing all your images in xpm format because you can view it as a C header file in your text editor (urgh).

Re:Binary packages: Security suicide

[toomuchPerl]

there's no need to mention that you're an RHCE. Being an RHCE does not suddenly predispose you to knowledge about how to use Linux and RPMs. All the documentation is available on the web.

-malander
don't moderate, flame!

Re:Binary packages: Security suicide

[tzanger]

One of the main reasons I enjoy DEB binary packages which also do not have any of the bad issues you mention is this:

Dude, you can do that with _any_ distro with binary packages. I personally do it with Slackware.

wolfenstein ET installer

I don't know what format it's considered (.run file), but did anyone else install Wolfenstein Enemy Territory on linux? It seriously couldn't have been easier. I executed the file on Mandrake 9.1, a nice little graphic popped up with a logo telling me that I was installing the program, it gave me options of where to install the files to, whether or not to add an entry to the Kicker, etc.

This was the closest thing to a simple Windows installer that I've ever seen on Linux. Absolutely painless, n00bie friendly... exactly what Linux needs to assist in penetrating the desktop.

Re:Linux usability

[binford2k]

Now this whole episode took me a matter of hours. Whereas Windows would take me a whole 30 minutes to choose what I did/didn't want to install and then download my fixes.


Why didn't you just drop them all in a directory and execute rpm -Uvh * instead of manually installing one at a time? That let the package manager do what it does best . . .figure out the best way to install your packages.

As far as the 30 minutes on windows deal, on my Debian box I type apt-get update; apt-get upgrade and walk away. On my Gentoo box I type emerge sync; emerge -u world and walk away. Mandrake has urpmi that does the same thing, Connectiva has apt for rpm. If you would have looked, Redhat8 has an automatic updater that will do it for you. Shit, even Slackware has an automatic updater in the works.

Get your information straight before you bitch. Just because you can't figure it out doesn't mean it doesn't have that capability.

/usr/lib/rpm/rpmi

[r6144]

This file is usually statically-linked, and can be used instead of RPM to install packages in case of emergency.

no .sh

[taxtropel]

I was disappointed to see that there was not an included compaison of the .sh (or other script) wrapped packages (usually .tar.gz (.tgz) or .tar.bz2).

Re:Binary packages: Security suicide

[dissy]

> Dude, you can do that with _any_ distro with binary packages.
> I personally do it with Slackware.

I didn't mean to imply that only deb can do this. Just that its what I happen to use.
The parents post was claiming that building from source each time is the 'only way', which was what I was arguing :)

Re:Why get binaries

[agrippa_cash]

Half an hour was a guess. It was less than 3 for sure though. I have XP1700+ with 512mb of ram, so don't get too jealous.

Re:Binary packages: Security suicide

[UnixRevolution]

(p2 200 and the like)

That's quite a trick, since the slowest Pentium 2 made was a 233. Underclocking for longer hardware life? :)

Dependency in Slackware

[LinuxSneaker]

The developer of swaret (update utility for Slackware) and I have been working on resolving library dependencies when a user installs or upgrades tgz packages in Slackware. To make a long story sort, it works great. New release due out 13 July. Info at http://swaret.xbone.be.

Why it's not as important as you might think.

[mindstrm]

I've used many systems, and many package systems.. from old machines where there really was no concept of a package, to debian, with it's superb package management, and everything in between.

The only conclusion I've come to is this: The package format itself isnt' so important.. what matters is the whole system approach to packaging and distribution.

Take Debian. Everyone agrees, I think, that the debian package format, and apt, together make for a great system.. but that's because of the method of package distribution and tracking, not the packaging system itself.. that and the fact that it's fairly universal in the debian world. Several apt repositories make up basically all software available for debian... and it's a lot. SO the overall experience is "Great package management". It's not just about the format, but the people.. people know what's in the standard packages, and can refer back and forth to them, checking for compatability and whatnot. The overall appraoch to package management is what rocks.. not the binary format.

