Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Make Easy-to-Package Linux Software

Posted by timothy on from the easy-rocks dept.

jmmv writes "The packages in any Linux distribution (or other operating systems) are a master piece to let the user install any program he wishes as painlessly as possible. However, the creation of these packages is not always free of problems. Usually, the packager finds that the program he wants to package suffers from a series of pitfalls - either conceptual or related to portability - that make the packaging task harder than usual. This is why I decided to write an article (published at ONLamp.com) summarizing these problems and proposing several solutions to each of them, aiming to make the life of the packager simpler. I hope it to be of interest to free software developers and also hope that they understand some of the issues and try to fix them in their creations."

52 comments

  1. Avoid modifying published distfiles. by keesh · · Score: 3, Insightful

    "Avoid modifying published distfiles."

    Oh heck yes. The number of times I've been bitten by a few projects (yes mplayer guys, I mean you) doing this and breaking Gentoo's digest system...

    1. Re:Avoid modifying published distfiles. by Spoing · · Score: 1
      1. "Avoid modifying published distfiles."

        Oh heck yes. The number of times I've been bitten by a few projects (yes mplayer guys, I mean you) doing this and breaking Gentoo's digest system...

      Why would the Mplayer project folks be to blaim? Wouldn't the blaim be properly focused on Gentoo, as they modified (?) the core distribution for use with Gentoo?

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Avoid modifying published distfiles. by Papineau · · Score: 3, Informative

      I think what OP meant was that Mplayer released a tarball, then found some bug in it and released a second one with the bug fixed but the same filename. Any MD5 hash of the first one will fail on the second one. Gentoo uses a MD5 hash to verify that the file is the right one.

    3. Re:Avoid modifying published distfiles. by Richard_at_work · · Score: 1

      If Gentoo wanted to ensure that functionality, then they should host the files themselves imho. They are providing for something that the hosters of the files dont allow for.

    4. Re:Avoid modifying published distfiles. by Anonymous Coward · · Score: 0

      Perhaps, but leaving distfiles alone is still a good idea.

      It is bad for almost everything, including among others mirroring (Should you remirror the file? How do you know it has been updated, anyway?), users (That version is fixed or broken?), and developers (A good versioning scheme is important, ask anyone).

      A "Brown Paper Bag" release is better in every case I can think of. Unless you're trying to hide your bugs, in which case you're insane.

      The only other thing which changes MD5s is repackaging. If you're going to do that, you should really consider waiting until the next version, for the above reasons, unless something went horribly wrong (I can't think of anything off the top of my head, actually) ...

  2. How to properly package for linux by ZephyrXero · · Score: 4, Informative

    http://www.autopackage.org

    --
    "A truly wise man realizes he knows nothing."
    1. Re:How to properly package for linux by keesh · · Score: 3, Interesting

      Oh, brilliant idea. Force everyone to run arbitrary shell scripts before they can even unpack your package. At least with a tarball you can extract it and check the contents without having to run any untrusted package-supplied code.

    2. Re:How to properly package for linux by polyp2000 · · Score: 1

      I dont have mod points to mod you up, but autopackage really does exactly what it says on the tin (tm) - it just works (tm) I hope that more and more projects start providing ".package" files in addition to the source code etc.

      --
      Electronic Music Made Using Linux http://soundcloud.com/polyp
    3. Re:How to properly package for linux by Anonymous Coward · · Score: 1, Interesting

      Because of course everyone uses x86, no-one uses any apps written in C++, there are no such things as optional dependencies, every package distributer can be trusted, and every distribution builds software in exactly the same way with exactly the same library versions.

      Oh, wait...

    4. Re:How to properly package for linux by ZephyrXero · · Score: 1

      Well, if you're that paranoid with your software, you can just wait for your distro to put it in their own repositories.

