Debian 3.0r2 Released
FrankoBoy writes "As announced on DistroWatch, Debian 3.0r2 has been released this weekend, with some security issues fixed... and Rock 'n Diamonds dropped because of license problems. Here's the official announcement. This release had been slowed by an attack on Debian boxes discussed Friday."
meeples. yeah.
Even when the story was in the mysterious future.
Does somebody know what the issues were with rocks'n'diamonds?
Make even shorter URLs - 8LN.org
THERe I sauid it, mnonnon has not onoww11
Slackware > Y00r distruibiton.
The classic essay on "worse is better" is either misunderstood
...was described as a Slashdot Article.
ownz yo' ass!
Does it include rootkits installed by the people that hacked all their distro servers the other day?
Christ, Microsoft's security servers have never been r00ted, yet Linux is supposedly more secure? LOLz!
debian rocks. i can't think of any other linux distro that has been around so long and consistently delivered a great base install and the ability to easily update the entire system. i know a lot of people like to complain about how behind the times debian always is, but this is only done to ensure that each release is as stable and bug-free as possible. the debian developers should be commended for all of their hard work that they've put in over the years, especially in the face of adversity such as the recent security breach.
Disclaimer: Don't get me wrong, I love Debian, I use it on my Apple Macs all the time, a user since Potato in 2000.
That we can get some up-to-date software in Debian. Even Unstable is out of date. For example, Gnome 2.2, SodiPodi 0.31, OpenOffice 1.0 are still in Debian unstable even though their new versions have been out for MONTHS. Hopefully Debian will get some new maintainers soon.
Way to go guys :-)
:-)
This is the first-ever Debian I'm going to download and try out. I figure I ought to be able to get to know it as well as I know RH before the RHN support is switched off next year.
It's not that I've decided to ditch RH - I may just cough up for the new RH packages, but I'd like to know what my options are
Simon
Physicists get Hadrons!
Gentoo Linux is an interesting new distribution with some great features. Unfortunately, it has attracted a large number of clueless wannabes who absolutely MUST advocate Gentoo at every opportunity. Let's look at the language of these zealots, and find out what it really means...
Gentoo makes me so much more productive.
Although I can't use the box at the moment because it's compiling something, as it will be for the next five days, it gives me more time to check out the latest USE flags and potentially unstable optimisation settings.
Gentoo is more in the spirit of open source!
Apart from Hello World in Pascal at school, I've never written a single program in my life or contributed to an open source project, yet staring at endless streams of GCC output whizzing by somehow helps me contribute to international freedom.
I use Gentoo because it's more like the BSDs.
Last month I tried to install FreeBSD on a well-supported machine, but the text-based installer scared me off. I've never used a BSD, but the guys on Slashdot say that it's l33t though, so surely I must be for using Gentoo.
Heh, my system is soooo much faster after installing Gentoo.
I've spent hours recompiling Fetchmail, X-Chat, gEdit and thousands of other programs which spend 99% of their time waiting for user input. Even though only the kernel and glibc make a significant difference with optimisations, and RPMs and .debs can be rebuilt with a handful of commands, my box MUST be faster. It's nothing to do with the fact that I've disabled all startup services and I'm running BlackBox instead of GNOME or KDE.
...my overclocked AMD eMachines box from PC World, and apart from the third-grade made-to-break components and dodgy fan...
You Red Hat guys must get sick of dependency hell...
I'm too stupid to understand that circular dependencies can be resolved by specifying BOTH .rpms together on the command line, and that problems hardly ever occur if one uses proper Red Hat packages instead of mixing SuSE, Mandrake and Joe's Linux packages together (which the system wasn't designed for).
All the other distros are soooo out of date.
Constantly upgrading to the latest bleeding-edge untested software makes me more productive. Never mind the extensive testing and patching that Debian and Red Hat perform on their packages; I've just emerged the latest GNOME beta snapshot and compiled with -09 -fomit-instructions, and it only crashes once every few hours.
Let's face it, Gentoo is the future.
OK, so no serious business is going to even consider Gentoo in the near future, and even with proper support and QA in place, it'll still eat up far too much of a company's valuable time. But this guy I met on #animepr0n is now using it, so it must be growing!
Hallelujah!!!!
What a shame, I originally found that game on Mandrake 8.1. It's really quite good. Even if it's going away, there is still gnome stones, which is similar. Find it in the gnome games pack. While I don't use Debian, it's quite a shame that Debian seems to be removing this game. Apt-get (or urpmi it if you use Mandrake) it while you can!
The hack attack from last week (as cited in the write-up) could have grave effects on Linux servers worldwide if you don't check the MD5 summations against your downloaded packages.
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
Why are they releasing 3.0r2 now? Aren't they going to release 3.1 on December 1st? Has sarge been set back?
apt-get update
apt-get upgrade
Long live Schrodinger's cat...
http://www.wiggy.net/debian/
I guess the server's slashdotted, so what do they mean by license issues? Is it no longer free enough or what? I thought that vrms was supposed to do that for people that want it instead of removing packages entirely. This sort of stuff is my major problem with Debian. I don't like being limited by politics.
Is a hoard of Debian Zealots trying to convince you to switch. I'm here to pre-empt them.
First of all, Debian has the most out of date software packages of any major mainstream distro. Even in the unstable version, there is KDE 2.2 and Gnome 2.0, with XFree86 4.1 (a version that really sucks).
Secondly, it's a pain in the goatse to set up. First of all, you are forced to use Kernel 2.2, which is horribly hacked with "backports" to get any use on any modern machine (read: made after 1999). Good luck memorizing all the *.ko files in /lib/modules, as you are going to need it.
Configuring XFree86 is hell! If you don't have a thick X11 O'Reilly book, and a list of your horizontal sync values from your monitor's instruction manual (if you even have one), BOOM! There goes your monitor.
Even then, good luck getting anything over 640x480@16 colours.
The most common response to help questions on the Debian mailing list is "n00b, READ THE FUCKING MANUAL, you idiot, go back to WINDOWS XP if you can't learn to use dselect". True too, search the archives if you think I'm lying. Other distros give you comprehensive PRINTED MANUALS, PHONE SUPPORT and/or friendly forums where replying RTFM gets you banned!
Debian has ZERO support for any decent hardware, including USB mice, scanners, sound cards; heck, even serial devices struggle. If you can even get 80x25 text mode with PS/2 input devices you are really lucky. With Mandrake 9.2, I can just plug in my digital camera, and an icon appears on my desktop, it just works. With Debian, I would have to recompile my kernel, mount the device using an obscure USB module, and even then, there is no guarantee that an icon will appear on my desktop, I will have to mount it from the command line.
Apt-get has many flaws. First of all it uses a non-standard package format (the rest of the world uses RPM, deprecate the DEB format!), has broken repositories, and out of date software to install.
And if you think I'm joking about this, find out why THOUSANDS of Debian users are switching to REAL distributions. Debian is falling to pieces; if it is to survive with any market share it will be through its superior forks (Xandros, Lindows, K/G-noppix) and unofficial package repositories.
Don't get me wrong, I love Linux, and I'm happily using distros such as Mandrake, SuSE, Gentoo and Fedora. But I'm sick to death of zealots that push obsolete distros on me EVERY FREAKING TIME A DISTRO is reviewed. I'm speaking from real world experience here. My old Packard Bell monitor caught fire because of Debian!
P.S (This is not a troll, its insightful flamebait!)
This is something that most users do not do.
if you do not know how to do it, simply use the md5sums program on the files you download and compare the output to those given by Debian members
Thank you for your support.
Is this truly the only Earth I can live on?
was caused by this... This release had been slowed by an attack on Debian boxes discussed Friday.
just some info for those playing at home.
Manipulate the moderator system! Mod someone as "overrated" today.
There are security vulnerabilities in mah-jong.
I must say, those folks at Debian really do their jobs. I personally can't stand using Debian, it just doesn't agree with me, but if I ever need a damn stable server, I'm glad there are people out there looking at the security of mah-jong.
From the Debian 3.0r2 Changelog:
"Rocks-N-Diamonds contains sound, graphics and level data which
violate section 2.3 of the Debian policy manual. Some of the
game content originates with commercial sources that have not
provided explicit permission for their reuse."
BTW, aspell was also removed due to license reasons.
aspell - license problems
cyrus-sasl2 - minor security and other problems
micq - license problems
rocks-n-diamonds - license problems
tmda - unusable
SCO will be furious cause they forgot
Linux Kernel - license problems
thats so true.
what was the last RedHat distro to ship with a 2.2 kernel by default?
We should be able to take that one down as well.
Help fight continental drift.
Forgive my ignorance but I have a curious question about debian.. is there an unstable distro of debian out there (iso) that has all the latest packages like gnome 2.4.1, kde 3.1.x, etc. It would be nice to have a weekly iso with all the up to date packages.
-----
"I cant teach..... Im a Professor!"
Are you UNCIRCUMCISED?
Then you should FEEL dirty and ASHAMED! How can you have that aardvark hanging between your filthy puke inducing crotch when there is a treatment for the UGLY DICK condition? That's right, as a Linux chick I can't count the many times I've encountered this DIGUSTING problem.
Linux Guys are VERY GROSSLY uncircumcised do to the fact that the leaders of this movement are not. Linus "long foreskin" Torvalds and Alan "uncut" Cox are PRIME examples of ugly SMELLY SMEGMA dick. I suggest that we take up a collection and CIRCUMCISE these guys.
Until this is done, I'll only use GPL software from properly circumcised and beautiful cocked men like RMS. So NO Linux kernel for this HOT GPL chick..only the HURD until these filthy uncircumcised Linux guys get the operation and become clean.
I wonder if they have updated XFree86 since 3.0r1?
Choice: Debian 3.0r1 stable with XFree86 4.1.0 or RedHat 9 stable with 4.3.0 - ooh it's so hard to choose... NOT!!!
There was no reason to moderate this post down.
The fact is that Debian *was* compromised, and unless you are a zealot who thinks that Linux is unhackable and you can blindly trust these packages, you should be checking their MD5s.
He wasn't suggesting that you don't use Debian or don't use Linux, he was just merely providing some common sense advice.
I would suggest following the instructions on the debian/kde wiki for installing 3.1.X on Sid -- you have to install one package manually and then the rest go like clockwork.
501 Not Implemented
no yuo!
The other nice thing about Knoppix is that it is very easy to try out, and it also makes for a very painless Debian installer. I use it all the time to install Debian Unstable onto x86 desktop machines (see knoppix-installer in /usr/local/bin). I've been a Debian Developer for several years now, and I've pretty much switched over to using Knoppix for all my installation needs.
I hadn't realized how incredibly limiting some distros were until I decided to install Fedora on a friend's box. Comfortable with Debian, and knowing about Fedora's apt wannabe yum, I figured installing packages would be a cinch. Wrong.
Let me clarify: installing a package in Fedora via yum is identical to apt-get, but the range of packages is very different. Quickly I realized everyone using the large commercial Linuxes is stuck with a very small repository of software.
I really took for granted how great apt-get(ing) all my software really is. Before a few days ago I never would have imagined that to install something as common as Mozilla-Firebird I'd have to go and find some website that offered an rpm, which made me incredibly nervous (one thing about rpms I did remember was that mixing them can cause a lot of dependency issues).
Say what you must about Debian, but you can't ignore that it has one of the slickest methods of installing software and updating the system. Furthermore, as all the software comes from a trusted repository, I know it's most likely going to work perfectly with all my other packages.
transmission_err
Aspell is GNU software, available from ftp.gnu.org, and licensed under the LGPL. Is LGPL no longer free enough? Or is this about the use of the GFDL for some of the documentation?
In any case, removing important GNU software seems a bit over the top.
Help test apt-secure.
Belief is the currency of delusion.
In response to "DOH!! correction"
No, the release was not delayed so that security fixes could be put in it. The release was delayed, but the security fixes in it are not related to the cracking of the Debian file servers. Some rumors say the reason was password compromise, but I still don't know for sure what the reason was.
Anyway, the delay was because when you get your file servers cracked, that should be your first priority. They had the release ready before they were cracked.
Click to get more (recent) information about the crack/compromise.
/Spam .
apt-get is telling me to update about a dozen packages, most of which are listed on the update page. Two of the packages apt-get wants me to upgrade---bsdutils and mount---aren't in the list. Anybody know what the deal is?
I guess I'm just a little skittish because of the whole compromise thing.
My Web Page
Last year the big thing was Gnome 2, the year before that was the arrival of better GUI distro installers. I have yet to find anything that I am excited about this year. And don't give me Kernel 2.6 - I have been running it since test 2 and stay current weekly, I don't see any drastic (if any) desktop improvements. What are people getting excited about nowadays?
I thought the same thing that you did -- Redhat terminating support for RHL meant that I should get to know another Linux distribution, and Debian seemed popular, so I tried Debian Woody on my new desktop box...for about two days.
The problem is, by all objective standards, Woody is significantly behind Redhat, SuSE, Mandrake and Yellow Dog (all distributions that I've used extensively) in terms of usability. As others will attest, it's often a nightmare to get Woody installed and configured on a machine where Redhat or Mandrake will Just Work (tm). In many ways, using Debian felt like I was using Slackware circa 1998. Too much reinvention of the same old wheels. And don't even get me started on the documentation or community support -- I'm a very technically adept guy (I've been using Linux since 1995), and I find the technical support attitude that surrounds Debian to be...well, elitist, to say the least.
That said, this is a new release, so maybe things have changed completely. But if you're like me, and you have to get work done that doesn't involve futzing with config files and kernel modules, be very wary of Debian. (Not incidentally, Fedora is a very nice distribution, and it supports apt too....)
Let's try not to let fact interfere with our speculation here, OK?
As mentioned in another comment, Wichert Akkerman has set up a page explaining the current situation at http://www.wiggy.net/debian/
Notice that you will not find a note on the www.debian.org web server, since until all the servers are restored and back online a public note (giving more details than the previous announcement) is being postponed. Also, the infrastructure used to build the web site (English + all the translations) is part of the compromised servers.
Is it possible to run a desktop Debian system using Gnome 2.4 and other more recent packages(openoffice 1.1, mozilla 1.4, samba 3) without having to track unstable?
First, look e.g. to
ftp://ftp.debian.org/debian/dists/woody/main/binary-i386/Packages
There you find the packages in main for i386, each with an md5sum, e.g.:
Package: 3dchess
[...]
Filename: pool/main/3/3dchess/3dchess_0.8.1-9_i386.deb
Size: 31466
MD5sum: 03cdc2c944551aa3ecdd0d3979071e77
[...]
With that you can check the file itself. But how do you know this md5sum is correct? For that you look into
ftp://ftp.debian.org/debian/dists/woody/Release
and see size and md5sum of main/binary-i386/Packages
But why is this file correct? For that you look at
ftp://ftp.debian.org/debian/dists/woody/Release.gpg and voilà, you know it comes from a Debian server.
It's a pity a standard apt does not handle this. But apt was a step backward for many nice things within Debian...
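The chain described in the comment above (Release lists the MD5 of Packages, Packages lists the MD5 of each .deb), as an added example that is not part of the original post. It assumes the detached signature has already been checked separately with `gpg --verify Release.gpg Release`; the package name `examplepkg` and all file contents are constructed sample data.

```python
import hashlib


class VerificationError(Exception):
    """Raised when a link in the Release -> Packages -> .deb chain fails."""


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_release_md5(release_text: str) -> dict:
    """Return {path: (md5, size)} from the 'MD5Sum:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line[:1] in (" ", "\t"):
            parts = line.split()
            if len(parts) == 3 and parts[1].isdigit():
                entries[parts[2]] = (parts[0].lower(), int(parts[1]))
        else:
            in_block = False  # any other top-level field ends the block
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: {field: value}} for each stanza of a Packages index."""
    index = {}
    for stanza in packages_text.split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()  # continuation line
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def check(data: bytes, want_md5: str, want_size: int, label: str) -> None:
    if len(data) != want_size:
        raise VerificationError(f"{label}: size {len(data)} != {want_size}")
    if md5_hex(data) != want_md5.lower():
        raise VerificationError(f"{label}: MD5 mismatch")


def verify_chain(release_text, packages_path, packages_bytes,
                 deb_filename, deb_bytes) -> str:
    """Verify Packages against Release, then the .deb against Packages.

    Assumes release_text was already authenticated via Release.gpg.
    Returns the package name on success.
    """
    release = parse_release_md5(release_text)
    if packages_path not in release:
        raise VerificationError(f"{packages_path}: not listed in Release")
    check(packages_bytes, *release[packages_path], label=packages_path)

    index = parse_packages(packages_bytes.decode("utf-8", "replace"))
    stanza = index.get(deb_filename)
    if (stanza is None or "MD5sum" not in stanza
            or not stanza.get("Size", "").isdigit()):
        raise VerificationError(f"{deb_filename}: no usable entry in Packages")
    check(deb_bytes, stanza["MD5sum"], int(stanza["Size"]), deb_filename)
    return stanza.get("Package", "")


def build_sample():
    """Constructed sample data: a stand-in .deb, its Packages entry, a Release."""
    deb = b"!<arch>\nconstructed stand-in for a .deb payload\n"
    packages = (
        "Package: examplepkg\n"
        "Version: 1.0-1\n"
        "Filename: pool/main/e/examplepkg/examplepkg_1.0-1_i386.deb\n"
        f"Size: {len(deb)}\n"
        f"MD5sum: {md5_hex(deb)}\n"
        "Description: constructed sample entry\n"
        " second line of the description\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: stable\nCodename: woody\n"
        "MD5Sum:\n"
        f" {md5_hex(packages)} {len(packages)} main/binary-i386/Packages\n"
    )
    return release, packages, deb


if __name__ == "__main__":
    rel, pkgs, deb = build_sample()
    name = "pool/main/e/examplepkg/examplepkg_1.0-1_i386.deb"
    print("verified:", verify_chain(rel, "main/binary-i386/Packages",
                                    pkgs, name, deb))
```

A Packages file rewritten to match a modified .deb is caught at the first step, because its own MD5 no longer matches the signed Release.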
And while you're at it, be sure to check out <insert favorite distro here>.
I've settled on Gentoo as my distro of choice...while it may not be as stable as the release versions of Debian..that's only because Debian takes forever (for good reason!).
But portage is truly a thing of beauty.
But not to turn this into a Gentoo advertisement, way to go Debian!
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
7.0.
Forgive my ignorance. I am new to Debian, having just been spurned by the people at Red Hat.
I see what you're saying, and while I would be happy with Jigdo, I would think that Debian and the mirrors would rather we use BitTorrent. It saves them bandwidth, and I get my ISO's without further fuss.
But I do see what you're talking about now. Jigdo does seem very nice.
Is this truly the only Earth I can live on?
Said he's got a "cash flow" problem and needs it "like yesterday".
Promised the license "soon".
of course! that is one thing we will always be looking forward to!
> "I allege that SCO is full of it" -Linus
I switched to Debian several years ago after reading a Slashdot article announcing a new Debian release. I had already moved from Slackware to RedHat before that, and was never really impressed with the latter. I fell in love with Debian right away, and was always impressed with the project's desire to do things right.
;-)
Debian has its own ways of doing things, and as with any other distribution, you will be more productive if you learn and conform to these conventions rather than fighting them.
I wonder how many people will give Debian a try after reading this article. Hopefully those who do will find the experience as rewarding as I have
And it's been a joy. D.E. agnostic, it actually lets you package/install or source/compile what you damn please, with none of that crappy SuSE YAST2 uber-automation-9GB-/ absurdity, or Disappearing-RH-distro-commercialism.
If ya like hands-on Linux but want software from this century it's Slackware all the way. (Just don't go into alt.os.linux.slackware. It's brutal in there.)
Not to sound like a troll, but I think Debian is finished for the non-hacker/hobbyist and here is why.
* Debian has gone from being overcautious to out of date. 3.x is still on the 2.2 kernel by default. Other distros are on 2.4 and looking to 2.6 already. The packages have the same problem.
* I hate to mention it, but I have to. The installer sucks. No business is going to roll out a distro as complex and time consuming as Debian's install.
* Appearance. Suse / Red Hat look more like professional distros from start to finish.
Actually, it ships with a number of different 2.4 kernels also. If you do nothing but keep hitting the enter key, you will get the most conservative install possible (with a 2.2 kernel). If you read a paragraph or two of documentation or the install help screen, it will tell you how to select a kernel. Also, the different CDs in the set are all bootable, and use different kernels to start the install if you want to do it that way. If all else fails, and you install a 2.2 kernel, type apt-get install kernel-image-# and you should be ready to go.
# vi /etc/apt/apt.conf
APT::Default-Release "unstable";
APT::Cache-Limit 10000000; Apt::Get::Purge;
# apt-get update
# apt-get dist-upgrade
Hope this helps. If you don't quite want the cutting-edge-ness of unstable, use "testing" as the default release.
C'mon moderators, I thought AC's comment about the Slashdotting of the Debian server being the second attack was rather witty.
(nt)
packages.debian.org is down just now, but X 4.3 is available there. You'll need to add it to your /etc/apt/sources.list
http://packages.debian.org/experimental/
You might even find a woody backport by performing a search on apt-get.org
Good luck
the 'unstable' 'stable' and 'testing'
names are symlinks for one of the named
debian distributions.
woody is currently the stable version.
the stable version which will usually have
slightly older software, but because it's been
tested for a much longer time
it's better to use on business servers.
sarge is currently the testing version.
it should probably be for workstation/home use.
the packages are newer, but not as bug-free.
while it could be used in a production environment,
stable will always be a safer bet.
as the stable version, woody gets mainly
security updates. at some point, sarge
will become well tested enough that
woody will be retired (like 'potato' before it),
and sarge will become the current stable branch.
a new fork will be created at that point,
and become the new testing version.
'sid' will always be the unstable branch of
debian. you don't want to use 'unstable'.
it will almost always have the newest
software versions, but they will probably
break your system. if you see something you
like, download it singly, don't install
sarge to get it.
in short...
get sarge/testing to try out debian.
if there's problems, or you want older
more tested software, get woody/stable.
if all you want is problems,
for your own mind to solve,
get sid/unstable.
ARgghhh they removed... oohhh hold on... *snigger* i dont use the debian sources for this :)
:)
deb http://www.micq.org/deb/ stable main
Also i do update my install every now and then. But, whats the point of calling it "r2" if most of the stuff or a lot of it has already been released?
Just a chance for a cool release? Sweet
Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
You delayed r2 because of the compromise, released it delayed anyway and _STILL_ haven't brought up packages.debian.org, people.debian.org, etc
Nice of Slashdot to put the rocks and diamonds unreachable link too!
Open Source Java Web Forum with LDAP authentication
Finally find a good deb source for Gnome 2.4
That would be in unstable; GNOME 2.4 has been there for at least a month.
Jay (=
...is deborphan.
If you install an application that requires a few new libraries, removing the package doesn't always get rid of the library. Deborphan helps you find libraries that have no applications listed as dependencies; a simple
for x in `deborphan`; do dpkg -P $x; done (note backticks)
as root should do the trick.
Sure, most of the security updates are available on security.debian.org - but now they will be in the main distro, so if you want to make ISOs they will be included...
I've been using Debian for about six months now on my desktop PC, with almost no complaints. From an admin perspective, apt is great. One problem I've had, though, is that it's not very dialup friendly, and unfortunately due to various circumstances at the moment I'm stuck with a 56k connection.
I'm not referring the sizes of packages being downloaded. That's always going to be an issue with a dialup connection but I can at least make special allowances for when I want to grab something big.
The bigger problem for me is simply updating the apt-get package lists. Any time that I want to update, even if it's only to check for new packages and grab one or two, I have to wait for at least 3 MB of downloads simply to get the new package lists. In my case it's between 5 and 6 MB because I'm running a combination of testing and unstable.
A great improvement to apt from my perspective would be for it to handle diffs. If diffs of the packages could be stored on the servers so that apt could download the correct diff if it were available, even if it were just for the previous week or so, it'd save me lots of time in waiting for downloads.
Has anyone else noticed or had a problem with this? Maybe I'm missing an easy way out.
It appears that you have an inability to shut the hell up when the grownups are talking about real distributions. While we understand that you are a Gentoy user, and therefore have obvious and well recognised mental problems to deal with, we must insist that you keep your hands away from the keyboard and stop plugging your BESTAST EVAR DISTROO!!!11 in an inappropriate forum.
Yours,
Everyone who doesn't give a damn about Gentoy.
1. ' /usr/local/bin/knx-hdinstall ' is still there, but has been superseded by ' /usr/sbin/knoppix-installer '.
2. It's all over the help forums that you should NOT do a dist-upgrade, only do apt-get upgrade. Knoppix is already testing/unstable - do a dist-upgrade and you go all the way *unstable.*
3. > Knoppix is great as a static system, that's what it was designed for.
--I've been using Knoppix installed to HD on 3 machines for over a year now. Very few problems. (Hey, nothing's PERFECT.) Just use apt-get upgrade and you should be OK.
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
I use Debian, Gentoo and Knoppix when setting up Linux desktops for people. If the person is impatient, I tell them to go with Debian (although using Unstable tends to bring about dependency issues). If they want the most up to date packages, and don't want to run into dependency issues, and....don't mind waiting anywhere from 2 mins to 2 hours for something to install, I tell them to go with Gentoo. Knoppix is great for introducing people to Linux. I personally use Gentoo, not because I think it's faster, but because it seems easier to me (weird huh?). Well anyways, you can't help but respect Debian for all that it is.
All hail RMS - fat50 rulez!
The Debian server compromises have had far-reaching consequences, it would appear. I executed my regular 'apt-get upgrade' this morning, and when I looked back I was running {$INSERT_FAVOURITE_NON_DEB_DISTRO}. That should keep the bastards out!
Using stable only, it's even simple to keep the system up to date with apt-get and/or dselect. But problems start when you want to (or have to) use one or two newer packages from testing/unstable.
As a first try you'll add the needed testing lines to sources.list. Bad result: Dselect displays all testing packages with no chance to distinguish between stable and testing. And you can't install a single testing package without upgrading libc and dozens of other "dependent" packages to testing (in fact they're working fine with the older libc, you just can't install them. And no, I definitely don't want to use all of testing).
Second try: Reading the apt howto and adding to apt.conf. Dselect stops trying to upgrade all packages, but keeps displaying thousands of packages which are only present in testing and not in stable. And I still can't install a single package from testing because of the dependency issues.
Third try: Using the unofficial backports instead of testing solves the dependency issues. But you still can't distinguish between original stable packages and backported ones.
No, I don't want to use all backported packages. I just want to pick one or two of them using apt-get install [pkg] while keeping apt-get update on using the normal stable distro. Honestly, I've given up, downloaded the packages I need manually and forced them to install with dpkg -i --force. Not really the polite way.
Any clever ideas anyone?
I think we are looking at this all wrong.
Instead of trying to keep a centrally maintained package matrix tree, why not shift the burden to the developer (not really a burden, when you consider he is already packaging most of the data needed already under current apt/rpm systems today) via direct filesystem validation?
I would suggest we create a standard that will allow new applications to be added to distributions easily by encoding their own dependencies - but with a twist. This would require the creation of a better mousetrap, in the form of a platform independent standard for passing the dependency information, and a standard means of validating those dependencies in the operating system at the file level (where it must be able to recognize non-standard installations as well as the standard fare - or even recognize when the operating system is damaged - or incompletely installed for that matter, and work around the roadblock). If a developer really wants to make installation easy for his application, he could include all the dependent files so autoloading can be local as needed, otherwise the installation tool would need to have the correct URL to get the version that the developer used in his application (again, both items would be encoded in the standard).
Rather than keeping a central database, a la Microsoft Registry, RPM, etc, *nix systems should look to the file system itself to validate dependencies (I can load an RPM, then go out and remove the files - which will not update the package database, or conversely, the package database can become corrupted - forcing a reload of all non-standard packages; this is the central matrix's Achilles heel and why I believe we must move outside of this paradigm).
A decentralized approach will provide several advantages over current methods:
1. Less overhead at the distribution level. Distributions don't need to keep track of dependencies in an active way - and thus are free to pick and choose what applications are correct for their audiences. If a particular application has a dependency that requires upgrading a library or the kernel beyond what the distribution maintainers are comfortable with - then that can be managed easily (the goal would be to make such management relatively trivial - perhaps allowing the distribution managers to set revision 'stop points' in the interface - such that automated upgrading will not go beyond a certain revision level on specific applications/libraries). Overall, more flexibility for the distribution makers.
2. Since there is no centralized database, there can be no centralized corruption that brings package management to a halt. Any problems that occur along these lines will only affect one application - not the whole system.
3. Will work with any type of archive system; tar, rpm, etc. The system must not preclude or inhibit the use of existing systems if the user so desires.
To make this happen, I would recommend a self 'certification' for applications developed under the standard (similar to other 'compliant' tagging used today). The certification would ensure that application is compliant with the standard. The following items would need to be resolved to accomplish this:
a) A means of allowing multiple versions of libraries and applications to coexist on the platform without creating problems for the operating system must be devised. Perhaps applications could use a unique set of environmental variables to point to the correct version to use.
b) A means of encoding the dependency information and URL or ./local location information to load the dependent modules - workable with TAR, RPM, and other archival systems.
c) A means of leveraging existing make and config dependency files to automate the creation of the encoded standard file.
This is ultimately the correct approach in my mind, and follows the overriding Unix paradigms more closely than the other methods out there.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain