Building A Better Package Manager

SilentBob4 writes "Adam Doxtater of Mad Penguin has published a preliminary layout for his proposed cross-distribution package manager capable of adding/removing software from any locale. He is suggesting the interface will basically allow for installation of several major package formats including RPM, DEB, TGZ, as well as source code with the ability to pass build time options. All of this will come at the price of standards of course, including naming, documentation, and package structuring. If this idea were to catch on, it would signify a major leap in desktop Linux usability. This might be a project that UserLinux might benefit from. Read the full column here (complete with GUI mockups)."

Autopackage?

[Deraj+DeZine]

So this is a similar effort to Autopackage except that it plans on using the native package formats? Intriguing...

Re:Autopackage?

[pubjames]

So this is a similar effort to Autopackage except that it plans on using the native package formats?

Except that this guy has just stated the idea and made a couple of mock-up screenshots, whereas the autopackage guys are coming up with a complete, sensible solution and are leaving the interface until the end.

Re:Autopackage?

[IamTheRealMike]

By the way, it's funny this should be mentioned now but autopackage.org is in the middle of a DNS repropogation - it was switched to point to sunsite.dk literally hours ago.

For now, if it doesn't work, use autopackage.sunsite.dk and bear with us as we fixup the broken links etc.

Re:Autopackage?

Yeah, KDE is stable as a screenshot. And it's far ahead, because the smell of the sweaty foot that is coming after it is nauseous.

Re:Autopackage?

[Tukla]

Mmm hmm. And, of course, you can document this "method"?

Don't leave out Gentoo!

[bc90021]

I hope they will include Ebuilds as they are a great way to install software, and are becoming more and more popular as Gentoo does.

(No, this isn't a troll, I'd really like to see that. :) )

Re:Don't leave out Gentoo!

I hope they will include Ebuilds as they are a great way to install software, and are becoming more and more popular as Gentoo does.

Jesus Christ, and you wonder why girls run away screaming from you.

Re:Don't leave out Gentoo!

i get a bit fed up with the constant pro-Gentoo advocating on slashdot, but eBuilds do have one thing I praise them for (as a Debian user).

python.

I'm not even sure that you're allowed to do build scripting in Python for debian, but to force gentoo package maintainers to write in proper maintainable language was THE RIGHT THING.

now sod off till you support a few more architectures you little spratling. ;-).

Re:Don't leave out Gentoo!

[paranode]

Fortunately for Gentoo users, we already have support for RPM, DEB, TGZ, and of course source code. I guess all that time compiling was a safe investment! ;)

Re:Don't leave out Gentoo!

[The+Night+Watchman]

My main recommendation for Gentoo...

Let's say I update my portage tree, and then I want to upgrade a package, like GAIM, for instance. GAIM's dependencies are GTK and a bunch of other stuff. When I try to upgrade my version of GAIM and there happens to be a better version of GTK available, Portage will upgrade GTK first, regardless of whether you actually need the very latest GTK to run GAIM. I'd rather see Portage know what the minimum version a dependency has to be in order to get a program running. As far as I know, it'll just upgrade everything in the dep tree.

Unless I'm mistaken, at least. I've been using Gentoo for a while now, and for the most part I just do a "emerge -u world", which takes care of me pretty nicely. It just takes a while.

---

Re:Don't leave out Gentoo!

[bee-yotch]

Ebuild's aren't written in python, they're simple bash scripts. Portage, the system that manages the ebuilds, is written in python, as are eclasses.

I don't really see a point to including ebuild's in this package manager though, as the package manager should already be doing the work of the ebuilds maintain source packages.

Besides, portage will kick this package managers ass anyday. :-)

Re:Don't leave out Gentoo!

[revividus]

constant pro-Gentoo advocating on slashdot

Funny, all I ever see is Gentoo bashing. Are we reading the same sladhdot?

Re:Don't leave out Gentoo!

lol, good one

Re:Don't leave out Gentoo!

Yes, and he will behave as grown up as you, right?

Re:Don't leave out Gentoo!

i stand corrected.
i take it all back.
eeeeeeevil ebuilds.

i was being a bit silly and confused anyway. i meant the infrastructure for packaging. which i think is all perl and occasional c in debian.

Re:Don't leave out Gentoo!

[Valar]

This reminds me of something I read the other day in the gentoo forums: Installing Portage on Other Distros

Re:Don't leave out Gentoo!

[luugi]

I use Gentoo also but I must admit that doing "emerge -u world" scares the crap out of me. I'm always scared to mess up my system. But I've been lucky so far.

Re:Don't leave out Gentoo!

Instead of doing a "emerge -u world" try "emerge world" and you should(not always) see less updates.

# emerge -p world
Calculating world dependencies ...done!
[ebuild U ] sys-apps/man-pages-1.65 [1.64]
[ebuild U ] sys-apps/kbd-1.08-r4 [1.06-r1]
[ebuild U ] sys-devel/binutils-2.14.90.0.7-r4 [2.14.90.0.6-r6]
[ebuild U ] net-mail/postfix-2.0.16-r1 [2.0.11]
[ebuild U ] sys-apps/file-4.06 [4.02]
[ebuild U ] sys-devel/automake-1.7.7 [1.7.5-r2]
[ebuild N ] media-gfx/bootsplash-0.6-r3
[ebuild U ] sys-kernel/genkernel-3.0.1_beta6 [1.8]
[ebuild N ] sys-kernel/gs-sources-2.4.25_pre6
[ebuild N ] sys-apps/module-init-tools-0.9.15_pre4
[ebuild&nb sp; N ] sys-kernel/gentoo-sources-2.4.22-r5
[ebuild N ] dev-lang/python-2.3.3
[ebuild U ] sys-libs/ncurses-5.3-r5 [5.3-r2]
[ebuild U ] sys-devel/m4-1.4-r1 [1.4]
[ebuild U ] sys-apps/coreutils-5.0.91-r4 [5.0-r5]
[ebuild U ] sys-libs/glibc-2.3.2-r9 [2.3.2-r3]

# emerge -up world

These are the packages that I would merge, in order:

Calculating world dependencies ...done!
[ebuild U ] sys-apps/man-pages-1.65 [1.64]
[ebuild U ] sys-devel/gettext-0.12.1 [0.11.5-r1]
[ebuild U ] sys-devel/binutils-2.14.90.0.7-r4 [2.14.90.0.6-r6]
[ebuild N ] sys-kernel/linux-headers-2.4.19-r1
[ebuild U ] sys-libs/glibc-2.3.2-r9 [2.3.2-r3]
[ebuild U ] sys-apps/kbd-1.08-r4 [1.06-r1]
[ebuild U ] dev-libs/openssl-0.9.7c-r1 [0.9.6k]
[ebuild U ] net-mail/postfix-2.0.16-r1 [2.0.11]
[ebuild U ] sys-apps/file-4.06 [4.02]
[ebuild U ] sys-devel/automake-1.7.7 [1.7.5-r2]
[ebuild N ] media-gfx/bootsplash-0.6-r3
[ebuild U ] sys-kernel/genkernel-3.0.1_beta6 [1.8]
[ebuild U ] sys-libs/ncurses-5.3-r5 [5.3-r2]
[ebuild N ] sys-kernel/gs-sources-2.4.25_pre6
[ebuild N ] sys-apps/module-init-tools-0.9.15_pre4
[ebuild&nb sp; N ] sys-kernel/gentoo-sources-2.4.22-r5
[ebuild N ] dev-lang/python-2.3.3
[ebuild U ] sys-devel/m4-1.4-r1 [1.4]
[ebuild U ] sys-apps/coreutils-5.0.91-r4 [5.0-r5]

Re:Don't leave out Gentoo!

[polin8]

"emerge -u gaim" will upgrade its immediate dependencies.

"emerge gaim" will just upgrade to the needed packages, or only gaim.

Re:Don't leave out Gentoo!

Portage already works the way you want. search for DEPEND in any ebuild (there are versioning there).

Re:Don't leave out Gentoo!

[Zebbers]

true it doesn't intelligently or automagically handle that
but gentoo has stated that thier distro is more oriented to the more capable linux types. So if you know gaim doesnt need it. Dont install the deps.

emerge --nodeps gaim

though i totally agree with the spirit of the post and maybe portage will have that capability someday...uneeded upgrades are always risky

Re:Don't leave out Gentoo!

[Nuclear_Loser]

I agree that ebuild are cool, I love my gentoo, but I have to say that it doesn't make sense to use ebuilds accross multiple distributions for 3 reasons.

1. The are still in a state of constant change, no standard except the current state, whatever it may be, to work off. Portage needs to set in stone specifications for ebuilds for major releases that will not change until the next major release. This way the packages themselves could more easily support them.

2. Ebuilds take a lot of developer effort. The portage maintainers have to create all of these ebuilds and supporting multiple distributions which change the layout of their packages could be a nightmare.

3. How often do you emerge rsync? Gentoo is built upon the idea (mostly) of keeping packages fresh and new. Vendors may not want to support "foo-1.3-r15.ebuild", they may want to have releases of a version on their cds, support that, and only update if security flaws are found or if the vendor makes and entirely new release of the distro.

In a bussiness, I might steer clear of a distro like Gentoo, only due to the de facto standard of keeping maintainance on the system. Yes, I know there exists full releases of Gentoo, but really, who keeps purely to the packages in those releases? (and I expect a few hands to raise now, but I refer to those as statisical outliers :)
The first thing most gentoo users do when installing is sync to get the newest packages, nothing like a bleeding edge system to play with.

Cheers.

Re:Don't leave out Gentoo!

[daserver]

That is because you use the -u flag. If you leave that out it will only update gaim or whatever you were updating.

Re:Don't leave out Gentoo!

[BigJimSlade]

"emerge -u gaim" will upgrade its immediate dependencies.

"emerge gaim" will just upgrade to the needed packages, or only gaim.

Mod up parent please! I don't have any mod points and this concisely explains how portage works.

Re:Don't leave out Gentoo!

[Exxxodus]

If I not mistaken emerge gaim will only emerge gaim and not it's dependencies. emerge -u gaim will emerge and update all of gaim's dependencies and gaim.

Re:Don't leave out Gentoo!

[Jerf]

When I try to upgrade my version of GAIM and there happens to be a better version of GTK available, Portage will upgrade GTK first, regardless of whether you actually need the very latest GTK to run GAIM. I'd rather see Portage know what the minimum version a dependency has to be in order to get a program running. As far as I know, it'll just upgrade everything in the dep tree.

Basically, this is wrong. Sorry. ;-)

The "-u" parameter to emerge will make it work as you described. However, if you just typed "emerge gaim", it would only emerge the minimum required. You have to ask for the "emerge all depencies, too" behavior.

I quite frequently emerge -up world, then just pick and choose what I want updated.

(I just checked "emerge -p world" against "emerge -up world", and "emerge -up" did significantly more packages on my system, where over 100 packages can be updated. On Gentoo, IIRC, the "world" is the list of things that you explicitly emerged; "emerge mozilla" will put mozilla in the "world" list but not any of its dependencies. So "emerge world" can update the packages you cared enough about to explicitly ask for them, and -u will add all possible dependency update.)

Re:Don't leave out Gentoo!

[Nuclear_Loser]

I also have sex with farm animals

Re:Don't leave out Gentoo!

[jimmy_dean]

I've been doing an emerge -u world for about 2 years now and have never ever had a problem. Gentoo's install system is the most reliable/hands off system I've ever come across (though debian's is pretty darn good too).

Re:Don't leave out Gentoo!

[The+Night+Watchman]

I use Gentoo also but I must admit that doing "emerge -u world" scares the crap out of me. I'm always scared to mess up my system. But I've been lucky so far.

I can certainly relate, but so far, I haven't had any emerge world trouble on any of the Gentoo machines I've set up. Occasionally it'll fail and you'll have to wait for another portage tree to fix the problem, or you've got to go in and tweak something, but I've found the online message board to be extremely helpful in troubleshooting things like that.

I'm more worried when I have to go and merge in all of those configuration files. I tend to worry that I'm going to overwrite my nicely-configured config files with the bland default ones. That happened to my fstab once. It was painful. But I'm a better man for it now, and I know to be a bit more careful.

---

Re:Don't leave out Gentoo!

[Al+Al+Cool+J]

once you're old enough to shave and start using real UNIXes you will realize what a waste of time all that compiling and over-optimizing is.

If you just stare at the screen and watch the code compile, then yes, that would be a waste of time. Most Gentoo user though are smart enough to know how to multitask. While program foo is compiling, you do something else, either on the computer, or (and here's the really shocking bit) away from the computer.

So with that in mind, please explain to me how typing

emerge foo

is in any way a waste of my time?

Re:Don't leave out Gentoo!

[The+Night+Watchman]

Thanks!

That's something I suppose I should have been able to figure out. I guess I'm getting rusty in my old age :) Or maybe I just need to read the fscking manual...

---

Re:Don't leave out Gentoo!

I didn't say a waste of YOUR time. Maybe I ment a waste of processor time? If you're doing an 'emerge world' or whatever on your production server, don't you think those processor cycles used for your stupid -fomit -o3 -pipe -whatever flags could be used to improve database queries? Or all the extra hard disk thrashing while shit compiles in the background makes your game of Unreal Tournament nice and jerky and you ping out and get fragged? If you want to sit there and stuggle to even make basic USE of your Gentoy box while you watch your gcc diarrhea screensaver, then have fun, I'd rather be productive.

Re:Don't leave out Gentoo!

While I agree that any step away from the primeval ooze of C is a good one, frankly who cares?

Having a hardon for the fact some random tool is written in Python is worse than being a gentoo-boi.

Re:Don't leave out Gentoo!

eclasses are written in shell as well.

Re:Don't leave out Gentoo!

I just installed Gentoo and I love it
emerge life

Re:Don't leave out Gentoo!

[MightyMike]

So playing unreal tournament is being productive...

damn, all those wasted years...

Re:Don't leave out Gentoo!

[Jheaden]

While this doesn't help at the moment, there are plans to setup an "enterprise" gentoo where packages won't change so frequently. It was mentioned in the weekly news letter here

A quote from the letter:

The meeting held on the 26th was opened with Kurt Lieber announcing a plan to develop an enterprise-friendly version of Gentoo. Gentoo Enterprise would be extremely stable, with quarterly sets of release ebuilds guaranteed to persist for at least a year. There was then some discussion on whether to have a separate Gentoo Enterprise tree or to have a Portage keyword; Kurt will be writing a GLEP to tackle these and other issues soon. Once the floor was opened, developers brouhgt up several ideas. First, Brian Jackson suggested "server metapackages" - these would be like the KDE and GNOME metapackages - "emerge vmail", for example, would create an already-configured virtual mail system. Next, more discussion about a separate tree for Gentoo Server, including ideas about using webrsync to get past paranoid corporate firewalls, using xdelta, and implementing a kickstart-like installation tool, took place.

Re:Don't leave out Gentoo!

[V.P.]

I've been doing an emerge -u world for about 2 years now and have never ever had a problem.

Two years huh? How's the good ol' 386SX going?

Re:Don't leave out Gentoo!

[EzInKy]

I use Gentoo also but I must admit that doing "emerge -u world" scares the crap out of me. I'm always scared to mess up my system. But I've been lucky so far.

I have "ACCEPT_KEYWORDS=~x86" in my make.conf and emerge everything with -UuD and experience few if any more problems than when I was running Debian unstable/experimental.

Re:Don't leave out Gentoo!

[bc90021]

Actually, there's one that doesn't, and I'm guessing that that's one more than you can brag about. :P

Re:Don't leave out Gentoo!

why? because you have got her tied up in the basement? ;)

Re:Don't leave out Gentoo!

[Tony+Hoyle]

Last time I tried that id upgraded glibc, screwed it up and I had to fdisk/reinstall to get the damned system back.

My major gripe with portage is it doesn't record USE flags - eg. if you install links with 'USE=-X' to avoid its dependency on XFree (which moron decided that one???) then then next time *anything* decided to upgrade links it'll rebuild all the X dependencies back in.

That's a real pain when you're talking about things like the java depedency to libdb for example, which doesn't actually work...

Re:Don't leave out Gentoo!

[Wiz]

emerge DOES NOT update your system config files for you though!

It is "etc-update" which does this, and it will ask you if you want to overwrite each file if necessary. You can even do a side-by-side merge of the new and old files if you are worried.

Re:Don't leave out Gentoo!

[Chris_Mir]

The number of packages will probably even be longer when you use emerge -upD world, where the D stands for deep. It will not only look for the first line of dependencies, also for updates on the dependencies of these dependencies. And the on the dependencies of the .... ah well, you catch my drift ;)

Re:Don't leave out Gentoo!

[E_elven]

Anyone doing an 'emerge world' on a production server is an idiot or possibly even a Windows admin.

The proper way to do things like this, if you must, to a production server is to have a similar machine that you can compile on, and then just transfer the binary over.

Re:Don't leave out Gentoo!

[Dausha]

I'm more worried when I have to go and merge in all of those configuration files.

Well, then perhaps it is time to use CVS to keep a backup of your configuration files? I've run into this problem as well, and found this to be a comfortable solution. No more worries if I clobber a config file.

Or, if you are using etc-update, don't forget the -3 option

Re:Don't leave out Gentoo!

[Al+Al+Cool+J]

Well yes, if you do stupid things, then bad stuff can happen. So don't do stupid things!

Only an idiot would emerge world a live production server, and whenever I want to do something cpu-intensive while doing an emerge, then I just suspend the emerge until I'm done. Beside, I don't sit at my computer 24-7, and am quite happy to have it do most of the compiling when I'm not there.

I've run mandrake, suse, redhat, slack, and debian, and was never really happy with my computer set up until I got gentoo. But that's me. I'm not saying it's for everyone (just the smart ones :-)

Re:Don't leave out Gentoo!

[opello]

--nodeps (-O short option)
Merge specified packages, but don't merge any dependencies.
Note that the build may fail if deps aren't satisfied.

from emerge --help

I've also been using gentoo for a while now, and reading the documentation (as with anything else) can stop misconceptions from happening, and make the experience better all around

Re:Don't leave out Gentoo!

[zhenlin]

eclasses, like ebuilds, are written in bash.

Mnyah!

[American+AC+in+Paris]

Bah, you kids, always inventing your own names for things!

When I was your age, we called 'em by their proper name--athletic supporters!

"Package manager", indeed...

Re:Mnyah!

sooo that would make diapers into "windows managers" ??

Re:Mnyah!

I was thinking bra, or for men, the Brossiere..

They have it.

It's called pkgsrc.

Re:They have it.

If you had read the article, you would have seen that this was for Linux. Go grind your BSD axe somewhere else.

Re:They have it.

If you had bother to look into pkgsrc, you would have saw it works on nearly any UNIX OS including Linux and BSD.

Again?

[avalys]

This topic comes up how often? Like twice a year?

And yet nothing ever changes.

Re:Again?

This topic comes up how often? Like twice a year?

And yet nothing ever changes.

Re:Again?

Its because people constantly whinge about how hard it is to install Linux, then apps under Linux.

Some people won't be happy until you just have to think about what you want installed to get the data onto your harddisk.

Re:Again?

[Deraj+DeZine]

What are you talking about? These mockups are clearly slightly different from past years! Perhaps no code has been written, but everyone knows that impressive mockups are the key to building successful open source software with your newly-created SourceForget account.

Re:Again?

[pyros]

And yet nothing ever changes.

Not true. Red Hat's up2date supports apt repositories and the dpkg format is getting GPG signature/hash checking. From discussion late in the Fedora Core 1 beta stage it seemed that there is internal pressue to include apt in the core distro at Red Hat. Those are big changes, I think. I stopped reading the article since it's getting slashdotted, but it the author[s] can implement a single database that tracks installation by RPM, deb, and tgz, then I'd wager those features will be added to RPM and dpkg down the line. I honestly can't see either Debian or RedHat jumping ship to a new system, but they both borrow features from each other, so why not from this too?

Re:Again?

So it's a dupe article?

Re:Again?

[rsax]

the dpkg format is getting GPG signature/hash checking

Do you have any more information regarding that? Everytime I've asked on #debian I get very vague answers. Usually the argument is that all the package maintainers and contributors would need to send in their keys and sign all of the packages they contribute which would require a lot of effort. Given the recent security issues with trojans I think that this would be well worth the effort.

Re:Again?

[bangular]

But what we need is one package format that everyone can use. RPM's are a pain in the ass to put onto a distribution that wasn't built from the ground up from RPM's. They have almost no standard naming system for packages. They have to be linked against the exact same minor version of libs once they are installed. RPM's should be dumped. Deb's and Tgz's have the same problem. We need a fresh package format that, instead of keeping a database of installed packages, uses a ./configure/autoconf like script to actually check for what's installed. Also, it needs NOT to use M4! It needs to be able to link against at least all minor versions it was linked against (maybe produce a warning to tell you).


These little things would take care of all the major issues with RPM/Deb/Tgz packages. A measure of backward compatability might be nice, but in all honesty, we are only inches further with binary package formats than we were 10 years ago!!!!

Re:Again?

[pyros]

The last time there was a big discussion on package formats, probably when the Debian servers were cracked there were a few links to a couple of projects. Like dpkg-gpg or dpkg-secure, or apt-secure, stuff like that. It was all stuff off individual developer pages, but they were all official debian developers. Here's one link I found: http://monk.debian.net/apt-secure/

Re:Again?

[tiger99]

I hardly think Fedora Core 1 can be held up as a shining example of how to do anything. It is the most badly broken distro I have seen in years, complete with an update system that is based on the vile RPM, with some HUGE binaries. Most of the world is still on dial-up at 56k or less, most ISPs in the world have a 2-hour timeout (or less), and there is no way of resuming an attempted update when it times out. In short, it does not work. I wasted several weeks on Fedora, half of the configuration utilities one expects in a modern distro were not there. It went to /dev/null where it belongs, in the end.

The only sensible way to work is with source patching, it is far easier to download smallish source patches and compile in situ than to solve the stupid issues of large binary downloads. Most end users would neither know nor care how it worked, as long as it worked. Most PCs are more than capable of supporting the C compiler, or whatever is needed in each case. A source patching system can be made to work transparently to the user, anything involving excessively large downloads can not be made to work. It is as simple as that.

This issue is one of the few serious problems that are hindering the uptake of Linux on the desktop. The other major one I have already referred to, badly broken configuration utilities. It may seem a boring issue, but it deserves the full attention of the best programmers out there, and for that matter the best user interface experts. Get it right, i.e. better than the efforts of the Convicted Monopolist, and we will see Linux on most desktops. Continue to get it wrong, and the Convicted Monopolist will remain exactly that, with the desktop monopoly remaining for ever.

Re:Again?

[pyros]

But what we need is one package format that everyone can use. RPM's are a pain in the ass to put onto a distribution that wasn't built from the ground up from RPM's. They have almost no standard naming system for packages. They have to be linked against the exact same minor version of libs once they are installed. RPM's should be dumped. Deb's and Tgz's have the same problem. We need a fresh package format that, instead of keeping a database of installed packages, uses a ./configure/autoconf like script to actually check for what's installed. Also, it needs NOT to use M4! It needs to be able to link against at least all minor versions it was linked against (maybe produce a warning to tell you).

You've fallen for a common misconception. The naming standards are adhered to within each distribution. but each distribution has different naming schemes. Packages which have dependencies on specific minor versions are not due to the RPM format itself, they are due to bad maintainers. If the major RPM distros would agree to a single naming convention, We would see large scale community repos which could then enforce a policy for lib depencies. Maybe a whole distro, called rpmian. ;)

we are only inches further with binary package formats than we were 10 years ago!!!!

10 years ago I started with Slackware, and quickly moved to Red Hat. I've tried out Debian and its various step-children, and Mandrake, Suse, and Ark. I think binary package management is leaps and bounds ahead of where it was a decade ago. Dependency tracking has improved, RPM has GPG signature and MD5 checksum verification.

Re:Again?

[pyros]

I have yet to use a distro that works as well for me as the Red Hat offerings. I've tried debian, suse, mandrake, corel, knoppix, gnoppix, slackware, and ark. I also tried freebsd. Each one works for some people, and not for others, deal with it.
You say the only sensible way is small source patches. So how do you get that first kernel? Are you suggesting that everyone cater only to the lowest common denominator and maybe only ship CD's to install from? To hell with features that make use of broadband? You sound like a self-righteous dick ranting about Microsoft and how your idea is the only thing that can possibly work. Some people like installing from source, some hate it. That's why we have a plethora of distributions to choose from, mein fuhrer.

Re:Again?

[bangular]

GPG sigs and MD5sums aren't really leaps and bounds. RPM still is basically a cpio wrapper. It still relies on a database with all the packages. If I compiled Xfree86 from source and XFree86 is a dep. for a package, it will not reconize my xfree86 because it's not in the database. We need to get rid of the database.

We still have the problem of, unless it's statically compiled or you symlink the libs yourself to the version it's expecting, it's difficult to have all the exact lib versions the package was compiled against.

Have you ever tried to put RPM on a non-rpm distro? First of all, it's a pain in the ass to compile. From what I remember I had to write a patch for it. Second, you have to build the database of all the packages that you've compiled yourself, manually. Then, for every package you compile yourself, you have to add it to the database. By the time you are done with all that, you could have compiled it from source.

Re:Again?

[eatdave13]

This topic comes up how often? Like twice a year?

And yet nothing ever changes.

Re:Again?

[pyros]

If I compiled Xfree86 from source and XFree86 is a dep. for a package, it will not reconize my xfree86 because it's not in the database.