      --
      "A truly wise man realizes he knows nothing."
    5. Re:How to properly package for linux by Anonymous Coward · · Score: 0, Flamebait

      ...which they're not likely to do if upstream use autopackage, since the format is so fucking broken that any sane distro person avoids anything that uses it. Which fortunately, is pretty much nothing. Besides, you'd better *hope* that your distro people are paranoid when it comes to security.

    6. Re:How to properly package for linux by polyp2000 · · Score: 4, Insightful

      who mentioned about forcing people to do anything? Most projects supply their files in several different formats so that people can make a choice as to what kind of install they want to do. I dont really care what you think, because if you are truly honest with yourself, you will admit that installing software on linux is a pain in the arse sometimes - even for seasoned users. Giving joe sixpack a foolproof click-through self-installer for linux is not just a good idea its a requirement. Especially as it continues to make headroads on the desktop.

      I use Gentoo and Vidalinux by the way. The portage system is pretty good and dependancy issues are pretty much a thing of the past although annoyingly i still have problems. Im lucky enough to have a fairly beefy SMP computer so most of the time i dont have to wait too long for compiles.

      Having said all that Autopackage is the best thing ive seen as an installation method yet. Have you actually tried to use it yet ?

      Make sure you read the instructions first. You dont even need to go anywhere near a shell prompt!

      4 steps to installing an autopackage...

      --
      Electronic Music Made Using Linux http://soundcloud.com/polyp
    7. Re:How to properly package for linux by ZephyrXero · · Score: 1

      Well, if it's open source software, the source code would be released as well. C'mon guys....

      --
      "A truly wise man realizes he knows nothing."
    8. Re:How to properly package for linux by GreyWolf3000 · · Score: 1
      In my opinion OSS software needs to standardize how they build software--things like version numbering systems and adhering to the FHS. Libraries should all handle living side by side with earlier versions. Packages should be easily relocatable.

      At that point, any sane package management system would work beautifully.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    9. Re:How to properly package for linux by RdsArts · · Score: 2, Insightful

      Oh, brilliant idea. Have a distro system that has been silently hacked and trojaned in the past complete and uninhibited root access on your box WITH unaudited shell scripts.

      Woo! Apt!

      Oh, you where talking ab... Oh...

      Huh...

    10. Re:How to properly package for linux by ZephyrXero · · Score: 3, Insightful

      Here's the problem... The open-source/free-software movement is similar to an organic evolution/adaptation system, while the proprietary software industry is just that, like industrial/factory systems. Because of the factory like mechanics, proprietary software is easy to package and pump out. Open source goes in all different directions and it's an electronic survival of the fittest. If someone comes out with a better piece of software, people will tend to use it instead. If someone comes out with a better distro or packaging system, it's the same thing. Only thing is... since it all goes in a million different directions, there are alot of "extinct species" along the way. This is our trade-off for the freedom vs. convenience. However, if we can find a way to get the best of both worlds (LSB, FreeDesktop.org, Autopackage, and other open standards)....things could really get exciting.

      --
      "A truly wise man realizes he knows nothing."
    11. Re:How to properly package for linux by RobertLTux · · Score: 1

      a few things i would like to see 1 dump a symlink to the docs into say ~/docs 2 have actual useable documentation 3 if you rewire an ap to move files change the docs to match 4 have some sort of "create full settings file" switch that makes a .#apname with ALL settings (including defaults) or just do so on first run 5 make the most probalble use of your ap have the shortest command line ie apname

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    12. Re:How to properly package for linux by keesh · · Score: 2, Interesting

      LSB is a silly RedHatism. Remember, if you want to be LSB compliant, X11 support is mandatory.

    13. Re:How to properly package for linux by ZephyrXero · · Score: 1

      I'm talking more about the ideals behind it rather than what it actually is right this moment.

      --
      "A truly wise man realizes he knows nothing."
    14. Re:How to properly package for linux by Anonymous Coward · · Score: 0

      The debian guys think autopackage was designed by monkeys. I'd be inclined to agree with them...