Look at OSX.. they have fink. Fink, if you don't know, is basically apt-get for OSX. Works fine, no problem... except, it puts stuff in it's own folder (/sw) and it doesn't necessairly know about apple stuff already installed.. it only tracks stuff that is in the fink repositories.
In other words.. it's useful, but it doesn't have the feel of a really great package system.. because the system itself isn't based on it.

People say "ports rocks" in bsd land... but why? Becasue it's superior? No.. just because it's a big collection of useful stuff that handles dependencies well. The actual package management system is extremely basic. But the system is more or less based on it, so it works very, very well.

Redhat.. is kind of a mess. Is it because rpm sucks? Heck no.. it's just because, well, the overall approach wasn't right.

OSX.. (yeah okay I'm a mac fiend now.. I admit it.). What package management? Apps tend to be one single file, which is a package containing all the bits and pieces. No real package management system to see what's installed or not.. and who needs it.. you can just go to the Apps folder and toss stuff in the trash to get rid of it. The system was designed to work that way. so it works really well. You don't say "Gee I wish the system tracked apps" because it's so very simple to get rid of them, and to ferret out any pieces they may have left behind, which is rare..

So overall... the complexity of the package management isn't as important as everyone sticking together on how things are going to be installed and removed. If everything works the same way, it doesn't really matter how sophisticated it is.

OOOOPS

[Allnighterking]

Couple of points.

He states that rpm is not unpackable by standard tools.
Can an experienced user, when presented with a package in this format, extract its payload using only tools that will be on any linux system? They can remember a few facts to help them deal with the format, but remembering file offsets and stuff like that is too hard.

First problem I have is with the "any linux system" Ummmm I've a Linksys router running Linux that can't do jack with any of these. Next an RPM is actually a cpio archive rpm2cpio is actually just a tool to shortcut what is doable with cpio. This applies as well to all of the "standard tools" statements. I also would like to point out that standard depends on which standard you use. Posix, LSB etc. In that rpm is a standard of LSB but not of Posix.

His statement that binary programs are not allowed.
Must these programs be scripts, or can compiled binaries be used as well?

This is very, unclear. Can I execute a binary from within rpm. The answer is yes. I do it all the time. Can RPM be made directly from binaries (skiping all of the build etc.) Yes it can. Can I embed the binary in the RPM and not have it ever get installed... no. But I can run it then remove it before RPM finishes.

Suggestions ... he states that RPM doesn't have them.
A suggestion says a package may sometimes work better if another package is installed. The user can just be informed of this as a FYI

This is really the fault of the packager not of the product. There are two areas for comments which can give you this kind of data ... but it's up to the packager to use the tool. Second the author needed to get a little deeper into rpm's queryformat (info here) He would have found much of what he needed.

Statement that RPM can't do Boolean Relationships.
This means that a package can depend, conflict, etc on a package AND (another package OR a third package). Any boolean expression must be representable, no matter how complex.

RPM does have the conflicts and the depends paramaters that can be set. Once set you can't install a without b and c, plus removing y and x.
HOWEVER he is very right about the boolean "or" being missing... I've been championing this one for a while (I've talked with some of the developers.) but it seems it hasn't up till now been high enough on the horizon to have someone take a shot at it. (Sorry but it's beyond my ken to work on this personally) So I will keep politely advocating this until it does break the plane of need.

New Section

Sorry but this stament is just too nebulous. It's been coping with the unforseen for years. Just as debian has. That's why it get's upgraded. That's in fact a lot of the reason for the new version coming out now. To make the format more modular. and easier to mutate as times change.

All and all the article seems well done. However I'd say the chances are pretty strong that the author is a Debian fan. My personal recommendations would be. One lose the subjective nature of a number of statements. Next, when doing research be careful how you ask a question. Often times asking "Can this product do X" will yeild a no. But if you ask .. On a system that uses this product how do you do X" will yeild a completely different answer.

I'd give this article all in all a 6 on a 1 to 10 scale for research. a 3 for new info. and a 7 for layout and style.

Re:Binary packages: Security suicide

[dissy]

$ cat /proc/cpuinfo
vendor_id : GenuineIntel
[snip]
model name : Pentium II (Klamath)
cpu MHz : 233.869
[snip]

Doh, i guess you are right!
Dunno where the 200 number stuck in my memory from.

Re:Binary packages: Security suicide

[lars_stefan_axelsson]

A well-hacked program will be completely invisible to you, as well. Your grep methodology is too simplistic to catch any sort of sophisticated trojan. Even if you were to laboriously go through the code, line by line, you still wouldn't catch anything but the most obvious of hacks/problems.

Here it would be fitting to point the original poster to Ken Thompson's Turing award speech, Reflections on trusting trust.

To quote:

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

Re: FYI, installing RPM's on Debian

[raboofje]

Debian includes the 'alien' tool which:

Alien allows you to convert LSB, Red Hat, Stampede and Slackware Packages into Debian packages, which can be installed with dpkg

Not sure how well it handles dependencies and such, though.

Re: .deb and the port collection

[raboofje]

It's interesting to see how similar the .deb system is to the FreeBSD Ports collection, if you look beyond the details.

Useless article

[craig2787]

They didn't review FreeBSD's, one of the best there is. What a fucking waste of time.

Re:Useless article

[jo42]

That's because the Linux f'g-boys have their heads up Linus' backside...

Re:Why gentoo reference binaries weren't covered

[raboofje]

... is that this article was writtin 5 years ago. I don't believe Gentoo really existed back then :).

Re:Binary packages: Security suicide

[jaywee]

No, YOU are the illiterate here.

In case kiddie doesn't find gcc on the system, kiddie easily compiles binary on different system (although i agree that in case it's some less popular platform, it would be a bit harder).Then kiddie uploads the code to your server via something like netcat or even copy&pastes(!) base64 encoded binary.

And no, deleting uudecode won't help either - it's trivial to write some decoder in your favourite shell...

pkg format

[Pflipp]

I'm somewhat amazed that there used to be a standard package format for SysVr4, which I think many Linux distros model after. Why is it historically so that every distro seems to need its own package format, instead of adapting towards the standard?

Problem is a bit bigger than that

[FooBarWidget]

I'm one of the developers of the Autopackage project, and we have bumbed into the relocateability problem since Autopackage allows user (non-root installs).

In Linux (dunno about other Unices), there is one way to tell where the application's binary is: by dereferencing the symlink /proc/self/exe. However, this only works for applications, not for libraries. We still haven't found a solution for libraries, so for now we are using a "semi-hack" solution called libprefixdb.
Using a shell script is another solution (since shell scripts can find out their own location), but too only works for applications.

Personally I don't understand what's the big deal about AppFolders. How do you want to handle dependancies? I don't think that shipping all dependancies in the app folder is a good and efficient solution. That'll make us no better than Windows apps which also ship all their dependancies.
And second, why should the user even care about where an app is installed? They launch the app using icons and menus, and that's the only thing they should have to know! Letting them know where the app is installed to is exposing implementation details. Users shouldn't have to know about that (unless they're programmers or something).
And installing each app in it's own folder would require 200+ entires in your PATH variable and /etc/ld.so.conf! I don't think that's a good thing.

Re:Problem is a bit bigger than that

[mamas]

>And installing each app in it's own folder >would require 200+ entires in your PATH >variable and /etc/ld.so.conf! I don't think >that's a good thing.

Why doesnt it work out as ldconfig?
Each program would be installed into a seperate folder, and there would be a tool that would manage symlinks into /usr/bin and stuff. that way you dont get the 200+ entries in your PATH and ld.so.conf.

Re:Problem is a bit bigger than that

[FooBarWidget]

"Why doesnt it work out as ldconfig?"

Because it doesn't work with non-root installs. We'll have to append lots of paths to LD_LIBRARY_PATH for that.
I *think* that ld.so can handle 200 entries in ld.so.conf but 200 entries in PATH is just inefficient.

And of course there's always the relocateability issue. Let's take GTK+ for example. My libpango-1.0.so is installed in /opt/gnome22/lib.
It loads modules from /opt/gnome22/lib/pango/1.2.0/modules dynamically.
Let's say I move Pango and all of it's other files to a new prefix, /opt/pango. How is Pango supposed to know that the modules are in /opt/pango/lib/pango/1.2.0/modules? There's no way to find out libpango-1.0.so's location automatically.

"and there would be a tool that would manage symlinks into /usr/bin and stuff"

Which kind of defeats the point of installing each app to it's own folder? I thought the primairy reason why people would want that is is reduce clutter in /usr/bin or something. Symlinking like this only adds more to the clutter.

Re:Problem is a bit bigger than that

[mamas]

>Which kind of defeats the point of installing each app >to it's own folder?

Well the way I see it, it wouldn't be clutter. It would be lots of links automaticaly managed by some tool. When you remove some program, by deleting its directory, you would run the tool again to remove the leftover links, just as you manage libraries with ldconfig.
To make this work we would have to let ldconfig handle scan directories recursively. Then you would point LD_LIBRARY_RECURSIVE_PATH to this directory. For example, imagine that all programs are installed under /opt
This tool would recursively look for executables and place links, in say, /apps/bin.
ldconfig would descend recursivelly to /opt and place its links in /apps/lib.
of course then you would have to add ignore path options to ld.so.conf.
for relocatibility, isn't it possible to know the path of the executable? ex: /apps/lib/libpango-1.0.so.0 would point /opt/gnome22/lib/pango/libpango-1.0.so, so the lib or app could know that its real path is /opt/gnome22/lib/pango and use it.

This would allow a program to find its resources too. Like configurations and images.

I guess my idea fails somewhere, I just dont see where...

Cheers

Re:Problem is a bit bigger than that

[FooBarWidget]

What about multiple versions of the same app/library?

Re:Problem is a bit bigger than that

[mamas]

How do you handle it now?
Suppose two versions of the same app.
If the executable name is the same, one of them must be given preference in the path, or you execute it directly. Say, /usr/bin/kate or /usr/local/bin/kate.
In our case, during the link contruction by this app we are talking about, if the tool is pointed to /usr to construct the links, a conflict would appear, and it would have to be solved. It would give a warning and choose the first one, or would give an error and expect the user to do something. Maybe a central file would contain those resolutions. I havent thought of the best way for that, but it isnt complicated.
If we are talking about libraries, well, I think the concept discussed above can be extended.
I mean, in my idea, you would have to manage conflicts, that only happen if you have multiple versions of the same library.
Say ldconfig descends /whatever/lib/ and is putting links in /apps/lib and finds two versions of lib libsomething.so.4.1, It would generate a warning and depending of configuration, abort and wait for the user to solve the conflict, or just choose the first one or whatever.
Well, if this happens, you most likely are a developer, and must know how to solve the conflict. Normal users dont have two versions of the same library.
But why would you put the same library twice under the same path that ldconfig would descend to? If could just put the library somewhere else, say /opt/cvs/lib/{whatever} and make ldconfig descend it and put links in /opt/lib
and in ld.conf.so you would put the /opt/lib higher than /apps/lib.
Come to think about it, it would be exacly the same with binaries.
Any comments?

ESP Package Manager Write-up

[lpq]

Might want to check out the ESP Package Manager. It seems to be able to generate output for multiple 'single package systems'. I just stumbled onto it while looking for more info on packing options. Haven't used it but it does make for a good/polished presentation...If the software is half as good...:-)

-l

Re:Binary packages: Security suicide

[UnixRevolution]

It could be the P1 and Pentium Pro. Pentium Pros came in up to 200MHz, and original pentium topped out at 233.

Re:Binary packages: Security suicide

[Crazy+Eight]

Don't forget to write your own assembler first using "echo 'crazy_acsii_codes' > hand_made_binary".

He doesn't even have his facts straight

[srussell]

I can't (or won't) comment on his mistakes with other file formats, but he's apparently pretty ignorant about .tgz.

First off, the entire "metadata" section is FUBAR. tgz isn't a package management system; it is a packaging system. Something like portage is needed on top of it; comparing tgz to rpm is like comparing yaml to jabber. Therefore, entire sections in this "comparison" should be marked N/A, not "no".

What this with "documentation file specially marked?" tar tzf | grep. Duh.

Oh, and tgz files are indeed recognized by file.