That has nothing to do with the package format though. That is pure policy of the maintainer. that is what makes debian so popular, they impose a strict policy on the volunteer maintainers. Fedora is Red Hat's step in that direction. People can volunteer to maintain packages, and they will have to adhere to a standard policy of naming conventions of listed dependencies.

We need to get rid of the database.

Hence this project. Have a standard database that any format (deb, rpm, and tgz for now) can read/write to, and a reliable dependency tracking across multiple sources that works with all those formats in the backend.

Have you ever tried to put RPM on a non-rpm distro?

If your system doesn't support RPM, then why use it? If you're going to package it yourself, why not grab the source and go straight to your native format? If you don't care about the dependencies, just rpm2cio and dump the contents into /opt/foo. I may be missing something, but it seems like you're just creating extra work for yourself. The project mentioned intends to remove the need for trying to run two separate package management systems.

Re:Again?

[Hard_Code]

Because any time anybody (like me) points out that the tradional "unix" file system with /usr and .../bin/... and .../sbin/... and ../local/.., etc. etc. etc., is vestigial and retarded, everybody flames back: U R n0t a rEEL hax0r d00d, with a thousand apologies about why that has to be to compensate for some stupid clustering strategy cooked up in the early eighties (don't know about you, but it seems obvious to me that all configurations for all my applications go in /etc/, while the cryptic /usr/local/sbin is translated into "user-level administrative applications deployed for the local network of this machine". Boy that taxonomy is USEFUL!).

The nearest thing I can find to a decent package manager is 'stow' which essentially does *nothing* but hide all that hierarchical complexity behind top-level directories. A new package *format* is not the problem, it's layout and management that is the problem. Everything else is a new wrapper on the same old problem.

Re:Again?

[grasshoppa]

FC1 works fairly well over here. But you are right, there is no way to resume and that's a major problem that should be addressed immediately. Also, I quickly learned not to use the sources provided by the default install, and instead spent 5 minutes searching and found an alt set of sources for both up2date and yum. And which config utilities were you expecting that you didn't find in FC1?

The only sensible way to work is with source patching, it is far easier to download smallish source patches and compile in situ than to solve the stupid issues of large binary downloads. Most end users would neither know nor care how it worked, as long as it worked. Most PCs are more than capable of supporting the C compiler, or whatever is needed in each case. A source patching system can be made to work transparently to the user, anything involving excessively large downloads can not be made to work. It is as simple as that.

Not a bad idea, in theory. I would like to see a working implementation before I say one way or another if it's the best thing.

This issue is one of the few serious problems that are hindering the uptake of Linux on the desktop.

Actually, the only thing that is blocking linux's acceptance in the desktop world is the lack of MS office. Seriously.

The other major one I have already referred to, badly broken configuration utilities.

Again, I do not understand this. Linux has some awsome configuration utilities, certainly more than windows, so this can not be barring it's acceptance into the desktop world. What utilities are you missing?

Re:Again?

[Daniel]

I know that support for some sort of signatures has been integrated into the CVS version of apt, and is available in apt 0.6 (in experimental). I don't remember whether this is release signatures, package signatures, or both, and I don't want to open that particular holy war again.

Daniel

Re:Again?

[bangular]

I run Linux from Scratch and compile almost everything myself (mozilla binaries work well so I use those). The problem with a standard database, is it's still a database. autoconf doesn't use a database. It actually will check to see if gcc -lm is ok, then see if gzip is there, etc. etc. My "native format" is source. Using a ./configure type of environment checking is MUCH more portable and allows for me to install just a few binaries easily, rather than having to build the database manually to install those few packages. Autopackage is actually doing this, and I think autopackage should become the new standard packaging system.

Re:Again?

[Daniel]

We need a fresh package format that, instead of keeping a database of installed packages, uses a ./configure/autoconf like script to actually check for what's installed.

The problem with this approach is that you can only check dependencies that are actually installed. You'd need to use metadata to declare what your package provides *anyway*, or tools like apt couldn't work, and then you could still run the risk of "package X claims to provide foo, but doesn't actually" and "feature foo on distribution Q is called oof on distribution P". The only thing this could really do is slightly lessen the pain of badly made third-party packages (which should be fixed anyway), at the expense of drastically complicating the whole system.

Daniel

Re:Again?

[Kent+Recal]

Until the transition is done just give me a little flag telling whether the package I just installed is "trusted" or not (yet).

It will make us feel a little better just every time we see it. :-)

Re:Again?

[Antity-H]

I find this idea quite interesting, after all we already a standard database tha knows all about what is installed, that would be the filesystem, therefore using an intellignent way to query the filesystem for requirements seems a good way to go.

However wouldn't there be performances problems? I mean running ./configure usually take quite some time for most packages, much more so than completely installing a deb or an rpm.

Re:Again?

[silicon+not+in+the+v]

Again, I do not understand this. Linux has some awsome configuration utilities, certainly more than windows, so this can not be barring it's acceptance into the desktop world. What utilities are you missing?

I realize this discussion is mostly about software, so you're probably talking about software configuration, but I've found Linux to be lacking in hardware-related configuration. Better than Windows you say? How do you change your X desktop resolution in Linux? dpkg-reconfigure? It seems not as easy as right-clicking on your background to view properties and then clicking 1024x768. What if you change a drive, video card, etc? I'm sure Linux is better with configuring your servers and whatnot, but for general system configuration, I think it could use some improvement.

Re:Again?

[hackstraw]

How about the KISS approach?

install foo.pkg

puts all files in, say, /opt/foo.x.y.z

symlink whatever needs to be symlinked on the system. (a cronjob will remove dead links)

This will allow for different versions of foo, and the user can see what all is contained in foo (libraries, headers, binaries, manpages, readmes, etc). Ever try to do a 'ls' on today's linux systems in /usr/bin ? Its a mess.

Oh, and the tricky part. To uninstall do 'rm -rf /opt/foo.x.y.z'.

Re:Again?

[metamatic]

Perhaps the reason you get flamed is that it has been clearly demonstrated that the UNIX filesystem layout need not be a problem for end users--just look at Mac OS X.

What's retarded is fancy window managers that make the entire underlying UNIX filesystem layout visible to end users by default. If you're going to build a desktop abstraction, do the whole job.

The important thing about the UNIX filesystem layout is that, unlike that of Windows, it is technically sound. You can add user friendliness to a technically sound design later on.

Re:Again?

Most of the world is still on dial-up at 56k or less, most ISPs in the world have a 2-hour timeout (or less), and there is no way of resuming an attempted update when it times out. In short, it does not work. I wasted several weeks on Fedora, half of the configuration utilities one expects in a modern distro were not there. It went to /dev/null where it belongs, in the end.

Bull-fucking-shit. All the config I needed was there in Fedore Core 1... *and* apt-get update works just fine with the 2 hour disconnect on my 56k modem.

Re:Again?

[antiMStroll]

Why does 'l33t' only shows up in this forum when used as a pejorative, yet people continue to trot out this Linux stereotype?
Help! The fat, bearded unwashed are after me!

Re:Again?

[joshua42]

And even worse... "/usr/local/bin" and "/usr/local/Bin" are two completely different places in linux. Everytime anyone points out the braindeadness of that they get the very same h4xX0R-response you describe.

Re:Again?

[Hard_Code]

Exactly my point. What Apple has done with Mac OS X is smear a layer on top of the unix internals since they are so useless. Under the covers it symlink hell. They have also done a lot to replace some unixish things (e.g. NetInfo). Also, look at how they treat applications. They are self-contained directory "bundles" which are represented by a single icon, but contain binaries and all other data needed. Something like this is what I was proposing.

Because you can hide the ugliness is not itself a justification for it being there in the first place.

Re:Again?

[mypalmike]

> What's retarded is fancy window managers that
> make the entire underlying UNIX filesystem
> layout visible to end users by default. If
> you're going to build a desktop abstraction,
> do the whole job.

The parent post was explaining an opinion that the core of the package manager problem comes from what he considered an unwieldy and non-standardized directory structure. Different Linux distros, including diffrent versions of the same distro, put certain files in different places, use different files to do the same thing, have different file dependencies, etc.

Hiding the file system layout from the novice end user might arguably be a useful thing, but it has nothing to do with the discussion.

-_-_-

Re:Again?

[Malcontent]

If you look at MacosX it has a directory structure like /Library/StartupItems and such. Maybe that's somewhat more understandable the /usr/local/etc/rc.d but in all honesty the average user will be just as baffled. The library? what the hell is that? Why are the startup items in the library? What's the difference betweek /System/Library /Library and /Users/user/Library.

In MacosX the configuration files are all spread out amongst the applications. Instead of /usr/local/etc/php.ini it's in /Library/PHP4/php.ini. Is that good or bad?

I think it's bad. I liked that all the config files were in one place. I could back it up easy and check it into CVS. I think that I am giving up a lot of functionality just to have a different and slightly less cryptic directory structure.

I also dislike that mixed caps. I dislike typing long directory names. I honestly don't see a huge advantage at all.

Maybe it's possible to do both. Maybe it's possible to have a sane structure and easy management but I have yet to see it. Windows is the worst culprit with programs spewing stuff all over your disk and config data all over the place.

Re:Again?

[Cecil]

Psst. Would you like to know how "bundles" are done? They're simply directories, contiaining the program in the Contents/MacOS/ directory beneath it. Exactly as grandparent post suggested, everything is technically sound underneath but not particularly user friendly. Finder is what does the job of making it easy for the user to interact with these 'bundles'. That is where the logic belongs. /bin, /usr/bin and /usr/local/bin are there for a *reason*. Maybe they don't make sense to you, but they have crucial distinctions. /bin contains critical system files that even the distro needs to be cautious when updating. /usr/bin is the distro's files, it should be able to do what it wants with any of those programs. /usr/local is locally-installed software that did not come from the distribution, and it should be off-limits.

The problem is not that there are directories which make this distinction (would you prefer using a Windows-like registry to keep track of who installed what files? HA, that works well.) The real problem is that no one has bothered to abstract them in a useful way. It would not be unreasonable, say, to have several main "directories" listed such as 'etc', 'bin', 'lib', and have them contain a list of all files within any directory of that type, annotated with the type of installion. I'm sure there are better ways than that, but there's something right off the top of my head.

But what file manager would you put this in anyway? Linux has no equivalent to 'Finder'. Nautilus can browse directories nicely, but it's not the desktop environment's one-stop-shop for all things filebrowsing, like Finder is in OS X. Until you have a unified framework for things like that, you will never be able to abstract the filesystem away for the UI without something like GTK popping up and ruining it.

And, for the record, OS X is not symlink hell at all. It has no more symlinks (which are not a bad thing, and I can't imagine how many you would need to create a hell of any sort) than any typical Linux installation.

Re:Again?

[Hard_Code]

I know how bundles are implemented. I sort of implied that by mentioning that Stow does essentially the same thing under Linux (just hide the hierarchy under a top-level BlahApp/ directory). If you want to get even more technical, it was my understanding that /bin and /sbin were furthermore distinguished by being *statically linked* binaries which could be used during boot in case the /usr volume fails, and hence dynamic libraries are not available. The same goes for /boot, as you should still be able to boot off /boot if the other volumes are trashed. My point is: exactly what value does this provide the user? None. I don't give a damn about statically linked this or boot volume that. Those are the details the OS should handle - those distinctions should not pollute a user-facing namespace/interface. I understand the technical and historical reasons why those directories exist, I'm just saying it does not necessarily have to be so, and that in any case it should not have any bearing on user experience. Example: FreeBSD has now started doing away with the whole statically linked binary concept (http://kerneltrap.org/node/view/1628) and is moving to a dynamically linked root. Also, the distinction between "system app" and "non-system app" is academic to me as a user. They are both apps. Same goes for "distro's files" and "locally-installed software". It's ALL locally installed software unless you are mounting a common network share, in which case, why can't that just be a peer structure instead of nesting under /usr/? (I believe Mac OS X mounts shares at a peer level instead of nested, correct me if I'm wrong). And last I check OS X IS symlink hell at the root level...all the top level "unixish" directories are links into another nested level.

As for the technical question of how to "abstract" a dirty filesytem to begin with - filesystems like ReiserFS already have implicit support for metadata and attributes, and I believe there are 'ls' and other binaries that know how to do the right thing. This is all besides the point because I'm not advocating hiding the ugliness but instead refactoring the damn namespace so it makes sense in the first place and we don't have to put layer upon layer of abstraction to make it look "nice". One straightforward suggestion, make *everything* an app/ directory with conventional layout, and then rely on *indexing* (or symlinking to) the documentation, binaries, configuration, etc., instead of doing the inverse, which is breaking down each app into constituent pieces littered over the files system. One example is 'man' - which can *easily* be set up to index into all installed apps, instead of all apps installing docs into /usr/share/man. Another is libraries, where search paths can be explicitly enumerated for desired libraries, instead of putting ALL libraries (even irrelevant ones) into a top level lib/ dir.

I could make more suggestions as to what I think a better layout would look like, but that is besides the point - the issue is not necessarily about any given proposal, but that the issue be heard at all. The "unix community" if there ever was such a thing, is very conservative and resistent to changing things like that, mostly because it is proven, and works today, and therefore it shouldn't be messed with.

However, I do believe more work on the desktop will drive this refactoring. We have already seen several concessions from "unixisms" to the desktop, so hopefully this will be true (actually I think a refactoring would help BOTH the server and desktop, but the server people judge satisfaction by how LITTLE they have to use the system (how stable and consistent it is), while desktop users judge it by how MUCH they have to use the system (how user friendly/productive/efficient it is to use).

Re:Again?

[Hard_Code]

True, 'Library' doesn't necessarily have much meaning. But if you look at some of the other things Mac OS X has done, they are, dare I say, "ergonomic". For instance, Mac OS X has a real dependency checking System init mechanism that enumerates configuration files to determine subsystems to bring up. These are simple configuration files that integrate with the startup to do novel things such as, oh, display a message in the graphical UI as to what is actually starting up. I'll note that Seth Nickel is investigating a similar "real" startup system called System Services, for Linux, which is integrated into d-Bus and desktop environments.

Mac OS X is partly a bad example because they have "solved" the problem by putting a vast layer on top of it. If the user never even sees the underlying layer, what value is there in it being there in the first place? The answer for Mac OS X is traditional unix compatibility, and while this plays well in server environments, I think we can start to demand more of desktop systems.

You'll notice that the file system drives many things - for instance, one of the solutions to obscenely long file paths, was not to actually solve the problem, but to add automatic file path completion to the shell, how nifty!

As far as layout, my preference would be uniform app/ directories with conventional subdirectory contents (bin/, doc/, conf/, etc.), which are then index into by other apps (like 'man'). This also vastly simplifies package management, as "uninstalling" becomes a matter of simply removing a single directory instead of crawling the file system for every file associated with the program that got stuck anywhere.

Re:Again?

[metamatic]

Yeah, well... That just makes him even more wrong :-)

As far as the effect on package managers, there's nothing wrong with the UNIX directory structure.

Re:Again?

[Malcontent]

Your prefered method still does not give me the convenience of checking the entire /etc directory into CVS or tarring it up to do a quich backup before mucking with the system.

Have you looked at encap? Do a search for it it's cool.

it's not the package format

[ajagci]

People get so hung up on the package format. It really isn't about the package format, it's about the people and organization behind the packages and whether they produce a consistent distribution. A "better" package format or a better installer isn't going to help you when a piece of software expects libraries to be there that just aren't available, or when an install script assumes functionality you don't have.

Re:it's not the package format

[Deraj+DeZine]

Tell that to Debian Troll's Best. I'll admit that I don't completely understand all of the technical details, but it appears that the Apt package management system from Debian is on the verge of saving humanity as we know it.

Re:it's not the package format

[Ian+Bicking]

I agree -- as an example, how do you represent package dependencies? In Debian they are represented as package names. These names are not portable to other distributions and require centralized management to ensure there are no conflicts. And the same goes for version numbers on these packages. You could decentralize it -- say, provide dependencies as URLs -- but that would mess things up as well, because you couldn't indicate conflicts safely, and you couldn't indicate that a package fulfilled a dependency whenthe URLs don't match.

Of course, you could create an ever-growing matrix of compatibility information, mapping packages between different schemes, identifying conflicts and dependencies... but that's obviously unfeasable.

And if you can't deal with those problems, why bother? What makes Debian's all-inclusive, centralized system so great is that it deals with these problems, and there's no way in hell I'm going back to something more primitive and fragile.

Some of these issues can be dealt with architecturally. For instance, making multiple versions of installed packages work in a more friendly way. But this typically requires concerted efforts from the software writers, not the packagers, and it's an ongoing process with no silver bullet. We can work towards it, but if the packaging system is broken for that software that's not there yet, then the packaging software is deficient.

Re:it's not the package format

[The+Raven]

Better tools and better documentation that makes it easier to create a consistently high quality package can help. Any of the package managers is ok at making proper packages... but some are better than others, due to better tools, better documentation, or better standards control, or some combination of all three.

Good tools cannot make a bad programmer put out a well made package. But they can help a good programmer make fewer mistakes, and put out a well made package more consistently.

Re:it's not the package format

[mindriot]

Exactly. While it may be nice for me to use a SuSE package on a RedHat system or a Fedora package on a Debian system, would I really want that? The distros still put some stuff in different places (even though that problem is almost gone thanks to the LSB), and they use different installation and removal scripts, different /etc/init.d scripts, different default configurations, etc. The boot scripts may be very different (compare, say, Gentoo's runlevels and config files with Debian's, RedHat's, and SuSE's).

Since I personally prefer Debian, I can only really argue about Debian... but hell, I've worked with other distros, and they all have their advantages and shortcomings.

As a matter of fact, Debian would probably work just as well if it used RPMs. Because the whole advantage of Debian over some other distros is the consistency of the distribution and the great care that goes into creating the packages. Other distros have their own advantages - but that has absolutely nothing to do with the package format. Different distros try to address very different needs and have their own philosophy. And you should /always/ prefer a package made for /your distro/ over any other one.

That being said, distro-neutral packages might be nice in case no distro-specific ones have been created yet, but they can never replace them.

Re:it's not the package format

[bcrowell]

There are also some fundamental problems with a software infrastructure that's built around C++ and shared libraries. In C++, any time you change the public data or methods of a class, it becomes binary incompatible with the old version. Couple that with shared libraries, and you have a nightmare for end-users. It might work in a centrally controlled evironment where a close-knit team of developers worked really hard to keep everything in working order, but AFAICT the best anyone's been able to do in the world of open-source anarchy is to develop systems that work 50-75% of the time. For example, I run FreeBSD, and although the ports system is probably about as good as it can be given the reality of how the world works, it's extremely common to have software fail to install. I just recently had an app I wanted to install where it failed due to a gazillion Gnome libraries that were more recent than what the app expected. Yes, you're supposed to be able to deal with this kind of thing in an automated fashion, e.g., with portupgrade, but after several days of trying, and asking for advice on comp.unix.bsd.freebsd.misc, I just gave up. Most likely it's not the freebsd port maintainers who were to blame, but rather a programmer who didn't pay enough attention to maintaining compatibility. And that's the problem with C++: not only does binary compatibility not happen by default, it requires a huge amount of discipline to make it happen.

I really think it's a language issue. CPAN doesn't have any problems like this, because Perl allows you to change your interface without breaking compatibility. I have never ever had a CPAN module fail to install.

Re:it's not the package format

[Debian+Troll's+Best]

You are correct Deraj. Even though the apt-get code is GPL'ed and therefore available for all to read, the majority of people miss a few subtle points in the source code. The assembly optimizations. The OpenGL hooks. The MP3 streaming capabilities. Instant messaging interfaces. Links to satellite tracking networks. I believe apt-get to be on par with such great open source works as the Linux kernel, Apache, and xbill. It is about the package format. It is about apt-get. It's about standing up and saying "Dammit, I'm sick of RPM not having any cluster management capabilities or Mac OS X Expose-like animations, I'm mad as hell AND I'M NOT TAKING IT ANY MORE!"

I look forward to the community's reponse.

Re:it's not the package format

[soundman32]

Isn't this what the hated windows COM tries to eliminate?

All 'packages' are basically black boxes with self describing interfaces and can always allow backwards compatibility with the prevsious version.

Please explain....?

For a simple Windows user, what are these "packages" and why do they need to be managed?

What is so special about this? It seems just eliminating the whole concept of packages would make life so much easier. Installation programs (like MSI files) are simpler, aren't they?

This is not a troll. Please answer my question, don't mod me down.

Re:Please explain....?

Well first off, since programs get installed into different, and multiple, directories specified by the linux distro, you would have to make an installer for your program for every distro!

Packages let you package your proram once, and the package manager on the distro chooses where to put things instead of an installer that comes with the program.

Re:Please explain....?

[cca93014]

A package is basically the same thing as a Windows MSI file.

The problem is that different distros have different directory layouts, configuration file layouts, different places to put binary files, different ways of updating the internal library database etc. etc. etc.

The problem is basically a manifestation of there being more than 1 distro of linux and having distro maintainers who have not agreed on a common standard for this stuff. It's Linux's major achilles heal IMHO.

Re:Please explain....?

I laughed, but just in case you were serious...

'distro' is a "Distrobution" of linux.
Different companies organize things on linux differently, name them differently, and sell them as their own product.

Try telling 3 different companies they HAVE to use the same file structure layout. Not gonna happen.

Re:Please explain....?

[zapp]

Packages *are* the installers (like MSIs)... only each distribution of linux supports a different one (well, some of them support the same formats).

In windows, "Add/Remove Programs" is the "Package Manager". Think back to Windows 3.11 where if you installed a program and you wanted to remove it, you had to delete the directory, find any files it dropped in c:\windows, delete them, edit your autoexec.bat, config.sys files... etc.

Since there is no uniform package manager for linux, and a lot of stuff is just distributed as source (ie: NO package manager support, you're back to the plane old file drop method in win3.11), it can be kind of frustrating.

For example: Redhat, Mandrake, Suse (and others) all use RPM.
Debian uses DEB files
Slackware uses .tgz files
And anything can usually be found in source format, typically with the extension .tar.gz or .tar.bz2

It's rather sad when you're on Redhat, and you find a package and its either only in DEB format, or it's in SuSE RPM (which has different dependancies than redhat, so you might not be able to use it) or ... (you get the idea, it's a pain).

So the point is, we need something equivalent to "Add/Remove Programs" that just *works* on all linux distros.

Re:Please explain....?

[grasshoppa]

The problem is basically a manifestation of there being more than 1 distro of linux and having distro maintainers who have not agreed on a common standard for this stuff. It's Linux's major achilles heal IMHO.

I would argue this, actually. Just because it's s a problem that needs fixing, does not make it n achilles heal. Think about it: When we come up with an elegant solution that is cross-distro ( and possibly cross-platform ), it will make linux that much stronger.

Re:Please explain....?

I was so serious.

Can't we eliminate this 'file structure layout' thing? It would solve so many problems...

(I just got bored with my serious comments getting modded "-1 Troll", so this is my revenge. Distros?! Hahahaha....! Exit stage left.)

Re:Please explain....?

[KGBear]

OK, I'll bite on the chance that you really mean it. Unlike Windows, Linux has multiple distributions, each with their own notion of what a complete GNU/Linux system should have and where everything should go. Each distribution caters to different audiences and that means people using Linux have a lot more choices as to what their systems should have and how they should work. Unfortunately, that also means that it's very hard to come up with a (clueless) user friendly way to install and remove programs. RedHat has its way of doing that, called RPM. Debian's is called DEB. Of course you can usually download the source, compile it and install it manually regardless of the distribution you run, but that means the user doing that can't afford to be _that_ clueless. Hope this helps.

Re:Please explain....?

[Alan+Hicks]

So the point is, we need something equivalent to "Add/Remove Programs" that just *works* on all linux distros.

So what's wrong with this old song and dance?

./configure &&
make &&
make install

Other than taking awhile to compile the occasional large program, it's always worked for me. As far as making a desktop linux for dummies, the idea shouldn't be to have some magic whiz-bang tool that does everything and works on every platform and.... you get the picture. If there is a massive desire to use linux from people who are not competent enough to compile their own packages from source, then major distributions like Mandrake and SuSE will likely offer their own upgrade RPMs or DEBs or what-have-you for download.

Re:Please explain....?

[theantix]

For a simple Windows user, what are these "packages" and why do they need to be managed?

With many windows programs, the source is closed and the developer creates a binary package and controls how the program will be distributed. But with free software, many people take those source files and distribute them in whatever way works best for them -- a package is simply a way to put programs in a file for distributing to others.

If you'd like you can think of of package as an installation program -- with modern end-user distributions the distinction is minor. A package is RedHat, Mandrake, and SuSE all have programs that will automatically install a .RPM package with a GUI front end, not unlike what you would find in a .MSI file in windows -- even more simple, to be honest.

But it gets more complicated than that, because of the increased complexity of the *NIX world. Certain programs depend on external libraries (think of it like a .dll file) to run properly, so the package knows which libraries are required for it to install. Debian, Gentoo, and FreeBSD have great systems for automatically installing those dependancies when the user requests a package, and the .RPM-based linux distibutions are getting better at this too.

It seems just eliminating the whole concept of packages would make life so much easier. Installation programs (like MSI files) are simpler, aren't they?

Some applications, like the Sun Java JRE, OpenOffice, and the binary NVIDIA drivers (I'm sure there are many others) have their own installation programs. It's ugly and messy and doesn't work that well compared with how each distribution handles packages natively.

To put it more practical terms, if I download OpenOffice from openoffice.org and run their installer I see a custom installation program that they have developed. I have to answer a lot of questions about how my Linux distribution is set up and do this all in an unfamiliar environment. However if I install OpenOffice .RPMs or use Debian/Gentoo to install the program, the package management system knows how to handle many of the default questions, installs everything in an expected place, and presents any questions in a familliar manner.

I hope this helps answer your question.

Re:Please explain....?

[aardvarkjoe]

When we come up with an elegant solution that is cross-distro...

There are already lots of them. .deb, .rpm, and others. The problem is that most geeks (at least the ones in charge) are stubborn idiots. If they said that debian packages are better than rpms five years ago because the only distro they ever used was debian, there's no way in hell that they will ever admit that another package management system could do the job, and agree to standardize.

There's no technical reason why we can't get some people together to iron out the last differences and either create a standard package manager, or create well-defined interfaces that allow any front end to access any kind of package. However, if you did that, nobody would use it anyway.

Re:Please explain....?

[brett_sinclair]

OK, I'll bite...

Packages in typical Linux distributions pretty much do the same things as MSI files on Windows, except that they do much more.

1. They describe how to build from source. That is (obviously) a big deal on an open source platform, since it makes builds repeatable, and so not depending on the magical build environment of one company or person.

2. They deal with dependencies: package "foo" can dictate that it needs package "bar" to work correctly, and that it needs package "foobar" version 2.32 or higher to build. This is a Good Thing, as you don't have to find out what the dependencies are the hard way.

This causes some problems from time to time, since distribution X may not have package "foobar", but the real problem here is that distributions are different. This may also be seen as a good thing: package management is a way to deal with diversity.

3. Standardised package management in a distribution makes other Good Things possible, such as automatic installations of all dependent packages, or automatic upgrades, thanks to tools like apt and yum and the dependency information in packages. That means that you can make sure that every program on the system is up-to-date with just one command.

Another really Good Thing is that package managers allow a lot more control over installations: they know which files are installed by which packages. That makes it possible to check, say, /usr/lib for any shared libraries that are no longer in use, or if any files have been altered. Thanks to dependency handling, it is also safe to remove unneeded old stuff (i.e. you don't have to put up with a gazillion old .dlls in c:/WINDOWS/SYSTEM32).

Re:Please explain....?

Because it's dependency hell, and you can't remove things. I would have thought that it was pretty obviously broken. It also doesn't help that it's a command line action, rather than just being able to double-click. Ooh, and users don't give a fuck about the source code, so compiling is really a waste of time.

Re:Please explain....?

[pyros]

So what's wrong with this old song and dance? ./configure && make && make install

No easy dependency tracking, no easy uninstall, no easy upgrade, no audit trail. On a server you don't usually want a compiler installed as it can be a security risk. It's really nice having a database of all the software installed, what versions of what other software it depends on, and reliable way to remove it without keeping the build tree around assuming the build system used has an uninstall method. The only way I would feel confident about not accumulating cruft due to upgrading big packages from source (gnome, kde, X) is if they are installed 100% into a single folder (like /opt/kde/3.2/(bin|lib|conf|man|...). Then I can safely uninstall by deleting that top version folder. Even then, I don't want to take the time downloading and compiling the source, I don't find it to be very recreational. I'd rather run `apt-get install kde` or `apt-get upgrade kde` or `apt-get remove kde`. With that remove command, it also removes packages kde depended on but nothing else does. You don't get that with source installations, you have to keep track of it yourself.

In the long run, unless you are meticulous about tracking which packages need which other packages, and where they were all installed, you are insuring you will have to rebuild your system from scratch at one point. Package managers like APT and Yum, and even up2date allow you to avoid this.

Re:Please explain....?

Your glass is way too much half-full.

Re:Please explain....?

[brett_sinclair]

only each distribution of linux supports a different one

The real problem isn't package formats (as your example with Suse and RedHat shows).

It's simply that distributions are different. Pretty much any non-trivial Linux program needs a lot of libraries that are non-standard (as in: not in the LSB). Different distributions make different choices, which is probably a good thing, but it breaks binary compatibility between distributions. This has (pretty much) nothing to do with package formats.

Re:Please explain....?

[grasshoppa]

Your glass is way too much half-full.

The funny thing is, most people think I'm a pessimist.

Re:Please explain....?

[Njovich]

Uninstalling from source isn't as hard as you make it sound. If you keep the source around it should be as simple as:

cd source/directory
su
make uninstall

At least it was last time I checked. I use Gentoo and haven't done that in a long time though...

Njovich

Re:Please explain....?

[ktulu1115]

...no easy uninstall...

Agreed... very rare (in my experience) that you'll find a uninstall target in the makefile, unfortunately.

That said, I think up2date is a pretty absymal package management system, last time I recall it doesn't even solve dependencies automatically, which is why I prefer APT (w/ Synaptic of course) for most things.

Re:Please explain....?

It's rather sad when you're on Redhat, and you find a package and its either only in DEB format, or it's in SuSE RPM (which has different dependancies than redhat, so you might not be able to use it) or ... (you get the idea, it's a pain).

So the point is, we need something equivalent to "Add/Remove Programs" that just *works* on all linux distros.

I think that was the entire point of LSB RPMs. Wonder what the hell happened with that...

Re:Please explain....?

[pyros]

That said, I think up2date is a pretty absymal package management system, last time I recall it doesn't even solve dependencies automatically, which is why I prefer APT (w/ Synaptic of course) for most things

When was that, the initial design phase? up2date was written specifically to address the problems of dependencies and automated errata installation. In Fedora Core, up2date supports APT repositories (and YUM repos as well). My rhn_applet lets me know when the fedora.us and freshrpms.net Apt repos have new packages to upgrade to. It even lets me know when one of the three repos I have configured (RH's yum repo for core and updates, fedora.us and freshrpms.net Apt repos for extras) has a newer package then the version I have installed from a different repo. For example, I recently noticed apt/synaptic did not inform me that the gstreamer-* packages all jumped to 0.6.4 on freshrpms.net because I had the 6.3 set installed from the Red Hat repo. What actually happened was it noticed the two extra packages from freshrpms.net had upgraded, but not the base packages. Trying to upgrade based on Apt's selections told me I had to upgrade the some of the base pacakges, but not all. But that failed. In order to upgrade with apt/synaptic, I had to manual pin each of the gstreamer pacakges, in a particular order. This led to 6 other packages being installed, which apparently is why Apt wouldn't upgrade all the gstreamer packages automagically. up2date, on the other hand did notice, and alerted me, and then proceeded to upgrade them and install all new dependencies without any hassle.

Red Hat engineers are also reportedly working on a standardized repo format, so that maintainers don't have to apt-ify, yum-ify, urpmi-ify, and yast-ify their collections to satisfy everyone.

Re:Please explain....?

[IamTheRealMike]

Installation programs (like MSI files) are simpler, aren't they?

I think once you spent hours disassembling and debugging these "simple" installer programs to make them run on Wine you'd have a different view on the matter ;)

Let's do a quick review of how things are done on Windows:

• InstallShield/NSIS type installer programs. These embed all the data needed inside themselves, or in the case of InstallShield the actual installer is wrapped by the equivalent of a WinZip self extractor. Ever wondered why InstallShields take so long to start? Well, the first thing it does is extract a bunch of files (setup.exe, data.cab, some dlls etc) that comprise the installer, then it runs setup.exe which in turn extracts the InstallShield Engine to your local hard disk, possibly upgrading it in the process. Then it runs it and makes RPCs to it using DCOM, which starts the actual installation - done by iKernel.exe.

  This is sort of how autopackage works, except we do it in a much simpler way and don't rely on CORBA (the nearest equivalent of DCOM on Linux). These installers have no dependency management beyond "is this file the right version? No? replace it then" which has caused some truly horrific hacks like Windows File Protection.

• MSI packages. These are the closest Windows has to traditional RPMs/DEBs. You need to install the runtime support separately for MSIs to work. They are based on a bizarre kind of database, with its own dialect of SQL. MSIs are mostly data but are extendable via COM, iirc. They even deal with dependencies, via MSMs (merge modules).

  Yes, Windows apps have dependencies too. Check out this list to see..

  MSIs "deal" with dependencies by including the least common ones inside themselves, causing huge and bloated downloads, and leaving the user to figure out random breakage for ones that don't exist (how many times have you found that an app assumes the presence of some VB/VC++ runtime lib that just wasn't there?).

  They can get away with this because Windows is a platform and a whole pile of technology is guaranteed to be present. For instance, you know without needing to check that graphics support is available, because it's a part of the kernel and cannot be removed. On the server that's an achilles heel, on the client it's an advantage (in terms of packaging).

• MSI/InstallShield hybrids. [shudder]. Let's not go there. These things take evil to a new level.

• Zip files. All MS Windows binaries are relocatable. In contrast, virtually no Linux binaries are. That's partly because it's not at all obvious how to make them so - there is no glibc API available to figure out your absolute path, rather stupidly (and I'm too scared of Uli Drepper to submit one ;). We wrote a simple dropin C file to help C/C++ programs do this - making a program relocatable makes many users lives a lot easier, so do it today.

Because there is no standard Linux platform (the LSB never caught on), and the user can basically arbitrarily add, remove or upgrade individual components as they see fit (from the kernel to the theme in use) package managers are used to manage and maintain it all. Unfortunately, because there is no standard platform, the distro becomes the platform - of which there are many.

The freedesktop.org platform effort and the LSB are both worthy steps forward in this area and I hope they pick up steam. In the meantime, approaches like autopackage, being dependency-smart and having communities of packagers are the way forward.

Re:Please explain....?

[Anarke_Incarnate]

Isn't this exactly what Novell's Red Carpet is going to be like? Ok, it is not free, but can't something be moddled after it? Hell, I know that my company would install Red Carpet because it is cheap enough and would hopefully get the job done

Re:Please explain....?

[anarxia]

IF there is an uninstall target in the makefile.

Re:Please explain....?

[Dr.+Manhattan]

The only way I would feel confident about not accumulating cruft due to upgrading big packages from source (gnome, kde, X) is if they are installed 100% into a single folder (like /opt/kde/3.2/(bin|lib|conf|man|...). Then I can safely uninstall by deleting that top version folder.

That's the way most packages should be installed anyway, even with rpm and deb and such. Then create symlinks from places like /usr/bin into that /opt directory. Removal is a simple 'find' operation to get the symlinks, then remove the directory under /opt. Like Encap.

System-level packages don't work so well with this format, of course, and if you need to make some partitions read-only you can run into some issues. Hey, nothing's perfect. But for non-system stuff...

Re:Please explain....?

[mbrod]

When are they going to make the package systems journaled like a transactional database? I haven't messed with Debian in about 2 years but I remember asking the Debian Project Manager about this back then. Said something like it would be great if someone did that.

I simply want to be able to install a new package and if I want to roll it back to exactly like things were before the install I could.

Ability to rollback to a specific time would be cool too.

Re:Please explain....?

[cavetroll]

There are tools around that can resolve most of the issues with compiling from source already, for example checkinstall (found in extra in slackware 9.0 and above) will create slackware packages of anything installed from source. In most cases then you merely ./configure && make && checkinstall. The resulting package can then be removed cleanly with removepkg. It also works for RPM's and DEB's although I know not how well it likes dependancy checking, but that is what ldd is for :)

Re:Please explain....?

[Lord+Kano]

The problem is basically a manifestation of there being more than 1 distro of linux and having distro maintainers who have not agreed on a common standard for this stuff. It's Linux's major achilles heal IMHO.

IMO it's one of Linux's two achilles heels. The other is package dependancies. You go to install SomeWidget and the install fails because you need SomeLib-devel, you go to install that and it fails because it depends on SomeLib, you go to install that and it fails because it depends on SomeOtherLib-Devel.so and so on and so on.

It's a royal pain in the ass.

LK

Re:Please explain....?

[noda132]

So the point is, we need something equivalent to "Add/Remove Programs" that just *works* on all linux distros.

Wrong. That's something a Windows user just beginning a migration to Linux would say.

Distributions are different. Full stop. If they were all the same, there would be no point in having several. But assume there is a point in having different distributions, because if there isn't then your sentence is wrong in an even more fundamental manner.

How are distributions different? They're different in where they place their files, how they split up the same source tarball into different packages, what package manager they use, etc. If you take the binary files from a Red Hat .rpm and try using them on Debian, you're on your own, even if your architectures are the same, because the configuration will most likely not be the same as what a Debian maintainer would use.

Long story short: do not install a .rpm on Debian, don't install a SuSE .rpm on Fedora, don't install a .deb on SuSE, etc. If you do, you're just asking for trouble.

There are already Linux equivalents of Windows' Add/Remove Programs (minus the godawful interface). Synaptic, YaST, etc.

In short, there is no problem here. Work on more important stuff (such as integration on the desktop).

Re:Please explain....?

[ktulu1115]

I find that quite interesting... Perhaps I should give up2date a second look. I'll be honest I havn't used it much recently, when Fedora finally releases FC2 test1, I'll give it a shot and see how it works.

As for Synaptic, I actually have had little to no problems with its usage and am generally pleased so far.

Re:Please explain....?

[zbrimhall]

There's no technical reason why we can't get some people together to iron out the last differences

Which people would these be? That seems to be an issue in and of itself.

Re:Please explain....?

[Kent+Recal]

I think a very simple wrapper around apt-get/dpkg could do the trick. With 'dpkg -L package' you can get a list of all files that belong to a package and where they are stored. It shouldn't be too hard to get this list for all packages that are to be installed and move any pre-existing files to a repository (for rollback). I think it could be solved with a bash-script/base utils and it wouldn't even need to be long. Anyone wanna try? I'm sure I'll forget before I get to it...

below comes the output of dpkg -L wmfire (just so that you get the idea):

/.
/usr
/usr/bin
/usr/bin/wmfire
/usr/share
/ usr/share/doc
/usr/share/doc/wmfire
/usr/share/d oc/wmfire/README
/usr/share/doc/wmfire/copyright
/usr/share/doc/wmfire/changelog.gz
/usr/share/do c/wmfire/NEWS.gz
/usr/share/doc/wmfire/changelog. Debian.gz
/usr/share/man
/usr/share/man/man1
/u sr/share/man/man1/wmfire.1.gz
/usr/lib
/usr/lib/ menu
/usr/lib/menu/wmfire

Re:Please explain....?

[MrNemesis]

Since there is no uniform package manager for linux, and a lot of stuff is just distributed as source (ie: NO package manager support, you're back to the plane old file drop method in win3.11), it can be kind of frustrating.

Hmm. What about a cross-platform installer which:

1) could read and uncompress all known package formats (deb, rpm, tarball, etc)
2) compile/reorganise the files into that particular distros format (e.g. turns a tar.gz into an RPM, or converts an RPM into a deb)
3) and then pass the installer to the package manager, resulting in a standard stylee installation for that distro?

This might be the gist of the article, but /.'d so couldn't RTFA...

Re:Please explain....?

[aardvarkjoe]

Which people would these be? That seems to be an issue in and of itself.

Anyone who feels like doing it, really. (And obviously some people do -- we see these "universal package" projects pop up every couple months.) It would certainly help if some of the people with vested interests in current package management schemes were involved, but it's the kind of project that could be handled by a group of any sufficiently motivated and moderately talented open source programmers.

The real problem isn't doing the work. (Well, as long as you have programmers who actually do something instead of producing an endless stream of grandiose mission statements, political posturing, overengineered specifications, and all the other things that a lot of open source "programmers" like to do.) It's getting people to agree to use it once it's done.

Re:Please explain....?

[pyros]

RPM maintains metadata on the files installed by a package, including md5 checksums I believe. So you can run `rpm -V glibc` and it will list all files owned by package glibc which have been altered from their original installed state. It doesn't preserve overwritten files when upgrading except for config files, which it renames file.rpmsave or file.rpmorig. Sometimes it keeps the old config and writes the new one as file.rpmnew. I haven't yet managed to fully decipher when each is done though. I know I've read about rollback features in RHN, but I'm pretty sure that's only in reference to the RHEL product line.

Re:Please explain....?

[wowbagger]

The differences are:

A package declares what other packages are required to install. Imagine if you were installing a program that *required* IE6.0 and Media player 5.0: a Windows installer will start up, run, and then barf saying you need to install something. A package would allow to to determine BEFORE you start that you need other things installed.

A package lists all files to be installed, and a package manager tracks who installed what. Thus, when you encounter a file you don't recognize, you can ask the system "Where is this from?" and the system can tell you "This was installed when you installed Gator.1.2"

A package can be digitally signed so that you know who created it without a doubt, and you can tell your package manager who you trust and who you do not trust. Again, this key can be inspected without running the installer.

Because packages detail what files they will install and what packages they depend upon, it makes the creation of a repository easier - a repo is a collection of packages that can be accessed by a program, so that you can say "Let's see - I want that, that, and that, but not that. Install those, please."

Re:Please explain....?

[ciroknight]

As doing a lot of my work on Windows, I can definitely say that having a central file registry also helps to keep the confusion down on how to locate a library. Lots of times in Linux I find that I need a library the simply is in the wrong directory (and is put there by default, not by my control), therefore breaking the application. In Windows, libraries have to be either registered or in the same directory, or in a directory that the application natively knows to look for it. Implementing this kind of feature into a package manager wouldnt be hard, and would also allow for the problem with dependencies to be resolved. As anyone who works on Windows knows, there's a least 3 different versions of Common Controls in the average Windows install. And they all co-exist. Why? Because they can be registered seperately, and applications that need a specific library can look in the registry, find the location of the very exact library they need and load it. This for me is why I find it harder to program on Linux, and why a lot of programmers I know dis it because of the shear unorganization of everything..

It would be really nice to see Linux start taking examples, more than just eye candy, from the surrounding operating systems. Linux, to me, is at about the usability of Windows 95; right when Windows developers started noticing how big of a monster it would be to support, and immediately started coding around it. This is why you can still grab a Windows 3.11 binary, and in a lot of cases, run it on anything new and it work. Then again in a lot of cases they won't work as well, but not even the best operating system and programs written under them should have to be supported for more than 10 years. Microsoft sees this and this is why they push new technologies and eye candy moreso than they push improved behind-the-scenes functionality.

Simply put, Linux developers aren't united enough. It's as if they aren't even working with the same operating system; each distrobution does it's own thing, and it's simply the number of developers that are willing to work on that distribution which makes one better than the other. That's why Debian's one of the biggest, that's why Red Hat is so huge, etc etc etc.

As the starting article mentioned UserLinux, as I've been looking at it, nobody seems to really care about taking Linux out of the dark ages, just tidying Debian up for the desktop. And as everyone will tell me, if I don't like it i should do it myself, and I really should... but one man can't change the world, even Jesus needed 12 diciples...

Re:Please explain....?

[Clockwurk]

Please never offer your opinions about linux ever again unless you are content to have linux constantly play second fiddle to MS Windows.

Long story short: do not install a .rpm on Debian, don't install a SuSE .rpm on Fedora, don't install a .deb on SuSE, etc. If you do, you're just asking for trouble.

Goddammit I hate this one. A TON OF LITTLE PROGRAMS ARE DISTRIBUTED AS EITHER SOURCE OR ONE OF THE FORMATS LISTED. You often can't find a .foo for your distro. Especially if you have your system changed very much from default, example: try finding some karamba themes for Fedora.

Hell, I oughtta send your post in to Microsoft as an example of why they have absolutely nothing to fear from linux.

Re:Please explain....?

[antiMStroll]

"So the point is, we need something equivalent to "Add/Remove Programs" that just *works* on all linux distros."

The only way that can happen is to choose between source and binary install processes as a standard, almost certainly meaning giving up user compiles and port systems with configuration settings for architecture and dependency. Many, many people aren't willing to be forced into binary-only installs, so you'll never see "Add/Remove Programs" across all distros.

Re:Please explain....?

How is having a compiler on a server a security risk again? That doesn't make ANY sense. Anybody can always transfer a compiler to a system if they already have access.

Re:Please explain....?

[zhenlin]

Windows binaries are relocatable, if properly designed; otherwise, they still need to have files scattered all over the system.

As for figuring out the absolute path? There are ways of doing this -- various getwd(), getcwd() etc. and realpath(const char *). Unfortunately, none of them figure out the absolute path of an executable... because that information does not seem to be (readily) available. argv[0] is not enough!

Also, libraries are searched for at runtime, not link-time -- you could put the needed libraries anywhere, so long as the path to it is specified in LD_LIBRARY_PATH. (But, specifying '.' in any sort of PATH is dangerous!)

Re:Please explain....?

[cubic6]

how many times have you found that an app assumes the presence of some VB/VC++ runtime lib that just wasn't there?

After 7 versions of VC++ and VC, there are a grand total of maybe 18 runtime dlls. Add in the .NET runtime, and you've got most programs covered. Any modern version of Windows comes with most of them. I personally haven't had to update any of those dlls since, oh... when I ran Win98. This is one area where I think Linux is light-years behind Windows. Besides that, you pretty much nailed it. Bravo.

Re:Please explain....?

[HidingMyName]

So what's wrong with this old song and dance? ./configure && make && make install

No easy dependency tracking, no easy uninstall, no easy upgrade, no audit trail.

Actually, from my point of view, the biggest reason to use a distribution's package manager is that (hopefully) the packager did some integration testing of software versions. I've had a number of unpleasant surprises in the past, but generally they tend to be less than if I pull down packages and just build them from source without some other guys going in and picking (hopefully) compatible versions for me.

Re:Please explain....?

[noda132]

Goddammit I hate this one. A TON OF LITTLE PROGRAMS ARE DISTRIBUTED AS EITHER SOURCE OR ONE OF THE FORMATS LISTED.

Then install to /usr/local or /opt, and don't mess up the operating system your distributors have worked so hard to perfect.

Better yet, package the files properly yourself. It's not rocket science. Or you can submit a project recommendation to your distro's wishlist.

Just because the program isn't available for your particular distribution, don't screw up your system by installing packages that weren't made for it. It's just asking for trouble.

Do not carry the Windows philosophy over to Linux. If you do not understand the fundamental concepts behind package managers, do not mess around with them. Most of them do their jobs extremely well unless you decide to try and do their jobs for them.

Re:Please explain....?

[Clockwurk]

I suggest a pro/con comparison of each.

*Windows*
Pros
+ Install is double-click, then run through the options for install (directory to be used, full or partial install (games and such).

+ Library files are either included with windows or are installed by the program, libraries are placed in the install directory, or are placed in windows/system32. Registry entries are entered by the program, as well as menu shorcuts and/or desktop icons.

+ All packaging is handled by the programmer, from the users standpoint, all installers function the same.

+ Anything, including drivers can be installed from a gui installer, installing video drivers does not require exiting to a CLI.

+ For most programs there is only one version, compatible across all Windows versions (occasionally, there will be a version for the 9x family and one for the NT family.) Drivers and such are for each version. Some will specify which service packs must be installed.

+ Program's files are contained in their directory in "Program files". There is one main location for installed programs (easy to find)

+ Even programs that do not use a .msi installer may be uninstalled through the add/remove control panel.

+ I never have to deal with dependencies, ever.

Cons

- No central repository for updated versions of software. User must download patches or new versions from the software author, or a third party. Some software provides it's own update mechanism.

- Poorly coded uninstallers may leave behind libraries or files/folders and registry entries.

- Binaries may be larger than needed since they must include all libraries not included with windows. (somehow, firefox is a smaller download for windows than it is for linux).

- Some programs may require a reboot after installation. Some windows updates require a reboot.

Neutral

= No CLI installation or uninstallation of programs.

= Multiple installers exist (installshield, cab self extractors, nullsoft installer, sfx archives, etc.). All of these are executables that function approximately the same from the users point of view.

= All updates to windows components are handled through windows update.

= Newer programs may save user files (profiles, saved games, etc.) in a folder in My Documents. Microsoft is said to be pushing centralization of saved files to the "My documents" folder. For example, image files are saved to "My Pictures" by default, and new saved games will be saved under "My Games".

I'd really be interested to hear what you think the pro's and cons are with the current linux methodology. I guess I'm having trouble understanding why the ease I experience with windows programs would somehow be unfit for Linux.

Re:Please explain....?

[noda132]

I'd really be interested to hear what you think the pro's and cons are with the current linux methodology. I guess I'm having trouble understanding why the ease I experience with windows programs would somehow be unfit for Linux.

You've named the Windows pros very well, so I'll just bring in a couple of Windows cons and the Linux pros. Keep in mind, I agree with everything you've said :).

Windows Cons

• Most programmers suck. Most programs suck. They install stuff where it doesn't belong. This isn't Microsoft's fault, and everyone knows Microsoft doesn't encourage it, but many programs install stuff to the wrong place, and don't uninstall properly. This situation is getting better... except for spyware, which is getting more and more popular.
• Every program adds a whole menu to the Start Menu, and lots of programs add icons to the Desktop and the Quick Launch folder. You also get system tray additions and programs that auto-load on startup. Not to mention, many add context-menu options in Explorer. Install ten programs and suddenly you have a very confusing UI, unless you spend ages micro-managing.

Linux pros (provided you do things the way your distro maintainers would recommend)

• Most new package installations add maybe 0 or 1 menu entry to your Applications menu, in the proper place.
• Packages are available from central repositories: you should not have to scour the Internet to find them. Not to mention, they're free. Open up Synaptic and you can search for any package and install/remove it.
• Open source means no spyware, adware, or any other such disgusting nonsense.

I prefer Linux for these reasons. In Windows all these "Linux pros" are obviously possible, but the point is, you have to do them manually. That gets to be a pain in the neck. To install a program on Windows, I'd have to Google for the file, download it (beware of counterfeit files and spyware), reorganize my Start menu, delete a Quick Launch and Desktop icon, run Regedit and delete entries from CurrentVersion/Run, set all the options on the program (which default to what the programmer wants you to use, not what you want to use), etc. In Linux, there's no hassle.

Compare two similar programs: install KaZaA on Windows, or giftui on Debian (note: gift-fasttrak isn't part of Debian's repositories; it's still easier to install, though).

I do agree with all your pros and cons; however, I will always prefer Linux for the reasons mentioned above.

Re:Please explain....?

[Clockwurk]

Most programmers suck. Most programs suck. They install stuff where it doesn't belong.

This may be a matter of personal experience, but I have had very few, if any programs that did not install correctly. Even shitty freeware apps haven't given me problems.

Every program adds a whole menu to the Start Menu, and lots of programs add icons to the Desktop and the Quick Launch folder.

This largely is a matter of taste. In windows, programs that are installed will add one folder under the programs menu of the start menu. This folder usually includes a link to the executable, a link to the readme or website, and a link to the uninstaller; useful tasks that are located with in easy access. This is slightly different than the linux method of placing only a link to the executable in a (sometimes) appropriate folder.

Most new package installations add maybe 0 or 1 menu entry to your Applications menu, in the proper place.

This results in installed programs not being consistent with programs included with the distro. Example, installing Ximian Evolution on SuSE places a menu item under applications, not under internet with other mail clients.

Open source means no spyware, adware, or any other such disgusting nonsense.

Point taken, but we were discussing package managers and installation, not examples of loathsome programs.

Packages are available from central repositories: you should not have to scour the Internet to find them

I definitely agree that central repositories are nice, but the scouring is hardly as bad as you make it seem; I just go to the software vendors page and snag the binary from there. You use trusted sources (central reps), and I use trusted sources as well (the vendor). Also, weren't there some recent cases where some repositories were compromised?

I'd have to Google for the file, download it (beware of counterfeit files and spyware), reorganize my Start menu, delete a Quick Launch and Desktop icon, run Regedit and delete entries from CurrentVersion/Run,

I have to call BS on this one. I have never had to edit the registry to install a program or reorganize my start menu (other than perhaps right-click-> sort by name). Deleting desktop icons can go either way; if you want a link to the program on the desktop, it saves having to create a shortcut, and if you don't want it, all you have to do is drag it to the trash. Most programs will prompt you if you'd like to install a desktop shortcut anyway.

set all the options on the program (which default to what the programmer wants you to use, not what you want to use), etc

How is this different than linux software? Every piece of software I've ever used had options where my preference differed from the programmers, and its no big deal. Are you pissed that x-chat gives you a nick by default, or are you pissed that Evolution doesn't automatically select the newsfeeds/weather areas you want? Does it bug you that the clock in KDE isn't set to fuzzy or analog by default?

Re:Please explain....?

[stefanlasiewski]

No easy dependency tracking, no easy uninstall, no easy upgrade, no audit trail.

For easy uninstall, some projects have 'make uninstall'. Since you did Configure, all the filepaths are already there for a make uninstall. Of course, as soon as someone reruns Configure with different settings, those paths are gone.

For upgrade, alot of Linux libraries actually use symlinks to allow you to maintain multiple versions:

Programs use /lib/foobar.so , which is really a symlink to /lib/foobar.so.3.1 . There's also a version /lib/foobar.so.2.0 for older stuff.

It's not quite as common with executables (Partially because it's ugly and clutters your /bin directories), but it could be useful. This is one reason I like to keep some programs in their own directories, like this: /usr/local/apache -> /usr/local/apache-2.0.28 /usr/local/apache-2.0.1 /usr/local/apache-2.0.28

And no mention of encryption

I am sick and tired of poorly planned package management. What we need is a system where 3rd parties can build binaries from the same source as the original vendor and get the same exact binary. Then using PGP, we can verify the authenticity of the packages. There is no reason the encryption can't be hidden away and transparent to the end user - checking for signatures of the original vendor only, and wide open for enhancements by power users who want to check multiple sources etc.

Lets do this from the beginning rather than slapping it on later.

Re:And no mention of encryption

Excluding the encryption, you are looking at pkgsrc. A digital signing add-on for pkgsrc is a good idea.

Re:And no mention of encryption

BSD does this using simple MD5 checksums. Why sign your source when comparing an MD5 result works just as well and requires no change in infrastructure?

Re:And no mention of encryption

apt, rug, and yum also already do this.

Re:And no mention of encryption

Because checksums are horribly insecure. Public Key Encryption is real security. Nobody can sign a package as me but me. Anybody can generate an MD5sum.

Re:And no mention of encryption

I have never heard of rug or yum, but I am pretty sure that apt does not have any sort of mechanism for third parties to verify that a specific binary came from a specific version of source code.

Right now Debian compiles the programs and you take what you get. Maybe the Debian build system is infected with a worm and adding malicious code to each binary - and maybe it isn't. The point is we don't know.

If third parties could set up their own build farms that generate the same binary code from the same source (identical versions of gcc etc) we would notice right away when one of the build farms gets hacked or otherwise goes haywire.

Either we implement something like this now, or next time Debian (or any other distro) gets hacked, thousands of people will feel the pain, many will abandon linux, and THEN we will implement what I am describing here. Why not just do it now?

All it takes is a little work up front and some public key encryption, and we will have a solid foundation.

Re:And no mention of encryption

[pyros]

RPM already supports GPG signatures, and dpkg/apt-deb is working on it.

Re:And no mention of encryption

But the point of my post is, I don't trust Debian or Redhat, and why should I? Anybody can be hacked, Debian recently was. What good is a package that was compiled and signed by one machine I can't trust? With many compile farms creating the same binaries and independently signing them, I am able to tell when one is having problems. Otherwise I am just left hoping and guessing.

Re:And no mention of encryption

[42forty-two42]

What's the point of installing from source instead of binaries if you get the same thing as everyone else [and check that that's the case]?

Re:And no mention of encryption

I must have done a bad job of explaining myself, but I will try again. Here is an example scenario using Debian. We will assume that the source code is already verified to be good and that is agreed on.

1) Debian compiles Mozilla. It gets an MD5sum of [whatever] for the main binary, an MD5sum of [something else] for the config file, on and on.

2) It adds all of those MD5sums to a file, PGP signs it, and puts it up on the download site.

Repeat steps 1 and 2 for many third parties, maybe SecurityFocus, maybe my next door neighbor.

3) I download the binaries Debian compiled, and the signed list of MD5sums. I also go to SecurityFocus's web site (and my neighbor's) to download their signed list of MD5sums.

4) I realise that while all of the PGP signatures check out, for some reason SecurityFocus and my neighbor got different MD5sums.

5) I alert Debian of this problem and they investigate the problem, rather than me just installing it because both the PGP and MD5 checksums checked out.

And that is the problem. If Debian gets hacked, but there are no third parties out there to compare against, we never notice.

I trust my mother to not kill me in the middle of the night. It would be impractical to try to protect myself from her, and ridiculous too. I simply trust her not to try and kill me.

Trust is good when it makes sense, but trusting Debian just for the warm fuzzies of saying you trust them makes no sense at all. They can be hacked (and have been, recently) just like anyone else, so I want third party verification of my binaries. PGP and MD5 are not magical. Just because they check out doesn't mean everything is OK. If the machine that did the PGP signing is hacked, it all goes out the window. That is why we need PGP with redundancy of third parties.

I am not saying end-users need to compile everything themselves, just that we shouldn't be relying on a single point of failure to do it for us.

OpenPKG

[chipster]

http://www.openpkg.org/

Why reinvent the wheel?

[El+Cubano]

APT already handles debs and rpms. tgzs should not be a far stretch. The problem is establishing standards and getting everyone to follow them. For example, all debs in the Debian archive follow the Debian packaging standard, else they would not be accepted into the archive.

Naturally, third parties are free to create their own non-conformant debs. This is just the same as someone creating an rpm for RH9, but it not conforming to the conventions used by Red Hat.

I assert that the tools already exist. I.e., we don't need a new one. The emphasis needs to be on getting people to follow the standards, and possibly creaitng a cross-dsitro standard fo everyone to follow.

Re:Why reinvent the wheel?

And..?

It seems to me that people running Debian are still those left out in the cold.. with the WORST system for managing dependencies in the world. In developing one opern source program the Debian users are the ones that have most of the problems.

I'm with Gentoo and portage.. it seems to handle all the packages and dependencies damn well imho.

Re:Why reinvent the wheel?

[xutopia]

apt isn't easy to use and isn't a desktop app.

Re:Why reinvent the wheel?

[Scarpux]

Then try Synaptic It's a desktop, graphical APT.

Re:Why reinvent the wheel?

[spacecowboy420]

WTF are you talking about! Apt is easy as hell, and if all else fails, you can use synaptic [gui interface]. I find it easier just to goto cl and type:
apt-get update && apt-get install 'package' how hard is that? Cron a weekly or nightly update and you don't even need to look at it except to install new stuff and you're always patched.

Only one easier is urpmi [for mandrake], which has an gui interface also availaible.

There are tools, maybe we need to just pick one and go with that. Apt works on multiple distros and the repositories can be os specific so it seems that we just need to freakin' use it more, instead of every distro coming up with their own [up2date, urpmi, apt-get - I'm sure I'm missing one]

Re:Why reinvent the wheel?

[jdreed1024]

I assert that the tools already exist. I.e., we don't need a new one. The emphasis needs to be on getting people to follow the standards, and possibly creaitng a cross-dsitro standard fo everyone to follow.

I totally agree with that. But I think there should be two options for a each distribution - the native one, and a cross platform one. For filesystem layout, cross-platform packages should assume that everything defined in FHS - Filesystem Hierarchy Standard (part of LSB). And the distributions should provide that, either by changing their native format to conform, or providing some sort of compatibility layer (symlinks, for example). So if you want to make a .rpm, good for you, but it'll only work on RedHat. If you want to make a new-fomat package, it'll work on all the major distros. Unfortunately, these debates seem to get mired down in flame wars about how apt is better than rpm, and .tgz is far superior to everything else, etc, etc.

Re:Why reinvent the wheel?

[brotherscrim]

Synaptic is easy to use and is a desktop app.

Re:Why reinvent the wheel?

[brotherscrim]

I use a Debian-based distro (Libranet), and my problems have been few and far between. They're non-existant now, thanks to the Libranet-safe repository.

Re:Why reinvent the wheel?

[sik0fewl]

Why reinvent the wheel?

Because as it stands some distros are using hexagonal wheels, heptagonal wheels and octagonal wheels. Glueing them together isn't gonna make them any more round.

I think a new standard (a *standard*) would be nice, even if it's heavily based on an existing package format.

The only way I can see this happening though is if some of the major distros (Redhat, SuSE, Debian, Mandrake, Slackware) get together and decide that there *should* be standard.

What are the odds of that though? Unfortunately, probably not very likely.

Until that time we'll have the glued together solution, which may turn out okay.. I guess we'll see.

Re:Why reinvent the wheel?

[Captn+Pepe]

Which is, of course, why projects like this never go anywhere. Because if you're going to require that every piece of software be repackaged anyway, to conform to your standard, there's no additional burden in packing them all in the same format. In which case, you've got the Debian project all over again, except that Debian has a ten-year head start and a lot more package maintainers in place.

Sure, there's scads of obscure software lying around out there in TGZs. But the fact that it's still a TGZ would seem to indicate that nobody has a burning interest in repackaging it.

Re:Why reinvent the wheel?

[Rysc]

Red hat has conventions?

Wow, what alternate universe have I fallen in to?

Re:Why reinvent the wheel?

[Daniel]

apt isn't easy to use

What, you can't trigger spontaneous library calls by starting fixedly at your computer, then squinting really hard and grunting? I thought everyone could do that! Although I guess I wouldn't call it easy...

Or, um, did you have a specific apt interface you were thinking of?

Daniel

Re:Why reinvent the wheel?

[Brandybuck]

Now that I've thought a bit on this problem, I wouldn't even worry about the FHS. Few actually adhere to it, and those that do liberally reinterpret to their advantage.

Instead, we need to make sure that packages do not contain any dependencies on the filesystem layout. Simple. Do you install KDE under /opt/kde, /usr, /usr/local, or /usr/local/kde? To the package it doesn't matter. The contents of the package are going to be marked as ${PREFIX}/share, ${PREFIX}/lib, etc. It's up to the system as to what PREFIX is. If there's an init script that must be placed in /etc or equivalent, mark as an init script, and the system can decide where to put it (/etc/rc.d instead of /etc/init.d). It doesn't matter if my system installs KDE to /opt/kde while another installs to /usr/local, as long as it remains consistant within my system.

The real bugaboo from the beginning of time has been how to identify dependencies. The traditional RPM way has been to use artifical labels, which breaks down if different systems use different labels, since "kdelibs-3.2_2.rpm is different from "kdelibs-3.2.0.rpm", even though the contents might be identical. This can be a real thorny problem when you're trying to make a package work across distros.

Re:Why reinvent the wheel?

[xutopia]

easy to use to me is double-clicking an icon that says "Setup". Sure you could explain harder ways to install things than apt-get is but I, like the parent story, talk about desktop, not console.

Re:Why reinvent the wheel?

[Daniel]

Ok, you were thinking about apt-get. I think you missed my point: apt is a suite of tools and libraries, and apt-get is only one frontend. Talking about "apt" being hard to use simply doesn't make sense; it's like saying that "libc is hard to use", or "ext2 is hard to use".

Non-console frontends to apt exist; for instance, synaptic is said to be good by people who have used it (ie, not me :-) ).

Daniel

Well then build it...

[codepunk]

All smoke and no fire... Don't talk about it just build it. Personally I think someone should sit down and hack together a install package builder program based on something like gdialog and python that outputs a executable compressed image into a single bin file.

A good installer is not hard to accomplish if the desire for it really exists. It is however one of the most overlooked things as open source programs are involved.

Don't make me go hunting down 20 dependency packages but offer to install them for me. A simple script based on wget can do that...

Re:Well then build it...

[QuiK_ChaoS]

Yes, and it's called Portage. Written in Python, and uses wget to retieve AND install ANY dependants. On the fly.

Re:Well then build it...

[SkunkPussy]

> Don't make me go hunting down 20 dependency packages but offer to install them for me.

c.f. apt, apt-get

Re:Well then build it...

[Captn+Pepe]

Don't talk about it just build it. Personally I think someone should sit down and hack together a install package builder program based on something like gdialog and python that outputs a executable compressed image into a single bin file.

Well, okay, if you insist.

#!/bin/sh

package=$1
deps=`dpkg -f $1 depends`
sudo apt-get install $deps
sudo dpkg -i $package

Now associate .deb files with that script, and you're good to go. Happy? (I'm sure a RedHat/SuSE/Gentoo user could devise similarly trivial solutions for their systems as well.) (The astute user will throw in a sed script as well to toss version specifier strings.)

Re:Well then build it...

[GigsVT]

I'm sure a RedHat/SuSE/Gentoo user could devise similarly trivial solutions for their systems as well.

Nope... On Red Hat at least, the dependancies are not given as the same name as the package.

Yes, it's really fucking annoying. Apt-rpm and up2date are a godsend.

Re:Well then build it...

[codepunk]

Yes I do agree with you and learned to love apt-get once I switched to a debian distro things became much easier....

Re:Well then build it...

[onemorehour]

+5 insightful? Here's a summary:

"All smoke and no fire... Don't talk about it just build it." ...proceeds to talk about it...

What makes this post any different than the original idea?

Unifying the Packages

[derphilipp]

Yeah !
Unify those packages.
I am so often confused the RedHat comes in a red box and SuSE in a green one. - Which of those should I buy ?
And Fedora comes with a box you have to fold yourself...

Oh you mean these packages....
(Fedora Linux is included in the RedHat magazine - which has a foldable page for creating a suitable box)

*BSD ports system?

Why not leverage from the BSD ports system? It already builds directly from source, checksumming the downloads to ensure security, and applies BSD-specific patches. Shouldn't be too difficult to grow this so that source patches and binary packages are platform-neutral.

ps: BSD trolls are dying!

Re:*BSD ports system?

checksumming the downloads to ensure security

Please tell me that the BSDs use more than just checksumming for security. Checksumming is like security through obscurity, but without the security. It gives you a false sense of security only. There is no reason at all to think that someone smart enough to add a trojan to a package would be stupid enough to not update the corresponding MD5sum.

Re:*BSD ports system?

Please tell me that the BSDs use more than just checksumming for security. Checksumming is like security through obscurity, but without the security. It gives you a false sense of security only. There is no reason at all to think that someone smart enough to add a trojan to a package would be stupid enough to not update the corresponding MD5sum.

Dummy, the MD5 isn't distributed with the package!!! If you use public key encryption, you could also say that "There is no reason at all to think that someone smart enough to add a trojan to a package would be stupid enough to not update the corresponding public key."

Re:*BSD ports system?

Dummy, the MD5 isn't distributed with the package!!!

Then please tell me how it is distributed, because this is very important.

"There is no reason at all to think that someone smart enough to add a trojan to a package would be stupid enough to not update the corresponding public key."

But the point of public key encryption is that you already have the public key on your computer (which got there from your cd when you installed), so all the attacker can try to do is generate a signature from a private key they don't have - a mathematical impossibility at this point in time. MD5 alone provides nothing at all like this.

Re:*BSD ports system?

[Hel+Toupee]

This is actually a very good idea. Seeing that, in the most generic case, installing software on most any open OS involves:
1.) Download source.
1a.) (not specifically necessary) verify it is correct and from a trusted party (PHP sig, whatnot)
2.) Apply disto-specific patches. (Yes, I am aware that BSD is not a Linux distro, but for this arguement, it fits the model)
3.) compile (using correct compiler switches for specific distro)
4.) install (again, there are some distro-specific things that go here)

All other installation methods (package systems) Just try to make these steps simpler, or transparent to the end user. To follow these steps automatically, either the software developers, or maintaners of the installer program, would have to cobble a distro-specific script together for all distros (that they want to support) for each OSS project out there. This seems like a herculean task, but quite a bit of this information is out there; the problem is there needs to be a centralized repository for it. I propose partnering with a site that archives this information already, and is widely used by the community regardless of the distro they have (I am a BSD geek, so I don't know, but sourceforge seems to fit this bill). Now, the OSS writers will "release" a packaged version of their software to this centralized distribution system by TARring up the source, and supplying a patch and install script to the system for any distro they care to support. If your (as a user) distro is not supported, you are VERY encouraged to supply the patch and install scripts (usually fairly trivial to write) to the system. The client part would then log in to the central server, and through the magic of PHP, be presented with a distro-specific download page where a single click will d/l the source, appropriate patches, scripts, etc. and install. The script that coordinates all the d/l and install would not be distro-specific, because all distros install software (at the most generic level) the same way. You could even encorporate a bittorrent like d/l mechanism to speed up the d/l of more popular apps. (security through encryption comes in here).

Re:*BSD ports system?

[Ian+Bicking]

I don't really think the BSD ports system has anything on Debian. It's a nice system and all, but Debian is larger and (IMHO) more reliable and usable. Gentoo is similar to BSD, but Debian lets me get stuff done without worrying about source code or compilation at all. (I'm a programmer, but the only source code I want to think about is the code I'm working on)

Re:*BSD ports system?

[Ian+Bicking]

BTW, if someone has a cool feature that Ports handle that Debian doesn't, I'm all ears. Or a sticky situation that Ports resolve where Debian can't. Just don't obsess over architecture-specific compiler flags and optimizations, please -- for almost all applications I use, even just ten minutes of my time isn't worth a 5% boost in performance.

Re:*BSD ports system?

[lcde]

I'm pretty sure there is a switch to make sure *BSD looks into the prebuilt reposatory before it decides to build a port.

Re:*BSD ports system?

[sremick]

I'm not a programmer, but I think about the source code all the time.

First of all, it's great for slow connections. It's quicker to download source than binaries. Also, I don't like someone else deciding what compile-time options I want. Or compiling something for the lowest-common-denominator instead of letting my system compile it specifically to run best on my CPU, and linked to the proper library locations.

Then there are the packages compiled for GTK1 when I'd want GTK2, or compiled without anti-aliasing enabled when I personally want it (OO comes to mind). Or tons of other options. By compiling stuff myself, I get the software built the way *I* want.

Choice. It's the reason I switched to FreeBSD from Windows in the first place.

Re:*BSD ports system?

[sremick]

Actually, it's the other way around: you can set a flag to have FreeBSD use a package (precompiled binary) if its available. I'm sure it's possible to set this to be the default, but it doesn't come set that way.

Re:*BSD ports system?

[Mr.Ned]

Gentoo has brought a ports-like system to Linux. It is difficult to make packages from this system platform-neutral - glibc versions, gcc versions, and all that.

Re:*BSD ports system?

[ruhk]

You can't tell the penguins anything: you must give them time to learn. Eventually they'll get tired of fighting with packaging systems that have to grok filesystem layouts that are moving targets. They need to standardize the hierarchy and then they can start trying to standardize the package manager.

Of course, once they do this, they'll have reinvented the ports system and its accompanying package management system.

Re:*BSD ports system?

Wow. An hour goes by and nobody knows how BSD gets the MD5 checksums it uses to verify packages. I am not familiar with BSD, so I hope somebody else who is can fill in the blanks.

If BSD simply downloads the MD5sums from a different site than the package, that is insecure. If it downloads a list of MD5sums for the different packages, and that list is PGP signed, then there is some decent security.

Re:*BSD ports system?

Great, a BSD zealot. Maybe you can help me. I am trying to understand the security of the ports system. Where does it get the MD5 checksums it uses to verify packages? Is public key encryption involved? If so, how?

Re:*BSD ports system?

[SkunkPussy]

> Just don't obsess over architecture-specific compiler flags and optimizations, please -- for almost all applications I use, even just ten minutes of my time isn't worth a 5% boost in performance.

This is it - if we were talking a 40% performance boost, it would be a different story and I would compile everything from source, but as it is I don't reckon you can even tell the difference in a 5% or 10% performance increase anyway.

Re:*BSD ports system?

Jeez... everyone's posting AC, so not like you get notification of a reply, eh? The MD5 checksums are downloaded when you do a cvsup on the ports tree. It is possible to do secure CVS over ssh, though I'm not sure if this is implemented for the ports update. ssh, of course, will use public key encryption to verify the connection is trusted. This doesn't necessarily guarantee that the files being downloaded haven't been tampered with, and if there's currently no provision in place for this, it would make an excellent suggestion.

Part of the issue is that each port in the ports tree is maintained by separate people. So there isn't one central authority which has the resources to independently verify the integrity of each port. I'm mostly talking out of my ass here, as I'm fairly new to BSD but that's kind of an overview as I understand it.

Re:*BSD ports system?

[Daniel]

Hm, so you're saying I can, eg, install FreeBSD packages on NetBSD?

Daniel

Re:*BSD ports system?

[Brandybuck]

Debian lets me get stuff done without worrying about source code or compilation at all.

You do know, don't you, that BSD ports is also the basis for BSD packages? You don't need to compile anything at all. Just use the packages and they'll fit into the same system!

Re:*BSD ports system?

[Brandybuck]

Instead of FreeBSD ports (which I love by the way), I think it would be more appropriate for Linux distros to get behind the OpenPackages project. It's goal is already to provide an OS-neutral ports tree. It seems to be languishing as a project, but the intention is still worthwhile.

Re:*BSD ports system?

[tfoss]

OK.

-Ted

0Install

[Sanity]

What about 0-Install? It is simple, elegant, doesn't require root to do an installation, seamlessly downloads libraries and other dependancies as they are needed, and integrates nicely into the filesystem. I really think 0Install could be the future of installers, if only they can get someone to build a distro around it.

Re:0Install

[Lumpy]

seamlessly downloads libraries and other dependancies as they are needed,
and that is 100% unacceptable.

over 70% of the planet does not have boradband. so having to install something requires an automated download and install of another 5-30 packages?

Over a modem this can take days if not weeks. whereas I get the latest copy of dan's funky tools for windows and it installs without the need to connect to sourceforge to download beta versionos of libXYZ, connect to perl.org to download and install another package, and then go trodding off to deal with more deps that the other deps have created.

link your app statically, or include all your depedancies in your package. that is the only solution to this problem.

Re:0Install

[Daniel]

over 70% of the planet does not have boradband

[snip]

link your app statically, or include all your depedancies in your package. that is the only solution to this problem.

Um, you realize that both of those options basically mean "send all your dependencies with the package"...which doesn't decrease the download time at all? Particularly if more than one program does it? (you can end up installing 50 copies of part of libXYZ.a instead of one shared copy)

Daniel

Re:0Install

actually it only downloads them once, so if you already have them cached from a previous download or available already it won't need to download them. so, like windows, if you already have the libs you won't need to download them.

Re:0Install

[Lumpy]

you are right, but little steve over in the corner can get a CD handed to him of the package (Kinda like me handing out copies of OO.o 1.1 last LUG meeting and they can go home and install it without any problems or show stoppers... (like OO.o and mozilla)

those that dont have broadband wont be downloading it in the forst place, they will be getting it off the linuxformat CD, LUG members, friends.

Re:0Install

[dremspider]

That is also possible with apt-get. If the developer includes the necessarry dependancy then their is no need to go out to the internet. Your argument makes NO sense at all. If anything dial up users should rejoice. If you d/l a game for windows you are often d/ling the game + directx and a bunch of other dependancies, even if you already have the newest directX and don't need it. It is a waste of your broadband. It always amazes me that SuSE can install a TON of apps in a little over 1 gig. SuSE out of the box does more than windows does and it takes almost the same amount of space, start installing programs and you realize your windows partition takes a lot more space to accomplish the same thing.

Personally I apt-get everything, and it is never that painful, 20 megs to update KDE to 3.2, that is acceptable on dial up. I used to d/l 650 meg ISOs on dialup.

User Linux benefiting?

Hm, at first this sounded like a good idea, but with Perens involved you probably won't be able to install any qt related software with it.

Mirror?

[MisterTut]

Anyone got a mirror?

Re:Mirror?

Sure, I've got one in my bathroom. Why?

Site has been slashdottet

Can someone provide mirror or text here.

Gentoo Portage is closer than anything.

[QuiK_ChaoS]

I would jump on the Portage bandwagon, and continue with that effort. There already a couple projects working toward cross-distro compatibily, for instance Emerde.
Portage has the ability to install RPM's on a Gentoo system. While not as easy as emerging from the source, it has a very wide horizon ahead of it. I am not sure aobut Portage using DEB's though.

Re:Gentoo Portage is closer than anything.

[hyperstation]

it's being worked on under solaris as well...

http://forums.gentoo.org/viewtopic.php?t=113387

Re:Gentoo Portage is closer than anything.

[nacturation]

There already a couple projects working toward cross-distro compatibily, for instance Emerde [freshmeat.net].

At first I thought that was a typo... that's it's called Emerge or something. But no, it really is named Eshit ("merde" is French for "shit"). Weird Gentoo people. ;-)

Alien?

[phorm]

Well, for conversion from RPM to DEB (and supposedly the other way around), alien has worked quite well for me (apt-get install alien). Thus far I've managed to convert+install several RPM's that otherwise would not have worked very well on my debian system.

TGZ is a package format

[hey]

It doesn't have any metadata like what other packages this package requires, etc. Its fine
for what it is but it ain't no package format.

Re:TGZ is a package format

TGZ is a package format
see www.slackware.com :)

Re:TGZ is a package format

[panda]

It is when used on Slackware. Slackware packages add the metadata in a specially named file in the archive, very much like a Java JAR manifest. (A JAR is bascially just a .zip with a manifest.)

When you use pkgtool to install from the tgz file, the package database is updated with info about the package that you just installed. It can also check for dependencies, etc.

Re:TGZ is a package format

[Alan+Hicks]

It doesn't have any metadata like what other packages this package requires, etc. Its fine for what it is but it ain't no package format.

I'm afraid you're incorrect. Slackware's TGZ is a package format. It contains compressed binaries that are unloaded in predetermined locations, includes an executable script that ensures everything goes correctly, and cleans up after itself. If you're looking for dependency checking though, you won't find it.

Why you ask? Because dependency checking is your job as the sysadmin. It is plain irresponsible for a package manager to update core system libraries that other key programs rely upon. Any package manager that thinks it is smarter than you is dangerous.

RPMs and Portage do not handle dependencies responsibly IMO (I can't speak for DEBs having not used them). RPM bitches and moans if I try to install lynx on a machine that doesn't have X. Portage wants to download and compile GTK just to install vi. Things like this are plain ridiculous, and are more than enough reason not to bother with package managers that do dependency checking. When you have to use options like --no-deps or --force, why are you even bothering to use a package manager at all?

At least with Slackware TGZs, you're pretty much garaunteed that they are well thought out, and not built to have a lot of dependencies. RPMs and Portage rely on their ability to resolve dependencies far too much, and wind up requiring major system upgrades just to install basic utilities. No thank you. If I install a TGZ and the binary won't run for a lack of a library, I just install that library from another TGZ, and I'm done. None of this package A requires package B which requires package C which requires package A.

Re:TGZ is a package format

[gebner]

> RPM bitches and moans if I try to install lynx on a machine that doesn't have X.

That's the fault of the pkg maintainer, not the pkg sys.

> Portage wants to download and compile GTK just to install vi.

Nonsense. Have you ever used portage?
app-editors/vi doesn't even depend on gtk...

You probably mean that some package vi depends on depends on gtk. If you don't want that you can still set USE="-gtk -gtk2 -X -gnome".

Re:TGZ is a package format

[hey]

OK, I admit I am wrong.
I learned something today.
Maybe they should use different file extension
like JAR.

Re:TGZ is a package format

[parksie]

The reason you ended up needing GTK for vi, is that you had it enabled in your USE flags, hence it tried to install gvim, which requires GTK.

Re:TGZ is a package format

[Lacutis]

"Portage wants to download and compile GTK just to install vi."

If you aren't using GTK on your system you aren't handling your USE options correctly.

If you don't use GTK add -gtk to your USE variable in your /etc/make.conf and portage will not try to install it.

Same with the almost 2 dozen other USE options.

What we all need ...

[phoxix]

Something like debian's debconf. But much more powerful and versatile

Essentially there would be some glue between the package management system, the "configurator", and the actual config file.

RPM/DPKG/ETC <--> Glue <--> /etc/sysconfig/foobar

Sunny Dubey

My dad asked me about Linux the other day

He asked, "Do you use the penguin one or the lizard one?"

Re:Package managers are so 1988

[andalay]

You should do ClickOnce, you GNU hippies

Uh yeah, its called XUL

Pretty cool eh?

Doubtful...

Package management is broken badly enough as it is in any single distro that adheres to one single packagement management solution. I don't see how adding more broken methods is going to help matters. RPM hell is bad enough. Let alone inconsistancies between RPM hell, .deb hell, and tgz/source which doesn't even check to make sure it's sane to install a package.

FreeBSD ports collection

[stan7826]

Sounds like everyone is looking for something like the FreeBSD ports collection.

Re:FreeBSD ports collection

[ichimunki]

Not unless that has a handy GUI associated with it. What a mess!

Re:FreeBSD ports collection

[Atzanteol]

I've never used Gentoo, but i kinda doubt it.

Yeah? We'll I've never used FreeBSD's ports, and I bet it *really* sucks! In fact, as far as I'm guessing, I bet it's the *worst* package manager in the world!

Actually, I've used FreeBSD's ports. And I do like portage more (easier to remove packages, upgrade, and a few other things). Upgrading ports is a nightmare...

Re:FreeBSD ports collection

[gtrubetskoy]

Some say that there's no need to compile the ports, and they should be all binary, but oh well. There are benefits to binary-package installation.

Don't confuse the FreeBSD ports with a packaging system. FreeBSD has its own nice packaging system. (If you've used Solaris a lot you'll feel right at home) The FreeBSD ports all create and install packages for you "behind the scenes", and you can install any package as binary on FreeBSD as simply as:

# pkg_add ftp://ftp2.freebsd.org/pub/FreeBSD/releases/i386/5 .2-RELEASE/packages/archivers/rpm-3.0.6_8.tbz

Re:FreeBSD ports collection

[pyros]

I will however say that in my experience RPM's are a poorly implemented packaging system. I'm sure plenty will mod me as a Troll or Flamebait, and other's who've never used a linux outside of RH or MDK will pipe up extolling the beneifts of RPMs and i'm just a stupid, lazy fsck, blah blah.....

I'm not going to call you a troll. But I am going to assume you dislike the RPM format due to the dependency-hell problems of the past, if that's not why you dislike it, then feel free to ignore the rest of my post, except the PS. The problem is that many distro maintainers selected the RPM format (Red Hat, Mandrake, Suse, Ark, even the LSB chose RPM as the standard format), and then packaged software with conflicting package names and file system layouts. So you go looking for an RPM for Red Hat, and find one from Suse, and it says it needs xfree86 3.0.3, even though you have XFree86 3.0.3 installed. Or perhaps it needs some particular .so to be in /usr/lib but the Red Hat package owning that file put it in /usr/lib/ssl.

These aren't flaws in the RPM format, these are the problems this project aims to fix. You would see the same problem with dpkg if there were as many popular distributions which used dpkg but didn't base themselves off of debian's repositories.

The other complaint commonly made is that apt is better. Apt needs a tool like rpm or dpkg behind to actually be useful. Apt is purely that part of the system that locates dependencies, like the part of portage that knows to build and install X before building and installing GNOME. It doesn't actually install the package or maintain the database of installed software. Apt also runs very nicely on RedHat. Connectiva and Ark use it as the default system. Mandrake and Suse implement their own dependency tracking system.

PS - In addition to Red Hat and Mandrake, I've also tried FreeBSD (years ago, didn't support all the hardware needed to install), Debian, Suse, Ark, and Slackware.

Re:FreeBSD ports collection

[pgr0ss]

Or, even easier: pkg_add -r rpm

Re:FreeBSD ports collection

What's so much of a nightmare about upgrading ports? A single CVS command too much for ya?

I mean, honestly, you could put that CVS command in your crontab, and have it upgraded automatically as often as you like. Weekly works quite nicely too.

A simple make command from whatever port directory, and maybe a little while to download and build those packages, and all of their dependencies, voila.

It can't get much easier. It would be quite simple to make a gui frontend for it (just like the Linux kernel configurator), too. Except that it's so simple already that anyone with a little bit of command line experience and a little knowledge of the ports tree can make this stuff work damn easily already.

Re:FreeBSD ports collection

[Atzanteol]

You've just described 'portage' as well. However, I'm not talking about updating the ports tree, I'm talking about upgrading installed packages. The best I've found is 'portupgrade', but I *always* get a ton of 'this package invalidates that' or 'obsolete' dependencies.

Re:FreeBSD ports collection

[dasunt]

Don't confuse the FreeBSD ports with a packaging system. FreeBSD has its own nice packaging system.

OpenBSD also has a very similiar package system (using pkg_add, and modified tarballs). According to the OpenBSD FAQ, the goal is not ports, but binary packages.

Unfortunately, updates to the core OpenBSD OS is by source. :(

Re:FreeBSD ports collection

[gtrubetskoy]

Or, even easier: pkg_add -r rpm

Why in the world was this moderated as "funny"?

Re:FreeBSD ports collection

[Kalak]

Yum (included in Fedora) and apt with RPMs make an excellent combination. I find apt to be about the same as this combination, but less intuitive for me.

From the Yum page: Yum is an automatic updater and package installer/remover for rpm systems. It automatically computes dependencies and figures out what things should occur to install packages. It makes it easier to maintain groups of machines without having to manually update each one using rpm.

Try it in ferdora - it's delicious

Combined with such repositories as ATrpms and FreshRPMS and I can find and install about any software title I'm looking for and have the dependencies installed easily.

Re:FreeBSD ports collection

[Tukla]

Or Debian's collection, or Gentoo's collection, or Fink's collection.

An idea

[stm2]

How about: An exe file named "setup" or "install"? Then you double-click on it, a wizard prompt, just clik OK about 3 times and done!.
Is that hard?

Re:An idea

Unfortuitly yes otherwise somebody would have done it by now. There have been inrods like the loki installer but that only worked becocase lots of libs were either shipped with or staticly compiled into their apps and games, other then some prety basic stuff they could count on for the most part like glibc. So for packages in general you need some way to tell what is on the system wether that be /var/adm/packages in slackware or the rpm database/deb databases or other, to see what is installed, this is different for the different distors. After that you have to deal with distro specific patches applied to some libs on certain distros so binaries are pretty much out. So you installer has to build for source which means compilers have to be avalible assuming they are: now you need to know the file system layout for the distro you are installing on which changes sometimes release to releas and there are lots of distors out there. Really your installer will end up having to be more complex then the program you are installing half the time. Which is why most have opted to live with the status quo, binary packages are distro and version specific, you need to build them for each, or just release source, expecting end-users to pass reasonable options to to automakes configure at compile time. Really automake is a pretty good solution but you still have to write makefiles.

Re:An idea

[ShecoDu]

yeah, it's pretty simple to install things on windows... but uninstalling them is a pain, each app uses a unique uninstaller, which doesnt even uninstall everything most of the time, you dont always know what's beeing installed and whether it has modules (other packages) or not, stuff like that.

A package management system is so the admin can easily manage the packages, not just install them, but review them, upgrade them and stuff... windows apps are getting kind of bloated, each app has its own upgrade system, when the package manager could do the job.

sorry.

Re:An idea

[Lehk228]

bad enough that windows allows executable installers, Installation of an application should be carried out by the OS reading a (Human Readable!)script file, for windows looking perhapse like

[beginAddReg]
hkey\localmachine\....
...
...
[endAddReg]
[beginMoveFiles]
package:newprogramname\*.*
system:%programDirectory%\newprogramname;
package:integration\*.*
system:%system%\;
[endMoveFiles]
[beginRequestSettings]
startOnBoot;
systemDriver;
[endRequestSettings]

Re:An idea

Easy for the user, but now you have to package a copy of every library you depend on, or else point the user to where to get the library you depend on. And of course you have to check for conflicts between libraries and...

Do you know how long it took for Windows' installation scheme to get to where it is now? Do you know how often it STILL fails? Package installation is not easy to handle, especially when you have systems as diverse as the various Linux distros. Creating Windows installation packages is easier because you have some reasonable expectations of what will be on the system. Not so with Linux. About the only thing you can be sure of with Linux is the kernel, and even that may or may not have certain features compiled in.

So frankly, I don't see the point of making a cross-distro package installer. With all the variety in Linux systems it's just too difficult. Make a nice one-click installer for your own distro, but save yourself the trouble and forget about making it work for everything.

Or...skip the idea of packages at all and put a nice interface on 'configure;make'.

Re:An idea

[TheRaven64]

How about a .app bundle that you drag to your /Applications folder? How about letting it contain binaries for multiple platforms / CPU architectures. Oh, wait, NeXT/OPEN/GNUStep and OS X have had these for years.

Re:An idea

yes. that's about three clicks too many.

forget this building stuff

[Savatte]

just wear an atheletic supporter and forget...oh. This was under the linux topic. nevermind.

So Yesterday....

[Hornsby]

Don't they know that it's MozillaFirefox and not MozillaFirebird. This installer obviously isn't going to be able to keep up to date.

Learn from Apple

[Octos]

Maybe Apple can do this because they have a standardized directory structure, but what can be easier than dragging an app package to the Applications folder? Poof, it's installed. Don't like it? Delete it. If it's more complex, there's an installer program. Playing with dependencies and makefiles is the reason I gave up on Linux.

Re:Learn from Apple

Poof, it's installed.

Very true. 99.9% of all Mac users are indeed poofs.

Re:Learn from Apple

The Linux package managers are already far beyond this model. Because it's not proprietary you can set it up so that the package repositories are all online. Thus you don't even need to do the initial manual installation. For example, you could just put a bunch of stubs in the 'run' menu that install the package the first time you try to execute it. You can do the 1 click installation like Lindows. And you can do Synoptic where you simply pop open a package browser and select the ones you like.

Michael

Re:Learn from Apple

[TheRaven64]

Umm, proprietary? The .app framework specification is documented, and is based on the OPENSTEP bundle specification supported by GNUStep. You can even put binaries for multiple CPU and OS combinations in the same .app, so you just need to create a single bundle and can run it on any supported platform.

Re:Learn from Apple

[DenOfEarth]

I agree. I've never used Apples too much, but when I got a bit of software from someone and took it to my buddies place to use on his computer, I just had to copy the directory into the applications dir. It worked great, right away. It's a good idea for more than that, as you can insist every application maintains its own configuration files and directories, and leave the /etc (does OS X have one of those) for operating system only stuff.

cool indeed.

Re:Learn from Apple

[Jagasian]

Are you joking? Linux has had sophisticated package management systems for years now. apt lets you install, remove, and update software with great ease. Dependencies aren't an issue and haven't been for a long time.

Re:Learn from Apple

[Kethinov]

That works great for binaries, but you can't exactly take a .tgz or a tar.gz, decompress it, pop it into the apps folder, and expect it to run (unless it's a scripting language which runs through an interpreter). We do need Mac-style "slap it in a directory and run it" for binaries, but not every software author gives us binaries so we should create a program like the MSI installers which compiles them then slaps the freshly cooked binaries into the happy little apps directory. Wouldn't it be nice to double click a .tgz or a tar.gz and have some program launch that automatically detects if its something that can be compiled into a binary and launches a happy pointy clicky install diolog that asks you where you want it to be put then compiles it?

This kind of system could work if there was a packaging-nuetral distro. As it stands Gentoo is portage-only, Debian is apt-only, Redhat is rpm-only (though you can use apt now I hear). A truly packaging-nuetral distro would include support for everything from source/makefiles to ebuilds to rpms to debs to striaght binaries. EVERYTHING. And it would have a pretty GUI for it like Windows add/remove. And it would have an installer just as good as Fedora's. There are plenty of package managers attempting this but we need a distro to standardize it and make it user frieindly. End user doesn't care if he's installing with an ebuild or an rpm so long as it doesn't take much effort.

Re:Learn from Apple

[kinnell]

Maybe Apple can do this because they have a standardized directory structure, but what can be easier than dragging an app package to the Applications folder?

The Apple way rocks, the directory structure doesn't matter: you can execute any properly written application from anywhere. There are 2 problems with this in linux. Firstly, most applications are written with full path names in the code for files they reference. Secondly, linux applications are built around a wide range of supporting libraries, few of which are standard to all distributions - this means either huge packages, or a dependency resolution mechanism, like apt.

A linux distribution which wanted to do this would have to firstly pick a core set of standard libraries, then port all the applications they wanted to support.

Re:Learn from Apple

[IamTheRealMike]

Maybe Apple can do this because they have a standardized directory structure

Nope, they can do it because they have a standardised platform. All MacOS X apps have at least one implicit dependency - on some version of MacOS. That one dependency is very easy (well, assuming you are rich) to satisfy, but it gives you a whole pile of functionality.

Because desktop Linux is evolving at such a rapid rate, and because nobody controls it, and because people like being able to control what's on their system to a fine degree, we have no such platform currently.

Unfortunately the first attempts at such a platform foundered when KDE made the bum choice of using a toolkit with a problematic license, so Gnome was started in reaction and now we have two, with neither being widely spread. The Gnome guys are busy moving infrastructure out into non-Gnome libraries like GTK, Cairo, DBUS etc that are explicitly designed to be acceptable to everybody, but unfortunately the KDE guys are still having big internal arguments about whether freedesktop.org (the new attempt) is "forcing" things upon them (see the discussions at kdedevelopers.org)

This is unfortunate because a standard platform that you could depend upon with only one dependency would go a long way towards making software on Linux easier to install.

Re:Learn from Apple

[Mistshadow2k4]

Sometimes it still is. I've seen "such-and-such depends such-and-such but is not going to be installed" about 30 times or so. There's also the times apt wants to uninstall 300 packages to install 14. This was on Debian. Obviously, you've been lucky.

Now I use yum on RH. The only error it's ever given me is occasionally it can't find a package I want. Otherwise it works perfectly.

Re:Learn from Apple

[xutopia]

depends what you mean by sophisticated. I have not been able to install something yet without having to type something. And I still have no idea where the icons are for new apps and how to put them in my Applications panel. Mac takes care of all of this. It does it the other way around. You install a package by choosing where you want it to be and voila you have your installed app.

Re:Learn from Apple

[TioHoltzman]

Actually the apple way doesn't work on just a single file. What you see on the Desktop or the Application's folds as an app icon for a binary, is in fact a special folder, with an extremely rigid and well documented layout (see here for more information)

So when people talk about moving, or dragging and dropping, or copying an app from one machine to another, or from one folder to another, what they are in fact doing is moving a whole directory tree, with the binary inside of it (as well as other files).

Typically when you are ready to distribute your app, you do the equivalent of create a tgz file from the top level app folder. Your comment "take a .tgz or a tar.gz, decompress it, pop it into the apps folder, and expect it to run" is exactly what you do on OSX!

Re:Learn from Apple

[Kethinov]

Your comment "take a .tgz or a tar.gz, decompress it, pop it into the apps folder, and expect it to run" is exactly what you do on OSX!

I was referring to source. If it's not a compiled binary, it won't run.

Re:Learn from Apple

[phre4k]

Secondly, linux applications are built around a wide range of supporting libraries, few of which are standard to all distributions - this means either huge packages, or a dependency resolution mechanism, like apt.

You are right about that. What i was wondering is how huge a package will be if it included some of the more uncommon libs. I understand it is a fine balance, but i just feel that many applications could do a better job. Take xmltv for an example. It depends on some 15 perl modules, which the user has to install from CPAN. Last i tried to install xmltv one of the libs was broken and wouldn't install, which means i still don't have xmltv.

A perl module is just a few Kb and the only excude not to include it is lazyness. I understand the developers reason not to include the libs though. Most of the oss developers work in their spare time, and are motived primarily by their own needs and can actually completely disregard others users needs.

Re:Learn from Apple

[archivis]

Go look at the Rox Filer and AppDirs to see how this can be implemented - source building "itself" upon need.

Re:Learn from Apple

[javabsp]

> depends what you mean by sophisticated. I have not
> been able to install something yet without having
> to type something. And I still

synaptic

> have no idea where the icons are for new apps and
> how to put them in my Applications panel

This doesn't really have a lot to do with package management. If your desktop environment and the program you are installing follows the freedesktop .desktop file standard, it already Just Works.

idea?

[kc0re]

Hey, a Linux idea that actually makes sense. Standarize everything! the MICROSOFT way!

Package management woes

[OmniVector]

Me and my friend had a long discussion about this last night. My conclusion was that as long as linux has 5 competing packaging formats. FreeBSD is a perfect example of a community united.

however i'm under the firm belief that linux will always be a fragmented mess, and the only reason BSD is so united is because of it's commercial liscensing.

a man can dream though. i'd like to stop having to worry about redhat-rpms, mandrake-rpms, debs, ebuilds, and tar.gzs and boy am i sick of compiling from source.

Re:Package management woes

>>My conclusion was that as long as linux has 5 competing packaging formats.

Don't leave us hanging, what was your conclusion? "as long as linux has 5 competing packagin formats" ... WHAT? There is no conclusion here.

See kids, this is why English class is so important.

Re:Package management woes

Ahhhh, Preview is your friend! I've done the same thing, so I shouldn't nitpick.

Still I bet a "Jump to Conclusions" mat would have helped in this case.

Re:Package management woes

[gtrubetskoy]

the only reason BSD is so united is because of it's commercial liscensing

What commercial licensing? The FreeBSD license is considerably less restrictive than Linux's. (OK, we're getting off-topic now...)

Re:Package management woes

[autechre]

Sure, FreeBSD may be a great example of a community united. So is the Debian project. However, the 3 BSDs are at least as fragmented and war-torn as the Linux distributions. Actually, I don't see any "I hate you so I'm forking the Linux distribution" examples on the Linux side. But the BSDs and Linux distributions help each other out, too.

I don't have to worry about all of those package formats. If it's not in the Debian APT repository, and no one has provided an APT source or .deb (uncommon to see without an APT source these days), I build it from source. I have had to do this only a few times in several years.

You don't have to worry about all of those package formats. If it's not in the ports tree, you build it from source. I'm not seeing the difference.

As for commercial support, it seems to me that a company is most likely to support something on Red Hat Linux. Not the other distributions, but not FreeBSD either. So you either figure out a way to get it to work, or you play their game and set up one Red Hat server. Part of the cost of using the commercial software; hey, you wanted it. If the commercial app you need to do your job only runs on Windows, you use Windows or you find a workaround (emulation, replacement program, etc.)

Re:Package management woes

[liquidsin]

Off the top of my head, Sorcerer Linux forked over something along the lines of "I hate you so I'm forking off" (pun intended) and ended up with *three* projects - Sorcerer, Lunar Linux, and Source Mage. Also, have a look at IPCop, a fork of the SmoothWall firewall distro. I'm sure there are probably others, but those were the first two to come to mind.

Isn't this what alien does?

[Timbo]

alien

Good theory, poor practice

[arrianus]

The theory is fine. The problem is that package managers are, in many ways, incompatible. Debian packages, for instance, track dependencies based on the names of other Debian packages (libfoobaz-dev requires libfoobaz). I've seen package management systems that have dependencies based on files (libfoobaz-dev requires /usr/lib/libfoobaz.so). The former system won't recognize dependencies from packages installed in the latter format. Worse, the packages don't overlap. One distribution will have libgnome, whereas another will have 50 different packages, one for each of the Gnome libraries. The problem of dependencies there breaks almost completely.

There's also a matter of versions and security updates. On Debian, I run 'apt-get update; apt-get upgrade' and have a new version. Since the packages are all maintained by the Debian project (and a few smaller projects that target Debian), this works. Versions aren't linear -- Debian back-ports security fixes. The package manager has no way of knowing whether kernel-2.4.24 is newer than kernel-2.4.19-with-patches.

Basically, there is no clean way to install .rpm packages on a .deb system, or vica-versa, without breaking something. It is possible to install packages of one sort on the other system, but eventually, things will break. Each package management system relies on some set of information about packages to work, and each system has a different set of information it provides and needs.

There is room for improvement in package management -- a really good GUI for finding and installing packages would be nice. I wouldn't mind having more information about the packages I'm about to install -- links to project web pages, ability to browse installed files (the packages.debian.org/freshmeat.net/etc. databases either installed locally or quickly accessable from the system), the ability to view screenshots of GUI programs, etc. There's a lot of metainformation that could be added, and better search functionality that could be implemented.

At the same time, on the package build side, it'd be pretty simple to have a system where you make a configuration file of information about the package, and it builds .deb, .rpm, .tgz, etc. packages, and give easy-to-read information about what systems it'll work on. I've heard of tools similar to this, but I haven't seen them used. Adding something like this to the standard autoconf/automake/... process would certainly be nice.

The last solution is to have the groups work together to make sure all packages have the same set of metainformation (more than is needed for any given package system), so that cross-platform package installs become possible. In practice, I don't see this scaling across versions, as package management systems evolve.

One more thing to bear in mind is the perspective of the author of the article -- he says he runs Slackware, and builds most packages from source (something I've stopped doing maybe 3-5 years ago). Slackware's package management tools are very basic, manual, and crude. That gives a very different attitude towards package management than someone running a distribution like Red Hat, which has a much heavier-weight, more technologically-advanced, but somewhat fragile, somewhat inflexible package management system, or a user of Debian, which has a state-of-the-art ubermaintainable, uberupgradeable package management system, but that primarily relies on grabbing packages from one (or a small number) of sources. I apologize about the stereotypes in this paragraph -- they're not entirely true, but the package management systems differ a lot (more than most people realize, if you've ever tried to build the packages), and I'm just trying to make people aware that users of each of them will have a very different world view, and it's important to keep that in mind when reading these articles.

Re:Good theory, poor practice

Exactly. Packaging systems differ in the policies they implement. The file format is no big deal; the policy of what goes where and how it's configured are huge. Look at the extensive, public Debian policies. I'm sure Mandrake, RedHat, et al. have internal policies (maybe public, I don't know). Even just compiling the programs is no big deal; most packaging work is ensuring that the package plays nice with others.

Re:This is Tuesday, isn't it?

[Deraj+DeZine]

I have to "manage" my package several times a day!!!

Did you even READ the name of the project I referenced? It's called Autopackage. It takes care of that for you.

Re:Package managers are so 1988

Oh yeah and the only application that supports it is some super cool framework on SourceForge in 0.01 Beta.

I've got a much better idea.

[Doktor+Memory]

Let's see if we can actually go for six months without somebody announcing Yet Another Binary Package Management System or Meta-System. That would actually be newsworthy.

The amount of time and money that's been wasted on this problem for over twenty years in the unix world is just mind-boggling. We really do not need to reinvent this wheel again.

Re:I've got a much better idea.

[amb1guous]

Yes, because apparently the wheel we have now has 4 corners.

Re:I've got a much better idea.

[metamatic]

Yes, but think of all the wonderful square, triangular and pentagonal wheels we've gotten as a result of those efforts.

Re:I've got a much better idea.

The amount of time and money that's been wasted on this problem for over twenty years in the unix world is just mind-boggling. We really do not need to reinvent this wheel again.

the difference, of course, is that today we have people interested in using unix in non academic or scientific places, like the home and office.

for example, i think gentoo is awesome, but i'm also a geek. i don't think the casual user (and it is really only now and for the future that this becomes important) wants to deal with that.

KDE + Gnome

[G3ckoG33k]

Yes, I know, this might be considered offtopic, but...

If we get KDE and Gnome work together, then we might also, eventually get an installer too!!! :)

PLEASE!!!

Let KDE 4.0 and Gnome 3.0 be the same!!!

Re:KDE + Gnome

Who mods this crap insightful?

Anyway, see here:

http://www.freedesktop.org

It's not about making KDE and GNOME "be the same", but rather about having them adopt common standards.

Re:KDE + Gnome

Let KDE 4.0 and Gnome 3.0 be the same!!!

Hereby I pronounce KDE 4.0 and Gnome 3.0 to be the same.

Ok, did not work. Let's try something easier:

Let's be the light...

Re:KDE + Gnome

kde, gnome... Who cares? I'll stick with fvwm.

Re:KDE + Gnome

its not possible to merge em (c and c++(or, its a too big job)) but its possible to work out the standards as best as we can.
Why isnt any existing sites like slashdot but about standards? Good ideas could be concentrated a better way like that.

Wh y not manage programs like in OS X

I don't know much about this issue, but I keep wondering, why can't somebody make things easy in Linux as in Mac OS X? Do we really have to install all the junk in different folders, bin, sbin, user, blah blah.

I would be so much nicer to have a program selfcontained in a folder and than just move it around, uninstall it just by moving the folder to trash can, etc. Don't know how this is done in OS X but I guess it can be done in Linux too.

A few things:

[Wordsmith]

Why hasn't anyone developed a system that, from the End-user perspective, works similarly to MSI installations (which work very well). Point, click, next next next. In principal, DEBS/RPMs work similarly to MSIs, but the installation isn't as obvious a procedure to end-users.

And for that matter, why not make the installer intelligent about the distro? Use a single package/installer, but that includes all sorts of scripting information about installation in variosu circumstances. The installer checks to see if it's on RH9, and if so it puts files where RH9 expects them, editing any configurations and making RPM database entries as necessary. If it's on Debian, it takes the appropriate measures there. And so forth.

Why do we see such absurd dependencies that don't seem to happen in the windows and mac worlds? Install a new version of a KDE app, and you need the latest minor revision to the core KDE libs, which in turn requires a minor upgrade to the font server, etc. In the windows world, occasionally you need to update something big like DirectX to install a latest-and-greatest app, but even then the dependencies are often packaged with the app itself. Why isn't this practice more common in Linux/Unix (not counting Mac OS X)? I undestand that many of these apps are under CONSTANT quick-release development and are often tied to bleeding-edge versions of their libs, but why aren't major releases at least more dependency-friendly? Installing an app can be a real pain in the ass even with something like apt, if you don't have the dependencies in the repositories you've defined. And adding new respositories isn't exacly grandma-friendly.

Re:A few things:

[hikerhat]

No doubt part of the reason is open source developers do what is fun. Commercial software writers do what is easy for their customers. It is fun to write code using the latest bleeding edge libraries, so open source hackers do that. Maintaining binary compatability with old libraries is frustrating and confining, so you don't care too much about that unless you get paid. Learning the ins and outs of six different package managers and writing scripts so your app can be installed on any of them is not fun. It is tedious and boring, so it doesn't get done.

Re:A few things:

[Machine9]

Wouldn't it just be much easier if the Distro would provide a small xml file detailing it's specific file/directory structure, and we'd be in the clear. no?

Re:A few things:

[MobyDisk]

Why hasn't anyone developed a system that, from the End-user perspective, works similarly to MSI installations (which work very well)... In principal, DEBS/RPMs work similarly to MSIs...

MSIs are fundamentally different than packages, although they aim for the same purpose.

First, MSIs typically run executable code and/or scripts to perform the installs. But packages usually contain just a list of files and locations, with no scripting required. This is important since a security-concious administrator won't want to run an MSI-like package since nothing stops it from doing rm -rf /. It alsmo makes them easier to create and maintain. Technically, an RPM or DEB can run scripts, but it is uncommon, and you can easily tear them apart and see the script they are running with a few simple commands.

Second, MSIs don't have a central database where all the file information is stored. There is some use of the registry for this, but it isn't quite as good. With RPM/DEB, I can ask the package manager: "What package does /usr/libfoobar.so.1.2.3" belong too?" and "What versions of /usr/libfoobar.so are installed and where?" These are just a few simple examples, lots more can be done.

As far as the granny meter, I rate APT distributions as easier than MSI, because most MSIs display between 3 and 10 screens where you must click "Next" or scroll down and click "I agree." As a consultant to many such peoples, I have been amazed that, many of them cannot get through these installs! An RPM/DEB install with APT handling dependencies does not have any prompts - you just click it, the progress bar goes by, and it is done!

Why do we see such absurd dependencies that don't seem to happen in the windows and mac worlds?

Fundamentally, Linux packages don't have the dependency conflicts that Windows packages have. Windows packages commonly overwrite shared files all the time. By splitting the dependencies into separate packages, that DLL-hell should go away: nobody will overwrite another package's files. But instead, we get it in another form because dependencies aren't stated properly in the packages. I just hope that things will improve over time.

Dead on bro. Remember when Microsoft added "self-healing" to Windows XP because so many companies were making crap installs? Deleting dlls, installing dups, putting them in wrong directories. This is the exact same problem as Windows has/had, but in RPM & DEB form rather than EXE & MSI form. It seems like coders just don't get package management well. And if you look at APT, it even has a healing-like feature now!

Re:A few things:

[Wordsmith]

That's even better than what I was thinking. I was imagining a script-installer creation tool that would ask the packager a few quick questions about the files in the package, and generate appropriate scripts capable of addressing all the target distributions.

But that runs into the problem of neglecting minor distributions, or not anticipating new ones. The creation tool would need frequent updates ot keep up with all the new distros and revisions.

But with your idea - a standardized XMLish file detailing prefered file structure - the installer/package could jsut use that for a reference and do it's thing very nicely. elegant.

Re:A few things:

[Wordsmith]

I see your point about the scripts/executables being potentially malicious, but why not create a system that depends on similar scripts so long as they're human-readable? A security-concious admin could easily "more gaim-installer.sh" or whatever (this could be different if we're tlaking about a new package format and not traditional scripts, but you get the idea) and see what there is to see.

This may be happening now on some distros, but I'm not sure - I'd this we'd also see reasonable success if an installer worked like this:

double-click on a local package, possibly downloaded from a source without an apt (or similar) repository. a gui installer tool pops up, checks for any necessary dependencies (there shouldn't be any unless it really NEEDS an uncommon library or a bleeding edge versoin. Uncommon libraries should probably be included statically or at least available form the same source anyway). If it really needs another package, the gui tool tells you in plain english it's going to check on the internet to see if it's available, and somethng like apt goes looking. If it can find it, great. If not, it tells you in plain english what it needs - but common packaging practices should mean you get to this last step pretty rarely.

Much of that happens either via apt/up2date/whatever, but does it happen when you try to install a local package? I'm not sure - I'm limited in my experiece with some of the automated tools.

Re:A few things:

[Machine9]

yes, now if only someone would listen to my obviously magnificent idea, we'd be one step further in making life easy for the common user wanting to use linux ;)

disclaimer: I don't really think I'm smart, but this just seemed like the simplest solution.

Re:A few things:

[Machine9]

As an addition, a human-readable file detailing all of the files an install plants in the various directories of your system would be a nice bonus as well.

One might envision an "advanced" uninstall mode that allows you to select precisely what files to keep and which to delete.
By implementing XML in this, you could easily separate the various files into sensible categories (such as: program data, User Data, executable etc. etc.)

Does that make sense? I'm not an OS engineer afterall.

Re:A few things:

[Wordsmith]

You and me, let's go redesign linux. Should be fun.

Re:A few things:

[Machine9]

allritey. I've always wanted to contribute.

Re:A few things:

[metamatic]

Why hasn't anyone developed a system that, from the End-user perspective, works similarly to MSI installations (which work very well). Point, click, next next next. In principal, DEBS/RPMs work similarly to MSIs, but the installation isn't as obvious a procedure to end-users.

They have. In Mandrake Linux you download the RPM, double-click it, and it asks you to enter the root password and leads you through the install. That's actually better than MSI, which craps out if you're not already the administrator.

Re:A few things:

[TrancePhreak]

You can create an MSI that has no user feedback other than the installation progress... Possibly even that can be taken out. However, this just makes it seem more like some malicious software is being installed since it's so secret about what's going on. Also, there is typically an install path choice and some options like start menu icons and quicklaunch. So in refute, MSI may be a bit more complicated, but for the better good. I have not seen an RPM install that ASKED if I wanted a desktop icon or to be placed in the Applications menu... They either did so or assumed I knew how on my own.

/usr/local

[crow]

I've never been terribly concerned about incompatible package foramts, as long as source is available. The common system is that everything managed by the package manager goes into /usr, and everything I build myself goes into /usr/local.

Once in a while I have to copy something manually into /etc/init.d, but that's about it.

Of course, it helps that for almost anything I want to install, my distribution includes it or at least includes the dependencies.

Re:/usr/local

[Captain_Loser]

There is a problem with this though, not all distros use the same startup scripts. I have experience with suse, redhat, slackware, and gentoo (my favorite) and they all use different init scritps. Either the linux community will have to start using some unified directory structure, or someone will have to make a package manager that is smart enough to figure out what distro that is being run. I personaly like having some diversity, that way I can decide what I like to use, and I am not forced to use what someone else decides is best.

Re:/usr/local

[crow]

People keep pointing out the differences in startup scripts, but in practice, I've never had a problem with it. Of course, the vast majority of packages that actually need to be run from init scripts are already included in your distribution.

I would think that the issue of distribution compatibility would be more targeted towards applications. I can understand wanting to download the latest nightly build of Mozilla or upgrading to OpenOffice.com 2.0. Neither of those have any business touching /etc.

Standards

[Milo+Fungus]

All of this will come at the price of standards of course...

Standards are not a price, they are an investment. I use standard XHTML, CSS, and SVG in my web design because I care about the future of the web. Besides, if a standard is well-designed (like W3C recommendations tend to be), it actually makes development and maintenance easier. Anyone who has migrated from HTML 3 (or some nonstandard IE/Netscape HackML) to HTML 4 or XHTML with CSS knows what a pleasure it is to work with modern hypertext (and probably also has an abiding and bitter hatred for IE). The same could be true of package installation in Linux if the standard is well-designed.

Re:Standards

I use standard XHTML, CSS, and SVG in my web design because I care about the future of the web.

If you're using SVG in your web design you certainly don't care about the present of the web, given that I don't know of a single browser that supports it out of the box.

Re:Standards

[gaspyy]

Parent is right. Investing in standards may be hard initially but it pays off in the long term.

Oned of the first commercial sites I designed back in 1997 was using all the cutting edge stuff of the time - HTML 4.0, working on the brand-new at the time NS4 and IE4.

Now, in 2004 that site still looks good and it's compatible with everything, with no redesign.

Unfortunately SVG isn't taking off. It looks good on paper but until there's a small&fast plugin for it (like Flash) or it integrated in IE, there won't be much content availavble for it.

Re:Standards

[chickenwing]

I agree that standards are a good investment, but shouldn't be too hastily created. It is a good thing to have several groups going in their own direction for a while. We will learn a lot more about the problem and see what ideas work and what ideas don't.

It is hard to know these things a priori. The cost of a standard that is created before the problem is solved, is that 10 years later everyone is locked into some not-so-good decisions that just needed more time.

Re:Standards

[Ambassador+Kosh]

KDE 3.2 supports SVG trasnparently so konqueror will render svg just fine.

Re:Standards

[Cthefuture]

Unfortunately SVG isn't taking off.

Isn't taking off where?? Both GNOME and KDE are moving to full SVG environments (icons and eventually everything).

Things like this don't happen overnight but it is happening. Vector formats are the future. Apple (actually NeXT) realized this a long time ago. Notice display PDF, scalable "stuff", and all the vector icons they've had for ages?

Not always, but often I find it easier to create better looking stuff using vector formats. For the most part it is basically the same thing you would be doing to create a raster image except it remains 100% dynamic. Photos and real-life pictures are the obvious exceptions.

The same thing is happening in other areas. Eventually we won't be using static textures in the 3D world. Everything will be procedural and dynamic. Notice all the newer 3D video cards have shading languages and stuff built right in?

The future is coming.

this has been done....BSD ports

duh

There is noniversal adapter

You can't make a universal package manager because the various bulk packagers organize their work differently. If there was only one way to do things, it could work, but there are many ways. You can't just grab an arbitrary package from Mandrake and expect it to work with RedHat and SuSe, and they all three use rpm's. Yes you can technically convert them, but the philosophy behind the distro is the deciding factor as to how useful any given package might be for anything other than the simplest cases.

Re:Linux gains a new feature..

[geekster]

Yeah, because the size of a package will surely affect the code of the application...

Packages

[arrianus]

A package is a file that contains information needed to install and uninstall a program. They are similar to MSI files, but have a number of advantages, mostly stemming from the fact that free software is, well, free, and so you can get it without buying it. Proprietary software comes on CDs, whereas free comes over the Internet. Upgrading free software is very "light weight" whereas upgrading proprietary software is usually very "heavy weight." This gives a different distribution model.

This has several effects. If I distribute a nonfree 10MB program UberTool, that requires the nonfree 20MB MegaLib, I'd better distribute MegaLib with UberTool. If both are free, I can distribute them seperately -- if the user already has MegaLib, he'll just install UberTool.deb. If he doesn't, the package management system will know where to grab MegaLib from, will download MegaLib.deb, and install it.

Furthermore, if I'm going from Office 97 to Office 2000, it's because I bought money on a CD, and I'm running an installer. In the free software world, upgrades are no-brainers, since they cost no money, and most free software programs are a smooth evolution, rather than major versions every several years. As a result, I'll generally be running the latest version of my office suite (as well as every other little utility on my system), and it is convenient to be able to do the upgrades all in one step (apt-get upgrade; apt-get update will grab all packages with newer versions, and install them, cleanly removing the previous ones). Most people never reinstall Debian -- I know installs from '96 that are still running today, at the latest versions, and there are almost certainly ones from before. I don't know of anyone who went from DOS/Windows 3.1 through Windows XP with just upgrades, and without a reinstall.

The next thing is Windows has a problem of bit rot. If you leave a Windows system without reinstalling the whole thing, adding and removing programs, etc. crap builds up. You get all sorts of registry keys you don't need, .dll files you don't need, weird interdependencies, and the system gets slower, more bloated, etc. This doesn't happen on Debian -- I installed my box maybe 3 or 4 years ago, and it's identical in functionality to if I installed it yesterday. Package management, well implemented, buys you that. You never reinstall the overall system, and upgrades are well-managed and don't break things.

The other place package management helps is in centrally-maintained networks. You can install the same package, with the same configuration settings, very easily from a centralized location.

So package management is, in effect, a fancy way to install and uninstall files. However, the fanciness buys you a lot. The new Windows installer is a form of package management, and gives some of the same advantages, although it's not yet as mature as the GNU/Linux ones (.deb has been around since at least '95, and .rpm even longer).

Re:Packages

[Rysc]

that would be megalib-version.deb and ubertool-version.deb

It's agaisnt debian policy for package names to be upper case, or to have packages without version info. To omit the arch is also bad, but you can kinda get away with it.

Re:Packages

[Tim+C]

The next thing is Windows has a problem of bit rot.

Out of interest, what sort of time period are you thinking of when you say this? I ask, because I've had two XP machines installed and running for around a year each, installing and uninstalling software on a whim, and both are just as responsive as the day they were installed. (And that's "very", before anyone gets any funny ideas :-) )

I couldn't have said the same about a Win9x box, of course, but things have moved on a long way since those days (thankfully).

Re:Why reinvent the wheel? (ot)

[ogre57]

The desktop app is synaptic, works with Debian and Redhat for certain, haven't yet tried with SuSE, etc.

Re:Linux gains a new feature..

Good packaging actually causes these things to shrink because you don't need to duplicate dependencies and it's easier to share libraries.

Michael

Is this such a good idea?

[Gilesx]

Looking at this from a newbie's point of view, is this really such a great idea? I mean, at face value, the idea of us living in a utopia where all the differing packaging standards are compatible is nice, but how many "green" Linux users would even understand what a difference is? They would see themselves as using Linux as opposed to Windows, and not abc's Linux as opposed to xyz's Linux or Windows...

Total package compatibility would most likely lead to someone using Red Hat trying to install a debian package, and then getting frustrated, confused and pissed off with the inevitable failure due to the entirely different internals of Debian and Red Hat.

Unfortunately, it is a sad fact of life that Linux distros are deviating from the once common base they shared. An example of this is Mandrake - I used to use Mandrake around versions 6 and 7 and quite often installed Red Hat rpms successfully. However, as those crazy French spend more time tweaking Mandrake in weird and wonderful ways, it becomes further and further removed from Red Hat. Sure, they both use the .rpm standard, but can you imagine trying to install a Mandrake RPM with a *lot* of deps on a Red Hat system?

All of this leads me to conclude that perhaps rather than concentrating on unifying packaging, we should instead focus on making incompatible packaging systems for each major distro. IMHO, it would be much easier for a newbie to distinguish between what will and won't work if they were guaranteed that an rpm would ALWAYS work on Red Hat, and some other kind of package (MPM?) would ALWAYS work on Mandrake....

Re:Is this such a good idea?

[X_Bones]

Total package compatibility would most likely lead to someone using Red Hat trying to install a debian package, and then getting frustrated, confused and pissed off with the inevitable failure due to the entirely different internals of Debian and Red Hat.

If there was "total package compatibility" between radically different distros, then wouldn't that by definition get rid of "inevitable failures" during install? This would make it easier for newbies to get comfortable with maintaining a Linux system, instead of throwing their Linux CD in the trash and going back to Windows. It might also help to show that different distros aren't so different after all, just because of what apps are packaged for it. If there was no need to spend time packaging and testing that 29th MP3 player when the other distros can do it too, maybe now we'll see improvement in the other bits in the distro that need help.

Actually, in the dream world I live in, everybody downloads source when they're setting up their system and just grabs the diffs when they need to update a component. Ever-faster processors mean quicker compile times, ridiculous amounts of hard drive space means you can keep source trees lying around so you don't have to build from scratch every time, and only distributing the source means the program is guaranteed to work on your system (well, with a little help from automake and friends).

Lacking some key features.

[autechre]

zapp's comment below is good, but I feel the need to add some things.

There are still PLENTY of Windows applications that don't use Add/Remove programs. You have to find their uninstaller, if they have one. This is the same as downloading a tar.gz with the source and hoping it has a "make uninstall" target. However, free software is available to track packages you compile and the files they install. Software is probably available to help uninstall stuff under Windows too.

With Debian, I can find out all of the files a package has installed. I can re-run the initial configuration. When I uninstall the application, it won't remove the config files in case I re-install later (unless I tell it to "purge"). I can query the package database and find out what the package is actually supposed to do, which is often a problem for me on Windows systems which are not my own ("What is this?" "I don't know!")

Additionally, a good package management front-end like APT, coupled with well-organized packages, makes maintenance a breeze. I can update every application with two commands*. Libraries are only installed if I need them, and it's safe to share libraries because programs won't be trying to install incompatible versions of them (if they did, the package manager would notice and tell me).

So yes, installation programs like MSI files are simpler, but I wouldn't say they were easier.

* Except for the source-installed apps, of course, but those are a) not packages, and b) few and far between on a Debian system.

Sounds toooo complicated...

[msimm]

If any of you have bought games in the past few years you've probably used Loki Setup. Why wouldn't we use a program like this for simple software installation and an advanced 'package manager' for system updates. I think the problem is that we use overly complicated package managers for EVERYTHING when individual downloads don't need it.

Doesn't help source packages

[adrianbaugh]

I'd like to see autoconf / automake extended to fit in with this, so that when you build a project from source using these tools they set up the Makefile to produce a package, either as RPM or DEB, of all the files to be installed. In theory autoconf does all the dependency checking for required libraries and headers anyway, so the dependencies shouldn't be a major problem: probably even the name and version of the package could be figured out automagically from the LSB description.

This would make it so much easier to integrate packages for which no RPM or DEB exists into your system: I don't like stow and it's unreasonable to expect everyone for whom this functionality would be useful to be able to write .spec files.

Re:Doesn't help source packages

[josepha48]

"In theory autoconf does all the dependency checking for required libraries and headers anyway"

Only if it is programmed to make those checks. Also autoconf and automake and getting those configure scripts is not that easy IMHO. There is a bit of work to be done to get autoconf to work right and check for everything. Then it also has to be tested on the various platforms.

For source distros, I'd suggest using something like gentoo's pkg management which is based on the bsd style of source package management. Problem is that the distro has to support the source package or you have to know what you are doing.

I've yet to find a good package management system that handle both source and binary. The BSD's are probably the closest, but the problem with then is that the package must be made in both forms and that is not always the case.

So far the best I have found is apt-get and rpm. dselect is to confusing IMHO. Problem here is getting to the source rpm if one is not provided.

Re:Doesn't help source packages

[adrianbaugh]

I'm not really talking about pure-source distros, portage seems to work fine for that. But it would be nice to have a tool that could turn a .tar.gz source package into a binary package that will work on your system - even if just to allow you to uninstall it easily if you decide it sucks. I could even live without the dependency checking - if the program builds on my system it'll work there, just create a package with "system-specific" prepended to the name if the dependency checking is too hard.
But whether or not there's a lot of work involved it still seems to me to be a worthwhile long-term goal for autoconf, what with it having become a pretty widespread standard for building source projects now.

Re:Doesn't help source packages

I've yet to find a good package management system that handle both source and binary. The BSD's are probably the closest, but the problem with then is that the package must be made in both forms and that is not always the case.

You probably had misunderstood something. FreeBSD packages packages are built from ports, for what I know. And it is as trivial as

cd /usr/ports/foo/bar
make package

It is extremely helpful when handling _many_ servers, as most hosting providers' sysadmins will tell you.

making your own port also seems like a much simplier task then building rpm (haven't tried the latter, though).

Re:Doesn't help source packages

[josepha48]

FreeBSD is my server and I am well aware of its package system. NetBSD also has a package system similar, only they prvide in some instances source and binary packages. It works the same only on NetBSD ( my system ) its /usr/pkg/foo/bar not ports.

Problem is that if the package DOES NOT EXIST in /usr/ports or /usr/pkg then you have to use tar -zxvf && ./configure ( if it has a configure script) then run make && make install OR you create a FreeBSD / NetBSD package yourself. If you want to uninstall the package after a make install and it is NOT a ports / pkg then you have to know what was installed where.