    15. Re:How to properly package for linux by FooBarWidget · · Score: 1

      That's only one side of the story. Unfortunately we can't comment on joey's blog. Basically joey concludes that autopackage sucks because he found out that autopackages cannot be easily converted to RPMs or DEBs with Alien. But that is by design: autopackage's design is fundamentally different from RPMs and DEBs. Trying to convert it to other packaging formats is asking for trouble and cannot be done reliably. You may want to read http://www.licquia.org/archives/2005/03/27/autopac kage-considered-harmful/ for responses from Mike, the project leader.

    16. Re:How to properly package for linux by be-fan · · Score: 1

      No, it isn't.

      --
      A deep unwavering belief is a sure sign you're missing something...
  3. There Should Be a Self-Installing Binary by Knights+who+say+'INT · · Score: 1

    What the hell else can I say?

    There should be a self-installing binary.

    Wow, it's so simple and so obvious.

    1. Re:There Should Be a Self-Installing Binary by ZephyrXero · · Score: 1

      See post above...

      --
      "A truly wise man realizes he knows nothing."
    2. Re:There Should Be a Self-Installing Binary by chromatic · · Score: 3, Interesting

      Is it simple or obvious?

      64-bit? 32-bit? With debugging symbols? Without debugging symbols? Statically-linked? Dynamically linked? Which level of optimization? Which kernel? Which compiler? Which glibc? Which processor family? Which instruction set within a processor family? What options have I missed?

      How big is this one self-installing binary you want someone else to create for you?

      --
      how to invest, a novice's guide
    3. Re:There Should Be a Self-Installing Binary by Brandybuck · · Score: 2, Insightful

      I've got a 64bit PPC NetBSD self-installing package here that. Can you use it?

      --
      Don't blame me, I didn't vote for either of them!
    4. Re:There Should Be a Self-Installing Binary by Anonymous Coward · · Score: 2, Funny
      There should be a self-installing binary.

      That's too much like Windows. If software is hard to write, it should be hard to install.

    5. Re:There Should Be a Self-Installing Binary by Anonymous Coward · · Score: 1, Interesting

      It is simple AND obvious. If you want software to be usable, it needs to be flexible. By flexible, it needs to appeal to novice users AND power users. Try this: 32-bit, no debugging symbols, link statically or include your libraries (its worth the disk space to provide an easy uninstall), optimize -O1 (basic optimization - nothing fancy that could affect how registers are used), compile for a 3-4 year old intel-compatible processor (P2 or P3 by now), and unless you're writing a device driver leave the kernel out of it. That should catch a good number of users. Provide source so smart people can do what they want, but don't leave out the people who don't know as much as you.

    6. Re:There Should Be a Self-Installing Binary by Curien · · Score: 2, Insightful

      Statically linked. Great. So now, when someone finds a security bug in the library, you not only have to update the library, you have to figure out all the programs that use that library statically and update them as well.

      Wonderful idea! I'm sure that'll make everything /much/ easier for end users.

      --
      It's always a long day... 86400 doesn't fit into a short.
    7. Re:There Should Be a Self-Installing Binary by Anonymous Coward · · Score: 0

      Yeah, like viruses!

    8. Re:There Should Be a Self-Installing Binary by Anonymous Coward · · Score: 1, Insightful

      Statically linked. Great. So now, when someone finds a security bug in the library, you not only have to update the library, you have to figure out all the programs that use that library statically and update them as well.

      Dynamically linked. Great. So now, when a new release of a library introduces a security bug, you automatically compromise all the programs that use that library.

      Hey, it cuts both ways.

    9. Re:There Should Be a Self-Installing Binary by Anonymous Coward · · Score: 0
      There should be a self-installing binary.

      Um, no, there shouldn't. Two reasons:

      (1) Making things that don't need to be executables executables is a great way to encourage people to run executables without thinking twice. Thinking like that is what has given us viruses.

      (2) It's absolutely critical that the software install via a mechanism where the system copies the files and makes changes on the software's behalf. That way, the system can track what files were installed and what other changes were made, and you will actually have more than a snowball's chance in hell of being able to uninstall. To put it a different way, if the software is installing itself, then the user and the system have to trust the software that its install and uninstall functions are really the inverse of each other. But if a well-tested OS component is the one that does the actual installation, then it can track everything reliably. It's very much like how things used to be before memory protection: a program could malloc() some memory and then exit without freeing it. The memory was then lost. But in modern systems, the OS tracks what memory the process owns, and when the process exits, the memory is freed whether the process did the right thing or not. It should be the same way with software installation.

      Now, having said that, this does not mean there is any reason that the user interface couldn't present software packages as objects which appear to install themselves while in reality they are simply making a request to the system that it install the files. They can even behave like executables: on Unix, they could be interpreted files (that begin with #!), and in window-oriented file managers, they could be icons that are associated with a program that does the right thing when you open the icon.

  4. Third solution to Automatic Decisions by Papineau · · Score: 3, Interesting

    The article is missing a third solution to the Automatic Decisions solutions: gracefully handle at runtime the absence of a (soft) dependancy.

    What I mean is automatically enable all options which are available at build time, but don't hard link to them (use dlopen(3) or somesuch instead), so the same binary package would work in the presence or absence of such dependancies.

    Of course, without the runtime dependancies, some options won't be available, but it's better to do it that way than to force everybody to download libfoo and libbar to satisfy an optional dependancy, or to arbitrarily disable some options (which will only be available to people building from source, not those using a package. You want your software to be useful, right?).

    1. Re:Third solution to Automatic Decisions by Anonymous Coward · · Score: 1, Interesting

      are there any decent wrappers for dlopen() that make it more like linking against a .so ? I HATE having to munge function names etc.

      The Amiga allowed you to dynamically load libraries, yet when you were coding, late bound .library (unix: like dlopened() .so) function calls looked the same as static link .lib (unix: .a) function calls through macro/#pragma magic hidden in the .h file for the library.

    2. Re:Third solution to Automatic Decisions by Anonymous Coward · · Score: 3, Informative

      This is because amiga .library files were a bit like C++/COM objects: each library had a jumptable and base address. Jumptable entry offsets from the base address called LVOs (library vector offsets) were public and known. All library calls were indirected through the jumptable. So the compiler knew from the #pragma in the header to compile a call to, say, intuition.library/OpenWindow() or whatever (my amigaos zen is, uh, rusty, for some reason), to a jump to address IntuitionBase minus LVOOpenWindow, which was an entry in the jumptable (which grew downwards in memory, hence the minus), which then jumped to the actual library function (So every shared library call was a teeny bit slower than a direct function call (but even in those days of 7MHz computers, people seldom noticed)). And the application could pick and choose when to call OpenLibrary() to do the dlopen()-like operation, with very little hackery.

      Actually, the WHOLE AmigaOS was like that. Address 4 in an Amiga process's memory map always pointed to AbsExecBase, the base address of the pre-opened exec.library (the AmigaOS pseudo-microkernel with interrupt handling and task switching stuff and so on). The process could then find exec.library/OpenLibrary() to open intuition.library (gui) and get IntuitionBase, dos.library (DOS) and get DOSBase, and so on.

      This is VERY different to .so files, which are shared object files which are actually dynamically linked at load time by the ld.so program. The recent adoption of "prelinking" of linux .so files is a bit similar if you squint, though.

      Another ramification of the LVO system was that library versioning was pretty easy. The .library file format specified a version number, higher numbers "win". But total binary backward compatibility could be maintained (with effort on the library author's part) even in the face of API modifications in the library, because binaries compiled against the earlier version would expect the old LVOs, so the the library author could just use new LVOs for his new API, and maintain the LVOs for the old API as wrapper functions for his new API (or made them bomb out with an error if he was too lazy to maintain backward compatibility, which is still more graceful than a typical .so or .dll "silently do the wrong thing").