Typically what I do is ./configure --prefix=/public/newpackage . Then when I install I DON'T run it as root and it installs EVERYTHING in /public/newpackage. Then I set LD_LIBRARY_PATH / PATH and any other necessary variables and test the package. From this I can also do a find and get a file list. Then I can use that to build an rpm package and if I like the package install it for real. Other times I just install it in /opt like I did with netbeans and eclipse.

Re:Linux gains a new feature..

[Medieval]

I actually pondered putting a or tag on the post, but I then decided against it. Perhaps I should have.

Microsoft Research leads the way!

If anything it's time for the Open Source community to "Embrace and Lag Behind" yet another Mirosoft innovation.

Microsoft Research has a new product in beta named "Microsoft Visual CAB++.NET" that will provide for all your packaging needs. Call 1-800-SUCK-ASS for the 411.

Chinpokomon! You Americans with your massive, gargantuan penis! Keeping world safe from Iraqi WMD!

Incremental diffs?

[DrXym]

Keeping a Linux box up to date over a slow link is next to impossible. It would be great if binary diffs could be produced that meant a 3 line change to XFree or wherever meant just a 100k download instead of a 40Mb one.

The binary diff would look for the existing files matching some checksum and patch them up with the changes rather than uninstalling replacing old files with substantially identical new ones.

Solving the wrong problem

[aero6dof]

The package format is only the first and probably most shallow problem in trying to use cross-distribution packages. A huge portion of package reliability and usability comes from a well managed set of package interdependencies. Managing those interdependencies is a major task for a single distro, let alone trying to handle the exponentially more complex dependencies sanely accros distros.

If you really want to solve the problem of cross-distro's, you need start at the other end. Define your own packaging standard which favors statically compiled dependencies. Then write or adapt tools to package the resulting statically linked binaries into different distro packaging formats. You can't just blindly statically link either. For some applications, you'll also have to solve device interface, and kernel interface issues across distro's and kernel versions and configurations too.

it's not [ENTIRELY] the package format

It really isn't about the package format

Of course it is! A common package notation allows dependencies between software components to be detected precisely and automatically. It's only a step from there to have dependencies resolved automatically as well.

If two software components use two different package notations, you're forced to do figure out and resolve their interdependencies by hand. Supposing you could do it at all, what do you think the chances are that you'll do it identically twice in a row on the same system, let alone on a server room full of systems which are to be configured identically?

Of course you're right that the problem is not entirely solved merely by committing to a universal package format. Developers still have to take care to use its capabilities correctly. Dependencies have to be expressed accurately, for example.

I've also noticed that relocation is often not done properly in open source packages. I suspect this may be because many open source developers are not used to installing software at complex sites where different administrative groups maintain different sets of software at different points on different servers. The point is that /usr/local is a nominal installation point only. In the real world, site requirements can be much more complex. Over the years, I've noticed that autoconf handles this situation very cleanly. It's the people building binary packages that seem to overlook the need for relocation.

Re:it's not [ENTIRELY] the package format

[ajagci]

Of course it is! A common package notation allows dependencies between software components to be detected precisely and automatically.

But we don't have a common package "notation"--that's the problem. Creating a new "notation" or a new format or a new tool isn't going to change that.

It's only a step from there to have dependencies resolved automatically as well.

No, it's not. For anything like a UNIX system, there is no way in hell that you can determine and/or resolve dependencies reliably.

I've also noticed that relocation is often not done properly in open source packages.

Relocation is done quite properly in most open source packages: at build time, through autoconf.

I suspect this may be because many open source developers are not used to installing software at complex sites where different administrative groups maintain different sets of software at different points on different servers.

You suspect wrong. Some of the biggest and most complex installations are handled by open source software and open source developers.

Over the years, I've noticed that autoconf handles this situation very cleanly. It's the people building binary packages that seem to overlook the need for relocation.

Binary packages are not "relocatable" in general (meaning, you can't change paths around arbitrarily). And they won't become relocatable because it would be a PITA and because a large fractions wouldn't do it anyway.

If you want a solution to that problem, you need functionality like that found in Plan 9, either at the C library level or, better, in the Linux kernel. But then people like you, you know self-proclaimed "real world users", self-proclaimed people "who install and maintain many different sets of software" complain that they don't want such "academic" solutions, which they don't understand, yet actually desparately need.

I prefer boxers...

[biolabrat]

...to manage my package.

Re:I prefer boxers...

[/dev/trash]

Like? Rocky? Ali? Tyson?

I just want more stuff for Solaris

[Stonent1]

Which is why I'm working on getting gentoo portage going for Solaris. Portaris!

If you feel you habe some ideas that could help with this mini project, feel free to join in!

mod parent up

[Frymaster]

that's the best description of the root cause of "rpm hell" i've read yet.

the problem with rpm is it's success. when a half dozen distro's start using it a half dozen versions of any given package are developed... throw in rawhides and their ilk and suddenly package management becomes a nightmarek.

if you are going to use rpms stick to your vendor. it may suck being a slave to up2date but it beats the conflicts.

Re:mod parent up

[Antity-H]

I would say that the problem with rpms is that until quite recently you couldn't find a central repository with regularly updated packages. As you say half a dozen ditros and half dozen versions of any given packages. WIth a webbased centralized repository, (regularly updated) this wouldn't have had to happen. This is IMHO the best feature of debian based distros (knoppix, morphix, etc) They can use the debian packages base and add their candy over it. IOWs if apt4rpm had existed before we would never have had to live in the dependancy hell we are in now

Re:mod parent up

[tzanger]

if you are going to use rpms stick to your vendor. it may suck being a slave to up2date but it beats the conflicts.

And that, my friends, is the exact reason why I steer clear of any dep-tracking package manager. How do you install applications that your vendor doesn't provide packages for? Source, of course. But now you're using two dep trackers -- the one in your head and the one that your distro uses. You could build your own real package for the app and really make yourself a maintainer (and help the world) but let's face it, you don't often have time to do that.

I've tried Suse. I've tried Debian. Redhat. Gentoo. All of these have one common problem: they track dependencies and without becoming a package maintainer you're stuck with what they've got. Slackware's where it's at, baby. I never understood what the problem with "can't find libfoo.so" was -- oh, I need libfoo... freshmeat or google for it, or better yet check the MANIFEST.gz to see if it's already there somewhere.

And checkinstall --newslack --nodoc never gives you "busted" packages. :-)

Dependancies

[officepotato]

Loki's games have them too, but they tend to compile most of them into a big staticly-linked binary, leaving only the major ones like X for the user. Works fine for huge games when another couple of megs doesn't matter. Basically, if you build an executable static, it has almost no dependancies, but it's a huge file. If you build a file with dynamic linking, it'll create a tiny executable, but it relys on various libraries to run, and more than that, certain versions of those libraries.

The upside to this is that all the parts of a linux system can be developed simultaniously and independantly, and the result will still work.

Can you imagine KDE for example, being built staticly linked to all of the sound, video, encryption, math, etc. libraries that it needs to run? You could do that and release a nice installer on CD once a year, and then wait for the next release before you can upgrade ANYTHING on your system, because it's all one giant package.

In a distributed development system without central management, and without a product to ship to Babbages, many small packages are the only real solution.

Re:Dependancies

[msimm]

Your KDE example would illustrate what I would consider a system-type upgrade that should in most cases (ie cases where the user doesn't want to handle it) be done using a more advance package management system and packages put together by your vender. The stand alone Loki installer scenario your describing is exactly what OS X users are trumpeting about. That drag-and-drop and it works. It does sound like a good enough idea. Remember the programming adage: KISS (Keep It Simple St*pid).

Re:Dependancies

[IamTheRealMike]

This will lead to problems as the loader will load only ONE version of the library and require both a.out and a.so to use the same version of b.so. This is why rpm's of the same program are not compatible accross different versions of the same distro

Whoa, slow down. That's not right at all. Firstly, some RPMs are compatible across distributions, but not all - and it's basically hit and miss.

The linker fixup problems are one issue yes, but to be honest these occur rarely, especially once you start stripping unnecessary DT_NEEDED entries from your binary (unnecessary -lfoo options).

Eventually we'll need to change it to be more like how Windows does it, but it's not a high priority. Fixing build tools to not dump piles of bogus (in the case of recent toolchains) -lfoo options on the compiler is a more important issue, but I have no idea how to fix this in a general way. Possibly extensions to pkg-config would need to be made, certainly this is something that will require large-scale changes to peoples build systems.

I'm hoping that when autopackage is released and stable, it'll be so fantastically popular that it will motivate people to fix these myriad binary portability issues in their apps (and none of them are unsolvable or inherent in the way Linux works). We're writing a guidebook to help people do this, but it's not really released yet.

In Windows Hell...

[Spoing]

I'm struggling with Windows problems, mainly due to the fact that Windows installation programs do not track dependencies. They use an incrementing counter and self-registration to track what files are in use. Because of that, tools like Dependency Walker -- very handy BTW -- have to be used and the process is manually intensive if you want to be sure everything is actually there that should be. Even Dependency Walker can't be used to examine files that aren't executibles or libs.

Too much trust is placed in the installation program getting it right, and no built-in way is available to check if dependencies are broken.

You can ding the different distributions -- and quite rightly -- for package problems though in comparison most of them are dreams when stacked up against Redmond's latest offering.

The problem isn't the package

[trans_err]

All these conversations about different package formats, dependency hell, et al. flies right over the heads of many Debian users. Many of us are usually surprised at the amount of problems other distros have when it comes down to packaging. Now before you mark me as a troll ponder this: It isn't the package format that needs revision its the maintaining of an entire repository of packages. This is why Debian users are surprised by all this, or possibly why some migrated to the distro to begin with. People need to stop worrying about what format there software comes from, but rather begin creating a universal set of dependencies and one congruent software repository. Until then only debian users will know the true joy in running apt-get update && apt-get upgrade.

Hear Hear

[wowbagger]

What I'd like to see is more distro vendors moving to a metapackaging system like APT, and then the following rule applied throughout:

Either your package uses packages from some standard repository (Linux standard base, anyone?)

OR

You will provide all needed packages that are NOT in that standard set in your APT repository.

So if I provide Foo.1.2.3, and it requires Narf.2.4.pentium, and the standard repository is providing Narf.2.3, then I must provide Narf.2.4.pentium on my site.

Of course, I would also pimpslap anybody who actually depended upon Narf.2.4. pentium as opposed to simply Narf.2.4.

And to address the tweakophillia of the Gentoo types - what about a program that could be run from a cron job that would examine all recently installed packages, pull the source packages, rebuild them with the locally provided options, and upgrade them? Thus, I could *quickly* install Poit.9.1, and then tonight my machine would pull Poit.9.1.src, build it with "-Os -march=athlon-xp -mcpu=athlon-xp -mfpmath=sse,387", and install it.

Re:Hear Hear

[PostConsumerRecycled]

you forgot -pipe and -fomit-frame-pointer :)

Just kidding, overall I really like the sound of that hypothetical metapackaging system, Ive had so mayproblems on my Mandrake Laptop due to dependencys being in different repositories and one of the severs being out of date. I wish the policy you stated above was adhered to.

Re:Hear Hear

[wowbagger]

-pipe is only good at saving compile time.

-fomit-frame-pointer makes it a bitch to debug things - I don't like making debugging harder. ;)

Yes, APT is a great piece of the puzzle, but it doesn't solve everything - for example, in Fedora, there was a package checked in for Bittorrent-GUI, which required a package wxPython, which exists NOWHERE on the 'Net. Smooth.

That is one thing I will give the Debian folks - you make your package work or you don't get in stable.

Re:Hear Hear

[InfoTaku]

Having compiled some software and done some research I can tell you from experience
that you do not need the "-mcpu" flag if you have already elected to use the "-march" flag,
as the -march flag automatically applies -mcpu for you.

If you think about it, it couldnt be any other way.

Re:Hear Hear

[AntiOrganic]

Yes, APT is a great piece of the puzzle, but it doesn't solve everything - for example, in Fedora, there was a package checked in for Bittorrent-GUI, which required a package wxPython, which exists NOWHERE on the 'Net. Smooth.

Erm, what?

Re:Hear Hear

[tzanger]

That is one thing I will give the Debian folks - you make your package work or you don't get in stable.

Very true, and if you can deal with the versions of software that appear in -stable, you're golden. Debian Stable is really, truly, stable.

Unfortunately all the latest shite is in -unstable and you've just opened Pandora's box if you point your deb repository there. Or if you compile your own app. Right back to dependency hell.

Re:Hear Hear

[wowbagger]

And if you look at the date, you will see it is fairly recent.

Now, go look at when BTUI was posted to Fedora.

Gentoo and Portage

[SwansonMarpalum]

As usual I'll come out with my Gentoo Zealotry but I'd like to deflect some of the problems I'm seeing mentioned here.

Gentoo is a Linux distribution largely centric to the Portage package manager (there are other features of Gentoo, but Portage is by far the most conspicuous)

Portage is a package manager loosely inspired by FreeBSD's ports system. Portage maintains a global software configuration file called make.conf. Make.conf holds meta-configuration settings about your system. As Portage builds all programs from source for your machine, make.conf is the place where you describe your machine to Portage. make.conf also holds a collection of use flags. Use flags are global binary switches. They have a default value if they are unspecified, and if you include a Use flag (ie USE="java") then it turns that flag on, and if you include -flag, (ie USE="-java") then it explicitly will not use that feature which is globally recognized by Gentoo.

I see complaints that emerge VI tried to build X and thus portage is "smarter" than you as a sysadmin. This is patently false and ignorant. Portage lets you do your job as a sysadmin once and then never have to worry about doing it again. If you do not want X on a machine then you need merely put "-X" in your use flags.

It puts control in your hands. If you want an application built to support certain things you can have it. If you do not want to support other things explicitly it will do that. It defaults tod doing what's sensible for most people who use Linux casually. If you aren't a casual user, spend a week or so getting familiar with portage and it's configuration. emerge is an incredibly potent tool. All of my systems are patched automatically every day, from source, with the configuration I have specified for that system. My binaries are all built with -march for the CPU, and -Os. And I've never once had any of my systems have a failure caused by misconfigured dependencies. They stay up to date and I don't have to worry about it.

If you want to do all your dependency checking yourself, you're welcome to. However there's a good solution that takes care of all of the issues revolving around this available, freely, to the world. Click here to find out more about it.

Re:Gentoo and Portage

[Alcemenes]

I think portage is a step in the right direction. Portage already has the capability to install .debs and .rpms as well as build from source and install tarball packages. Granted, it's not perfect but perhaps the way to attack this problem is to create a user-friendly gui on top of portage (I think there is at least one gui already, not 100% sure though) that handles everything being discussed here. I think this would appease power users and newbies alike, especially if the dependency handling is as good as, say, apt-get. My problem with portage is that it seems to be more of a one-way street. You type 'emerge Gnome' at the commandline and it builds and installs Gnome yet if you want to remove Gnome you have a long list of dependencies to remove one by one. Now, I may have overlooked something in the documentation but if we look at this from the standpoint of the newbie, who doesn't want to read volumes of documentation, then portage is not the right answer. It is my opinion that more people need to read the documentation but we all know that isn't going to happen easily so I think some apps will have to be "dumbed down." I think Gentoo has a good start with Portage. There will always be problems with naming conventions and standards but I think with enough effort portage could be molded into the app the author is talking about. The BSD ports system is very nice also but I think it would be wiser to work with the tools already available to develop a solution instead of trying to bring something over from another OS. Then again, maybe I'm so far out in left field that I've missed the boat. Time will tell.

Where ports excels..

[Joseph+Vigneau]

I was a long time Debian user, and I've "switched" to Gentoo. The primary reason I feel the ports/portage system is better is that I am not forced to install packages that have dependencies on other packages I don't need. For example, take gaim. In Debian, gaim has a dependency on NAS (Network Audio System), so I'm forced to install it. I don't need NAS. I don't want to install NAS. Gentoo has a USE flag that allows me to declare that I don't want anything to use NAS.

Also, it is pretty easy to make a custom "ebuild" file (which is a shell script) in Gentoo, and relatively difficult to create a new .deb. Say a new release of your favorite software comes out, but the package maintainer hasn't gotten around to packaging it. In Gentoo, in most cases, you simply copy the old ebuild file, and possibly tweak the version number. You don't have to download, compile, and package it seperately, as you'd have to do in Debian.

There is also a lot less political activity in Gentoo, and they seem to Get Things Done.

Re:Where ports excels..

[WWE-TicK]

> In Debian, gaim has a dependency on NAS (Network
> Audio System), so I'm forced to install it. I
> don't need NAS. I don't want to install NAS.
> Gentoo has a USE flag that allows me to declare
> that I don't want anything to use NAS.

apt-get source gaim
cd gaim-0.75
[edit debian/rules file, add "--disable-nas" to DEB_CONFIGURE_EXTRA_FLAGS which, incidently, is the default .. are you sure Debian's gaim depends on NAS?]
debian/rules binary

viola ... shiney new gaim deb which doesn't depend on NAS in gaim-0.75/..!

> relatively difficult to create a new .deb.

Not really.

I've never used Gentoo, but from what I understand it's claim to fame is that all packages are basically automagically installed from source. Bleh .. who has the time. Better to have most of everything installed from binary packages, and then selectively be able to *easily* rebuild a package from source. And in Debian, this is pretty easy to do.

Re:Where ports excels..

[Joseph+Vigneau]

[apt-get source package, season to taste]

That's a lot more complex than simply setting an environment variable. A lot more error-prone, too, and difficult to reproduce.

[install most things from binary packages, and use source packages as desired]

Gentoo's portage system also allows you to do the same thing: you can easily build binary packages by using the --buildpkg option of emerge. This is really useful when deploying to multiple machines, or systems with resource constraints. Compiling XFree and KDE on an older P3 takes a looong time. Apparently this isn't too much of a problem, though, because AFAIK there's no repository of pre-built Gentoo packages, other than what's on the Gentoo Reference Platform CD..

package management, not package manger, is needed

[pmfp]

A lot of people have eluded to this, but I'm going to be the smart ass to say it straight out:
We need packaging/installation policy standards!

Imagine a centralized, yet somewhat distributed control, database over names of libraries/packages. The libraries name would not include version numbers or anything like that. In addition to this there's a standard scheme for naming packages, version numbers, etc.

Now, the bigger problem is not what installs where, rather what installs what. The policy standard for package management is not the format, the manager or whatever to use, but what each package should contain. I.e. a standardized policy regarding how much one is allowed to cram into a package. Of course they all need meta-information saying what they provide.

So if you have, e.g., a standardized policy of one package per lib and a naming scheme that is adopted by major distros... feel free to use whatever package management you want.

Package System Opinion

[TWX]

Of all of the distributions I've used (Slackware (Walnut Creek '96 through 8.0), RedHat (5.1, 5.2, 6.0), SuSE (6.# through 7.0) and Debian (2.2 - Current Unstable)) I've found Debian's apt+dpkg combination to be the best built. It doesn't matter if I used Progeny, Storm, Knoppix, or any particular version of Debian Proper, I was always able to specify source servers and update the system. I was able to add third-party servers without much issue. The system just worked. RPM in the two distributions that I've experienced with it was a pain. It was hard to meet dependencies even with a particular package built for a particular distribution, and I ended up chasing my tail more than administering the box.

Of course, I liked Slackware due to the lack of general advanced packaging, since I didn't end up breaking a package management system with third party compiled-from-source software.

Re:Package System Opinion

[pyros]

I'm not familiar with Suse from that timeframe, 9.0 is the only one I've tried. But those days were the peak of RPM dependency-hell. There are several locations to get apt for Red Hat these days, and several well maintained 3rd party repos (fedora.us, freshrpms.net, jpackage, newrpms, atrpms, and dag wieers come to mind). The difference with the Debian distros is that they're all Debian plus some individual extra stuff. If Fedora.us and Freshrpms.net suddenly threw together an installer they would be the equivalent of thinks like knoppix and mepis and lycoric and such. You're still using the Debian repo's for all the core stuff. They just add some config tools, maybe a different menu system, some different default themes, and maybe repackage some stuff. I'd love to see some offerings like this come up in the Red Hat world. I thikn fedora is a step in that direction.

Re:Package System Opinion

[Kent+Recal]

Mod parent up. I couldn't put it better.
I've been working with: SuSE, Slackware, RedHat, Debian, Knoppix, LFS, Mandrake, Solaris, Windows, BSD...

Yes. It's a wild mix and let me tell you: The least predictably machines (as in "how can I get software installed quickly") were always the RPM based ones.

Even the Windows install mechanism (setup.exe) usually works better for me (unless registry gets screwed or hardware is involved ofcourse) than the RPM install.

I tried to install a recent Mozilla (yes, the browser) to a freshly installed SuSE 8.something just some days ago. Hey, I went the newbie-route, tried YaST and the graphical package manager and, guess what, I couldn't find a mozilla package (no, the search didnt help)! AND: The update-thingy couldn't connect to the SuSE servers - not giving a hint what the problem could be.

So I was stuck there, with no idea how to fix the connection problem (hey, gimme at least a filename where to look, mmkay?) and no mozilla package on the magazine-cover SuSE cd. Guess they expect me to use konqueror?

Fine, I went to suse.com and do you think I found a way to search or *gasp* download a package from there? NOPE! Nothing!
I searched for 10 minutes or so (maybe it's there, where is it hidden??) and then just went and got the binary-installer from mozilla.org.
Yes, I could have looked at ftp.suse.com. No, I didn't feel like learning their directory hierarchy and how they deal with the depends.

So, who is wrong here?
Me, for considering to install mozilla from a distro package?
SuSE for not implementing RPM properly?
RPM for reasons that could be extracted from my little "success story"?

ONE thing I know for sure is that I can sit down to any debian-based box with a net connection, type apt-get install mozilla and it will be there...

Maybe that last paragraph made me sound like a zealot but well, so be it.

Re:Package System Opinion

[PleaseDontBeTaken]

Ditto that. I had exactly the same experiences on SuSE 7.2 and 7.3 before I sucked it up and moved to Debian, which I had seen originally, but which sounded like a cult in the posts I had read before I started using Linux. And I ended up solving them in the same fashion (compile) which was obviously screwing up my dependency system. But it wasn't until I wanted a more up-to-date kernel and pcmcia packages, and couldn't easily get them under the SuSE framework, that I finally sucked it up and moved to Debian, by which time enough people had already said I should be using Debian's package system.

Double ditto about SuSE Yast not knowing where to look for updates, especially if you tried to be "nice" and point it to a local mirror but screwed something up and couldn't get it back.

The best thing about SuSE, and my only reason for keeping the discs around, is the partition resizer to smoosh your existing op system down to size to make room for Linux, and the fact that because it's from SuSE, it wasn't going to bork your existing installation in the process. I know there are other tools, but you can't put a high-enough value on trust when you are putting all your bits on the line.

I wish the debian installer had:
1. the non-destructive FAT partition resizer
2. would read your existing home dirs and ask you which user data you wanted to recreate, so you don't end up with orphan home dirs if you wipe and reinstall everything but /home

APT has been wonderful until recently when I discovered the KDE 3.1+/testing problems, which one can obviously work around, but not as easily as one should be able to....

Dependancies

Lots of these posts have mentioned that different distros use different packaging schemes and that there can also be problems with package names and dependancy locations (e.g. required .so files being in the wrong directory), but I haven't heard anybody mention the problem of binary compatability. Suppose I have program a.out which requires a.so and b.so to run. Now a.so also uses b.so, but a.so was compiled against b.so version 3 while a.out was compiled against b.so version 4. This will lead to problems as the loader will load only ONE version of the library and require both a.out and a.so to use the same version of b.so. This is why rpm's of the same program are not compatible accross different versions of the same distro! We'll never get out of the dependancy hell until somebody fixes this problem (e.g. Windows works the way you'd want). There's more info on this issue in the Autopackage FAQ if you're interested. BTW: suppose I've got a.so version 3 on my machine and I go to install myprog. myprog requires a.so version 5. Upgrading a.so will require upgrading 500 other binaries on my system as they also depend on a.so version 3. As far as I can tell rpm doesn't want to let me install a.so version 5 (e.g. a.so.5) along side a.so.3 without using the --force option even though that would/should work in many instances and make an upgrade much easier. Am I missing something??

A Suggestion For Better Package Formats

I have an idea that maybe will help fix things just a little:

Instead of treating all packages the same, make a seperation between libraries, daemons, servers, utilties, and desktop applications. Then you can have a global setting for the system that decides what kind of user is using the computer: desktop average joe, programmer/developer, server machine. Then you can manage packages much simpler.

Let's say that it's an average joe desktop box. In this case, libraries only need to be installed if 1 or more applications depend on them. just have the package system transparently manage this: if a new application is installed that depends on a library that isn't installed then also install the library. If an application is removed and there is a library which only that application depends on then remove the library. If two applications need 2 different versions of the same library then manage this smartly, and merge the libraries once the apps become compatible.

Right now, this "one package format fits all packages" approach limits us, and limits flexibility. The package manager should know more info, or "metadata", about each package installed so that it can manage things smarter.

peace

Yes but...

[twoslice]

When I was your age, we called 'em by their proper name--athletic supporters!

People started calling them "Jock Straps" and we all know that a geek is no jock - so it was either Geek Strap or package manager...

my package...

[Enze6997]

I have been managing my own package for years now and I think, aside from the not being unwrapped frequently enough I have been doing a pretty good job on my own. I think the real development could be done in getting package's target audience to learn a thing or two on how to properly work the package.

how about webstart?