    3. Re:Third solution to Automatic Decisions by FooBarWidget · · Score: 3, Informative

      You may be interested in relaytool. See http://autopackage.org/ for info.

    4. Re:Third solution to Automatic Decisions by Anonymous Coward · · Score: 0

      hm. Something in autopackage that's actually useful... Interesting!

  5. Well, here's an explanation by mr_tenor · · Score: 2, Insightful

    Depends what you mean by "you". It may not bother the end user, but it will bother everyone else who needs to do other things than just run your install script.

    1. Re:Well, here's an explanation by Anonymous Coward · · Score: 0, Flamebait

      That's why people who want to do other things can download the fucking source code and fucking well build it however the fuck they like.

      I picture one of your ancestors, thousands of years ago, complaining about this new-fangled "wheel" thing. "It may not bother you, but it bothers everyone else who needs to move stuff around. Those crappy wheel things can't support a monolith, so they're utterly useless. Let's stick with log rollers like we have for centuries."

    2. Re:Well, here's an explanation by FooBarWidget · · Score: 1

      Joey's blog is only one side of the story. See my reply at http://developers.slashdot.org/comments.pl?sid=144 756&threshold=-1&commentsort=0&tid=185&mode=thread &pid=12122773#12125768

  6. Simple... by agraupe · · Score: 3, Interesting
    Appfolders, like in OS X, for the very simple method. This causes overlap in dependencies, but it will always work. This is the easiest system to deal with, IMO. There can be a simple tar-ball, or self-extracting archive.

    Next, there's distro-based package systems like apt and portage. These work very well, as dependency control is automatic, and it is made to work with your distro specifically.

    The third option, which is used by (I think, but am not sure) Loki Installer, and such programs, is to install the binaries, but leave you on your own to deal with dependencies. As long as you make sure the dependencies are easy to obtain, this is one of the best options for those without apt or a similar system. You could even, with GPL software, create your own installer for any dependancies, should you choose.

    Why not Autopackage? Because it seems like a format that is, at best, a poor substitute for a package system like apt. The simplest solution, considering how much disk space is available on modern machines, is the folder concept like OS X. Very simple, and incredibly easy to remove programs.

    1. Re:Simple... by Makarakalax · · Score: 1

      Congratulations! You haven't got a clue what you are talking about. You clearly have no grasp of Linux packaging, what is involved, what is required, what is sensible, what autopackage is, what autopackage is good for, nor did you read the fucking article.

    2. Re:Simple... by agraupe · · Score: 1

      I'll admit that, but people who know more than me have come up with plenty of reasons that autopackage is a bad idea. The rest of my arguments are still valid.

  7. This definately is a shortcomming in linux distros by Stevyn · · Score: 4, Insightful

    Take a look around. You either get a good method for a few outdated packages, or you get a great system that takes forever to compile packages. Obviously, I haven't dealt much with debian based distros and their magical apt-get, but the major distros like Suse, mandrake, and fedora are still RPM based. I think RPMs have really slowed down linux adoption due to dependency hell. I hope systems like autopackage can help things out.

  8. apt... grr by Anonymous Coward · · Score: 0

    The amount of times (on Ubuntu) that apt/dpkg have screwed up the config files by replacing packages names with rubbish is thoroughly frustrating. It then outright dies and can't even see where it's made a mistake, here's a clue, % is not allowed to be a package name, how about you go replace it with the character that was there BEFORE you screwed up.

    It means I have to go into the extremely long, and messy, database files and fix up the package name myself. I'm not joking when I say it's happened on about 8 installs of Ubuntu (warty). Yet, never on another distro.

    Is this a common problem on Debian systems, or just Ubuntu?

    Anyway, it's heart wrenching, because usually once it's happened once it happens more and more often with worse effects everytime, until eventually the package manager is hosed and only a reinstall will save it.

  9. tar by Anonymous Coward · · Score: 0

    doesn't get any easier than that.

  10. Re:This definately is a shortcomming in linux dist by SadPenguin · · Score: 1

    Agreed. Red Hat made me want to dive into a river to rid myself of all of these dependency issues, and I was aged by the time X,KDE,Gnome,Firefox,Thunderbird, et al finished compiling on Gentoo. I've got high hopes for autopackage, but haven't used it yet. I think that it is obvious that the thing that is keeping linux off the desktop is the difficulty in installing software. RedHat (and other RPM distros) - if you want to have a completely nontechnical-user environment, you can't expect them to touch a shell at all, and when the fancy RPM GUI crashes and burns, or 9000 unresolved dependency require the user installing to do a little forcing and shodding, it comes to a shell. I hope AutoPackage is *it*. The choice of multiple install options is irreplacable and not something I want to, nor am about to give up, but simplicity is paramount in end-user environments, and most distros lack this when it comes to installs.

    --
    sigSEGV - doy!
  11. RPM is not at fault, apt is not magic by Anonymous Coward · · Score: 0

    Mandrake's urpmi does pretty much the same thing, and most people who have installed non-trivial third-party RPMs on Mandrake have encountered dependency unpleasantness. There's also apt-rpm, yum, etc... and they not magic bullets either.

    The reason Debian apt works so well is its well-maintained package archive. The archive is huge: the unstable distribution contains over 18000 packages. Apt is at least as good as the other package tools at resolving dependencies, but can only work with the packages that are available to it.

    Installing a third party package is usually easy because there's a really good chance any dependency it asks for is in the archive. I thought apt was magic too, when I switched to Debian, but urpmi or yum could do the same thing given an archive as good as Debian's.

  12. Criticism: +5. Solutions: -1. by Spy+der+Mann · · Score: 1

    So where are your suggestions to improve it?

    ... <-- the stagnation on Linux user-friendliness: disagreements between developers

  13. Re:This definately is a shortcomming in linux dist by Spy+der+Mann · · Score: 1

    You either get a good method for a few outdated packages, or you get a great system that takes forever to compile packages.

    Compiling? Who's talking about compiling?

    Oh... it's Linux. You HAVE to compile. -.-

  14. Makefiles by sjames · · Score: 1

    I frequently need to package software up for distribution, and have seem bith increadibly easy and next to impossable.

    Please please please do NOT make the build system more complex than the app being installed! Inside every 200 line monument to bogosity is a 10 line makefile trying to get out. I'm not kidding. I realise there are a few cases where it's justifiable, but those are a lot less common than people seem to think. When it's easier for a package maintainer to throw the makefiles away and copy in a new one, the line has been crossed.

    Seperate the prefix for buinding and the one for installing. Most package systems want to build using the normal system prefix (so any compiled in defined paths will work), but need make install to actually put the packages in a different tree to be packaged up rather than in the system. That is, /usr/bin/app goes into /var/tmp/app/usr/bin/app.

    The easiest way is for the makefile to allow for 'make install_prefix=/var/tmp/app install' or even 'make prefix=/var/tmp/app/usr install'. Makefiles that do some final fixup based on the prefix are totally fubar for this case.

    Related pet peeves include a 'stable' package that has dependancies on the CVS version of some library. If your depoendancies aren't stable, neither are you! Similarly, the more dependancies you have, the more important it is to not require the latest sub-sub-sub minor version of those dependancies. I needed to install subversion on a year old system, and it was actually easier to wipe and re-install the whole system than to update the dependancies (and their dependancies).

    In turn, if you export an API, and it changes enough that a dependant program must be coded for either this version or the last (not both), that calls for a major version number bump. Keep in mind that not every maintainer is holding their breath waiting to do a major re-write for your new API, so it will be best if both major versions may be installed concurrently for a while.

    Just to be fair all around, packagers that just have to check the latest version out of CVS implicitly agree that all of the above bets are off. There's a reason it's not yet available as a stable versioned tarball.

    </soapbox> There, I feel better now :-)