[ahmetaa]

Java webstart is a complete solution to the packaging mess. develop with java, one click secure install, update and uninstall.

gentoo...

[pimpinmonk]

*cough*ebuild*cough*

c'mon, it's not even offtopic this time!

ebuild is all we need

[vandan]

The other package formats are nothing but trade-offs to lure Windows users.

With every Linux box having gcc, is there really any reason why apps have to be pre-compiled? Sure you can pre-comile stuff for an installation CD, but after that, it just makes sense to use an installation method like Gentoo's portage.

After all, this IS linux...

Autoconf doesn't support relocation.

[V.+Mole]

I've noticed that autoconf handles this situation very cleanly.

No, it doesn't.

All autoconf does is make it easy to change the hardcoded paths that will be compiled into the package at build time. Once the binaries are built, they have to go into the specified locataions, and the config files into theirs, etc. etc.

It's the people building binary packages that seem to overlook the need for relocation.

The underlying source code usually doesn't support relocation after it's built. There's nothing the package builders can do about it. Well, they can rewrite the source to support it, I suppose. That sounds like fun. And I can guarantee that it won't be tested properly, and it won't cover all the things that you want/need to do, and so you'll have to rebuild from source anyway. People who run large complicated installations that need custom layouts are going to have to accept the fact that their layouts are just that, custom, and are not, generally, going to be supported by the statndard package system.

Linux killer app?

[Ryan+O'Rourke]

Integrate something like this with Wine so Linux users can install Windows programs from the package manager and you just may have an application that could help get Linux onto J. Random User's desktop.
Imagine - "Linux runs everything."

I'm not implying there are dozens of programs solely for Windows that Linux users are dying for, but some people are married to one app or the other, and that keeps them from trying Linux.

We need complete separation of data and programs.

[Wolfier]

In other words, there should not be any "pre-install" or "post-install" or "during-install" scripts inside packages.

Packages should contain data. That's it. Leave all the executable work to the package manager, like dependency checking, startup scripts, etc.

Letting packages run its own stuffs during installation is the root of all issues associated with uninstalls.

Blending Package Management And Source Tree

[EXTomar]

One of the things that continually stumps me is why can't source trees (from CVS, tar.gz, where ever) compile out and create an installable package? Making a distributable package has always been a secondary step instead of an integral part of the installation build.

What I want to see more of is "tree building". Once again from some distribution system (CVS, tar.gz, etc.) the code can sit. When a release is pushed out you do an update/merge and rebuild. This ties into the previous paragraph where you can just recompile the packages and upgrade them for tight management.

Package management works now if you don't want to deal with source code. The moment you start trying to build your own source for system tools things start to blurr. This is how Linux systems now accumulate cruft which neither the package system or compiling can handle. If both were some how brought closer together there might be hope to keeping it sane for a bit longer.

Egads, so much effort

[Cthefuture]

Does anyone else see what's happening?

Too many package formats, too many window managers, too many GUI toolkits, too many desktop environments, too many Linux distributions, etc, etc.

I like choice, I really do, but this is madness. Not only is a great deal of time used to create competing software (Kword, Abiword, Open-Office) but now we're creating more work for ourselves by trying to integrate it all (packages managers, RedHat trying to unify GNOME and KDE, etc). Wow, this can't be good.

How is all of this going to compete with entities that have a more focused approach? I believe the only reason why anything has gotten done at all is because there's just so damn many people working on things. This causes serious talent dilution though. Things are nowhere near as good as they could be (or could have been).

This is quite disturbing.

It's interesting to note the things where this hasn't happened. Just try to create a competing standard to HTML, XML, SQL, or OpenGL (note that I'm talking Linux/FreeBSD, etc, not Windows). Not that people don't try but they never gain momentum. I have to think if there was an ANSI, ISO, or whatever standard desktop evironment then that would help. I seriously doubt something like that could be done in a reasonable time, I'm just saying it might help.

Distribute deps

[xenostar]

Ok, what I never understood with binary packages is why not include all the precompiled dependencies right there in the package, install them all into the same directory and have them take priority over the ones in the system, like in windows. Am I missing something that makes Linux unable to do that? (Aside from the obvious bloat of such practices).

Re:Distribute deps

[spitzak]

This is exactly what should be done, but people here are too brainwashed to admit that perhaps some features of Posix should be changed.

It is possible to fake this, we do it with our commercial Linux software, and it is obvious that other commercial software does this:

*All* files for your software are dumped into a single directory, so installation and removal is trivial (this is similar to OS/X App directories). In that directory is a single "wrapper" executable, usually with the name of your program, and only dependent on glibc. The main thing this program does is read /proc/self/exe and use it to setenv LD_LIBRARY_PATH, and locate the actual executable. It then exec's the actual executable. In our case the wrapper also makes sure argv[0] is a clean full path name so the actual executable can use it to locate data files and plugins, you could also put this function in the main program if you wanted.

We then install Gnome and KDE shortcuts on their start menus directly pointing at the full pathname of the executable. Anybody who wants to run it from a shell has to type the full path or symbolically link it themselves into a directory on their path. Deleting our software leaves these start menu items and any symbolic links pointing at nothing, which as far as I can tell is not a real problem.

Intelligent users can easily peek into our directories and see that we ship libtcl and some others in an attempt to hide system differences. They can rename or remove these to better integrate the software into their system. But at least it works, first time, for any users.

I would like to see Linux altered to handle this cleanly, by adding direct support for "app directories". Unlike OS/X, I think they should be named with no extension. The rules are simple: if the user tries to run "foo" and it is a directory, it tries to run "foo/foo" after first adding foo to the LD_LIBRARY_PATH and after fixing up argv[0] to be the full expanded path to foo, and possibly other fixes for stupid Posix rules. This would get rid of 99% of the "install" headaches.

Re:Distribute deps

[NoMaster]

Spot on. Except for this :

I would like to see Linux altered to handle this cleanly, by adding direct support for "app directories". Unlike OS/X, I think they should be named with no extension. The rules are simple: if the user tries to run "foo" and it is a directory, it tries to run "foo/foo" after first adding foo to the LD_LIBRARY_PATH and after fixing up argv[0] to be the full expanded path to foo, and possibly other fixes for stupid Posix rules. This would get rid of 99% of the "install" headaches.

I've got an easier idea : Why not just give the directory name a special suffix - so instead of having to check if there is/isn't an executable of the same name inside, the system/launcher knows there is?

I humbly suggest that the suffix should be ".app" ;-)

Re:Distribute deps

[spitzak]

Because no other part of Unix depends on file extensions to decide what to do. The system already provides a fast test to see if a file is a directory, that can be used to make this decision.

Users should be able to to rename the file to anything and have it work. However this is a good argument for calling the executable "main" or some other fixed name, rather than the name of the program. The only reason I suggested the name of the program is so that "ps" will work without kernel changes. Using a fixed name like this will also allow you to use .app if that is your preference.

Also .app is bad idea because it requires a user-friendly interface to hide the filename extension.

The short version....

[Kjella]

Typical Windows programs are stand-alone. If it needs something, like e.g. a DirectX version, it'll come along on the CD. Typical Linux programs rely on lots and lots of other packages (which again rely on others and so on). Since it's free, we get to stand on the shoulders of giants.

If you were distributing it on say a CD, it wouldn't be a problem - simply supply a minimum version of every dependency and dependecy of dependency - all the way down. But if you're providing a download, it would be nearly impossible to distribute 100mb+ of libraries to go with your 1mb program.

So the core problem is to find all the dependencies we already have installed, download those we don't, and point the program to where it can find all these.

Not to mention such fun things as libraries that need to be upgraded as a set - imagine you had DirectX 8 & Service Pack 1, and that DirectX 9 required SP2, SP2 required DirectX 9. The answer? Install both, and it will work. Of course, then Microsoft would combine them to one update.

On Linux, you may have packages from 10 different groups of people. Then you need a package manager to try to figure it all out. And people will not agree on what is the "right" combinations, should it be only rock-stable builds (debian-stable?) or every latest beta build (Fedora-unstable-testing-alpha-something?).

Kjella

Why not a standard installer...

[donkeyoverlord]

with a standard package? This way every linux system runs the same installer and can download the same packages. But because every distro does everything just a little different, the installer reads a config file so that everything is dumped into the same place.
The installer would by default download a binary from one of many sources in a config file. But would have a flag for downloading and installing from source. Also you could specify a file to be installed that is local.
install randomapp -l /usr/src/randomapp
or
install randomapp

Uninstalling would be just as easy just type "uninstall randomapp".

Cross platform and compatible on all systems because everything is the same EXCEPT a config file. Makes sense to me.

Standard information, many choices

[spectrokid]

Instead of trying to standardise packaging, wouldn't it be more realistic to define one standard file where different package managers can fetch information on how a computer is organised? In this way, the authors of different package managers could claim their program is "compliant" with this new standard. Freedom of choice, but still a standard.

Mad Penguin web site error

[talexb]

Fatal error: Call to a member function on a non-object in /home/madp/public_html/includes/blocks/online.php on line 70

... when visiting Mad Penguin.

None of this will matter...

[emil]

...until you can get a major commercial vendor to bite and dump their own package system.

I seem to remember that Digital UNIX was converting to RPM, but it doesn't seem to have panned out.

Hmm

[n1k0]

I've not read the article since it won't freakin' load, but from the summary description I really fail to see how a new package manager will solve anything.

** Problems

- Package format compatability.

Generating software packages for rpm, deb, tgz, BSD ports, etc. is a major annoyance to software developers and package maintainers. The proposed system seems to solve this by supporting the 'big three' in one package manager. A single package system is the solution to this problem, not a new package mangler. I'm sure there are many proposed packaging systems out there that want to solve this exact problem, and the author's time might be better spent by adding support for the most promising system to apt or yum rather than taking what appears to me to be the wrong approach.

I don't know about other distributions, but Debian solves this problem rather nicely by allowing you to install rpm. There's also the alien utility, which will convert to or from deb, rpm, and tgz. Some would say that this is not ideal, but its far simpler than throwing volumes of standards and megabytes of scaffolding at the problem. "Keep it simple, but not simpler than it needs to be." Alien is as simple as elegance permits.

- Cross-distribution library compatability.

This problem will only be solved if distribution maintainers make a conscious effort to do so. I can assure you that this will never happen, and native-code binary packages will never, ever, ever fit the 'build once, run anywhere' model, even if 'anywhere' means a different distribution on the same platform. A new package manager will not make it any easier for me to install Mandrake's KDE 3.2 packages on my Debian or Fedora boxen.

- Cross-package-format dependency resolution.

About the only thing this idea would help with is satisfying package dependencies across package formats. E.g., libA, an rpm, depends on libB, which is only available as a deb. Assuming the the libraries in the rpm and the deb will install and link nicely, this idea would provide a package manager that would know how to do just that. But I can see no benefit to wanting to do this sort of thing in the first place, and I would suggest that it would only complicate systems management.

- Systems like FreeBSD port and Portage?

This manager works on the most popular systems. What about more esoteric package managers? Shouldn't it support them, too? Someone's bound to ask. In this regard, the system wouldn't be promoting standardization and would be duplicating the work of many distributions, probably poorly since attention (and design of the APIs used internally by the manager) has to be spread over many package formats instead of one. Again, a real solution is deciding on a single package system to use, not creating a tentacled, five-ton beast that will crush you to death when it tries to sit on your lap.

- The Simpsons did it! I mean, apt did it!

There are versions of apt for rpm and deb. They regrettably seem to be mutually exclusive, but the point is apt covers up many ugly parts of any packaging system via automation, and it supports two of the three package formats attributed to the author's idea. And since 99% of the time there is no reason to install packages of differing formats on the same system, it doesn't matter that apt for rpm and deb are mutually exclusive.

** Conclusion

Now that the site is back, I see that all this guy seems to want to do is write a silly GUI tool that lets you install packages of arbitrary formats by clicking a few times and that will run on the popular systems so that users will feel at home on different distributions thanks to a consistent GUI. Oh well, I wish you luck guy. I think this is a worthy endeavor insofar as end-users and the much-hyped "Linux Desktop" are concerned.

-Nick

Think of it more...

[Kjella]

The amount of time and money that's been wasted on this problem for over twenty years in the unix world is just mind-boggling. We really do not need to reinvent this wheel again.

...as railroad tracks. Everyone agrees on how "the wheel" works, and it works bloody fine with the trains you already have even if they all have different track widths. Yet somehow it would be nice if you could grab a train from just anywhere and drop it somewhere else, and it'd fit and it'd work.

That's where we're at today. And every so often, someone tries to suggest a "reengineering" plan to make all the trains operate on the same tracks, without really getting anywhere. Sooner or later one format will succeed, albeit slowly.

Kjella

Re:Lies, Damn Lies, and Statistics

I don't know of anyone who went from DOS/Windows 3.1 through Windows XP with just upgrades, and without a reinstall.

I actually just got one of my bosses to upgrade to Windows 2000 for his development work... his NT directory was called "WINNT35". 'Pain' doesn't even begin to describe it...

Better Package Management

[0x12d3]

See, the legal system is not the way to solve our problems.

Charming. Tried upgrading?

You've had XP installed for a year. Charming. That's one version of the OS. Wait for Longhorn to come out, and then whatever comes after that, and see if you can go through all the upgrades without reinstalling. Until then, you can't draw any conclusions.

One year is a lot of time by Windows 95 standards for not having to reinstall. In contrast, by Debian standards, you go through many, many major revisions of the core OS, and then don't have to upgrade.

I would also question how many major revisions of applications you could have gone through in one year. Under Debian, I have gone through hundreds or thousands of programs, from pre-alpha to beta to release to several major versions ahead, and never had a problem, in many long years of use. One year is nothing. Wait for the next version of XP, 3 more versions of Office, and a couple of Internet Explorer, keeping a couple of old applications incompatible with the new DLLs, and then tell me Windows doesn't have bit rot. Keeping the same version of an OS installed for a year says nothing about bit rot.

Re:Charming. Tried upgrading?

Well I have a box that's about 5 years old and has gone NT4 -> 2K -> XP with only very minor issues, has had 3 different versions of Office, 4 different versions of IE, and lads of 3rd party software, drivers, and so on installed and uninstalled along the way. And it still runs great.

You might have a point about Win9x, but Windows NT has a significantly better record at doing this than most Linux distros, so let's can the crap.

PErfect Desktop again ?

[Ploum]

It really like what I was saying a few months ago.

I just focused on Debian..

It's already been built

It's already been built: Synaptics.

When I decided to try to leave Windows behind (after seeing Knoppix on my laptop, and mainly because of MS's mandatory registration), I went with Redhat. But through freshrpms, I quickly found and latched on to apt for rpm and Synaptics.

Not only is Synaptics just as comfortable to use as Windows' "Add/Remove Programs," but being able to scroll through the descriptions of available packages let me find some great things (like Anjuta, dnsmasq and K3B.) I added Planet CCRMA to my repositories list, and using only Synaptics for installation, I now have a full music studio.
It's not that I never have to edit the occasional text file (like fstab and iptables) to get things working, but I use gedit to do it. And I use the command line only sparingly.

(And I'm now setting up 2 friends, who have only Windows experience, with Linux system.)

Things don't have to be difficult. Use what's out there.

--A long-time lurker
(Perhaps I'll finally register soon)

Re:It's already been built

[sgtrock]

--A long-time lurker
(Perhaps I'll finally register soon)

Hoping to get slashdotID 1,000,000? :)

Re:Dependancies - Sandboxing

[mnemoth_54]

The way windows gets around this (sometimes) is by placing the old library(dll) in the same directory as the exe calling, while the system retains it's newer version. It's a reduementary form of sandboxing, at least on the file level.

I think what is needed is similar version snadboxing for packages. When installing a new pkg.y that call for and upgrade to lib.x.5, but lib.x.5 causes a cacading dependency problem for the rest of the system, it should give you the option to install lib.x.5 and pkg.y together, without upgrading lib.x.4 that the rest of the system needs. It may need to be recompiled to use the lib.x.5 in a non-standard location, but it would help greatly.

Now, all of this may not work too well if you plan to use pkg.y to talk to pgk.z if they use different version of lib.x, but it's a start. You could allways move pkg.z into the 'sandbox' as well, I guess.

Support "family PC"

[DrCode]

A lot of Linux PC users really are using a "personal" computer, in that only one person generally uses it. This is my situation at work.

At home, though, the PC gets shared by 4 people. So, if I install something new, I'll often want to add it to one of my KDE menus. But then I have to remember to do the same for each of the other 3 users, or go through the pain of walking them through it.

Thus, one feature of my ideal package manager or installer would allow a root install to easily update the KDE/Gnome menus of all users, perhaps being able to choose those in a particular group.

Re:Support "family PC"

[spitzak]

KDE merges the menu entries stored in some central files (under /etc?) with the ones in your home directory. So modifying the central entries should be able to add an item to everybody's start menu. I assumme the same is true for Gnome.

It would help if their documentation provided clear examples, with actual file names of where this stuff is stored, however. I was unable to locate it quickly enough to provide a better answer to your question.

Re: A-A-P?

[oever]

Here's a similar package funded by a dutch institution:

A-A-P

source-based package efficiency?

[raw-sewage]

To me it seems that source-based package management is more efficient, at least in (very broad) terms of storage utilization. Package source files are currently represent the most "standard" package format available. Most OSS projects offer a vanilla source tarball for the roll-yer-own crowd. Likewise, source-based distros use these same source archives as their actual "packages".

On the other hand, binary distributions maintain their own compiled packages. Think about how many different binary packages are available for all your favorite programs across all the different distributions. How much aggregate storage space is being wasted for what is really redundant (yet slightly different) data?

Source-based distributions (Gentoo, FreeBSD) only have to maintain their build scripts. I'm sure that the complete collection of any source-based distros' build scripts is significantly smaller than any binary-based distros' complete collection of binary packages.

Now I'm not arguing for the superiority of source-based distros (they're certainly not for everyone). But the source package should be the standard base upon which each distribution builds its packages. For example, instead of Debian maintaing all those binary packages, why not maintain a method (i.e. a script) for creating those packages?

This would effectively give every binary-distribution a source-based option. My concept is that every distribution would start with a Gentoo- or FreeBSD-like source distribution system, but also maintain a cache of pre-compiled binaries. Gentoo already does this with a few huge packages (e.g. you can download and install a pre-compiled OpenOffice.org package).

In short, I'm suggesting that all the distributions could change their internal infrastructure by adding a source/build script layer, but not affect the actual installation, administration and/or use of the system. Standard disclaimer: I have never worked intimately with any package manager, so much of this is speculation/brainstorming.

You can find out where a program is on Linux

[spitzak]

This code will find the full path name to the current executable:

buffer[1024];
strcpy(buffer, "/proc/self/exe");
for (;;) {
char buf2[1024];
int n = readlink(buffer, buf2, 1023);
if (n <= 0) break;
buf2[n] = 0;
if (buf2[0]=='/') {
strcpy(buffer, buf2);
} else { // Handle a relative link: // copy up through the last slash:
char* p = buffer;
char* a = p;
const char* b = program_name;
while (*b) if ((*a++ = *b++)=='/') p = a; // Skip leading ./:
b = buf2; while (b[0]=='.' && b[1]=='/') b += 2; // now put the filename there to get a relative filename: // This may overflow the buffer!
strcpy(p, b);
}
} // Full path to the current executable is now in buffer

(obviously cleaner code that cannot overflow buffers should be written and stuck in a function, but it is not impossible).

Re:You can find out where a program is on Linux

[IamTheRealMike]

Sure. That doesn't work for shared libraries though, so it's only usable inside the primary binary.

The way binreloc works is by taking the address of an empty string symbol from the GOT then scanning linker maps in /proc/self/maps to find itself. This is 100% robust and works regardless of whether the code is used inside the executable or library. It also gives you an absolute path every time with no manipulation needed.

So the real question is, if it's so easy why doesn't glibc provide a function to do it for you?

Re:You can find out where a program is on Linux

[mandolin]

Why do you need the 'else' part? I can't see how to execute a program such that its /proc/self/exe shows up as an relative path.

And from a visual grep, your function will usually loop forever :-)

(Thx for that example, btw; I'd been using /proc/getpid()/exe to do the same thing)

Re:You can find out where a program is on Linux

[spitzak]

I may have typed it wrong, but the loop is supposed to exit when the readlink fails because the file is not a link.

I believe the relative path part is not required on Linux. It is there because this same code was used on Unix systems that don't have /proc, where it searches the path for the known name instead of starting at /proc/self/exe. This is necessary there because people often put relative linkes into those paths.

Re:You can find out where a program is on Linux

[mandolin]

I may have typed it wrong, but the loop is supposed to exit when the readlink fails because the file is not a link.

You're correct -- my bad..

I believe the relative path part is not required on Linux. It is there because this same code was used on Unix systems that don't have /proc, where it searches the path for the known name instead of starting at /proc/self/exe

Gotcha. Thanks again.

Good idea....

...so let's fork it.

Why such a complex package file format?

I looked at a description of the red Hat RPM file format, and the header seems needlessly complex. It would be better to use a format that is as simple as possible and thus as hard as possible to accidentally screw up.

One possibility that comes to mind is something like the FITS format used in astronomy. You have an ASCII text header followed by binary data. The header is just lines of the form name=value followed by an END statement. This should be flexible enough for any package installation needs -- you can always come up with new parameter names and value sets as needed. Yet it is simple and easy to read. There are no file offsets to worry about.

--- Brian

This already exists

[TrixX]

It's called Red Carpet

It's the distribution stupid!

[Jason+Earl]

It's not the dpkg format or even the apt tools that make Debian so nifty. The thing that makes Debian work is that Debian has put together a formal process for naming, creating dependencies, and testing, so that the packages work together.

The packaging format is just the tip of the iceberg, and people that think that they can solve the many problems with installing software, especially software with complex interdependencies, by slapping some metadata alongside their tarball are simply delusional. apt4rpm wouldn't have helped the RPM based distributions without some sort of centralized repository of RPMs that had been tested together.

Re:Dependancies - Sandboxing

[IamTheRealMike]

Nah, you misunderstood what the guy was talking about.

On Windows, the linker records which DLL a symbol comes from and you can explicitly specify it in the source/header files using some simple language extensions. On Linux, that isn't done, and worse ELF specifies unscoped symbol fixup semantics.

To rephrase the original question: if libA1.so is linked against foo_func() in libA2.so, and libB1.so depends on foo_func() in libB2.so, and binary Z links against libA1 and libB1, then the results will not be what you expect. Both libA1 and libB1 will be linked to the foo_func() in libA1, because that came first in the load order.

This causes problems when different parts of the program use different versions of the same library - they may be independent parts of the code but the wires get crossed inside ld.so and things go boom.

It'll need to be fixed at some point. Using the ELF grouping extension in Solaris seems to make sense. Somebody just needs to write the code and (this is the hard part) get it accepted upstream.

Re:Dependancies - Sandboxing

[cubic6]

What would be really smart would be to copy what Microsoft does with DirectX and enforce strict backwards-compatibility with every version. That way, if you had lib.x.7 you could run programs linked with any previous version. However, I don't know if this is possible with Linux's loader.

If anyone really wants to solve this...

[stor]

Personally I believe that the metadata that packages use (dependencies, build, etc) need to be pushed down into autoconf.

What's so hard about making ./configure && make && make install smarter so that package managers can just read _that_ to build their dependecy trees?

Cheers
Stor

Use staticly compiled binaries

[suitti]

Most of the dependencies go away when binaries are compiled statically. Unfortunately, the defaults have leaned so heavily towards shared libraries, that people don't know how to compile static anymore.

It makes one pine for the days of the a.out format.

Checkinstall does it !

[mallumax]

Checkinstall is a program which helps you in keeping track of programs installed from surce. instead of make install,you run checkinstall which gives you the option to create an rpm or deb or tgz kg(??) Say if you choose rpm ,an rpm will be bult and installed and saved. Now you can use the native package manager to keep track of the packages you have installed from source. But this is useful for people who are not afarid to build programs from source. Neverthless it's one of the best tools for linux. http://asic-linux.com.mx/~izto/checkinstall/index. php

Re: A-A-P?

PGP/GPG == DRM

DRM is where software goes against your will, to protect the rights of others. If I pgp-encrypt a file, you will be unable to access it. However, this is because you have no way to open it without my help. Your own software is not refusing to open the file. Your software is _incapable_ of opening the file. That's the difference. DRM systems, such as those that prevent copying of a music file, could easily allow you to make the copy. They just don't.

I feel I should mention...

[Ben+Urban]

* GNOME is written entirely in C, not C++.
* The problems you were experiencing were most likely due to the fact that GNOME 2.x has source incompatibilities with GNOME 1.x.
* There are ways to have both GNOME 1.x and GNOME 2.x installed on the same machine; it's just ridiculously complicated to do so. (Gentoo seems to manage to handle it seamlessly though.)

Resolving dependency hell

[sita]

The problem is not the different package managers, but that you almost invariably run into dependency hell when trying to install binary packages. This is due to the fact that most distributions install software in a way that makes it difficult to concurrently use different versions of software.

If the distribution installed software in a directory structure that included the package and version name, dependent packages could be configured to use different versions of the same packages.

If a new end user tool required a new version of a library, the existing tools that used the old version should not have to change.

Like so:
/package/name/version/{bin,lib,...}

There would always be points of contentions, of course, like user config-file format changes between versions, but situation would be substantially improved.

I believe I saw a reference to a distribution that worked similar to this.