Slashdot Mirror


A Windows-Based Packaging Mechanism

FishWithAHammer writes "As part of my Google Summer of Code project, I'm working with WinLibre to develop a Debian-like software download system for free/open source software on the Windows platform. My reasoning is that open source software suffers from poor presentation. Most computer laymen, even those aware of open source software, often don't have any idea how to go about looking for it, but would use it if it were easier to access. What I have proposed is both a Debian-style packaging mechanism (capable of using Windows Installer MSIs or not, as the user wishes) and a software 'catalog' that takes the best aspects of Synaptic and Linspire's Click-N-Run system. Seamless, simple installation and removal of programs in as straightforward a way as apt-get (there will be a command-line tool as well). I'm posting to Slashdot to get the ideas of you lot who, while you may not be the target audience, can certainly provide insights that can be of value." Read on for more of this reader's ideas and questions.

There are areas that I'm personally not familiar with, and while I have done some research I would like the opinions of Slashdotters on some others. While at first I intend to set it up so that WinLibre (and I) run only one repository, I am curious as to how this sort of tool could be most useful to network administrators. Customizable repositories will be available; the code will be under the GPL, after all, so it'd be a little hard for them not to be available.

I'm also interested in the ideas of those who might be in a position to roll together packages. I intend to package a number of open-source language interpreters with the core software to allow special pre- and post-install scripts, as well as removal scripts. C#Script, Perl, and Python are definites, as is a Cygwin sh interpreter. We will have some program requirements — chief among them that no registry changes may be made by the program — but some of them, I fear, will require some flexibility; some programs really do require a way to edit the registry, for example, and I am considering offering some sort of tracked way to make registry changes so they can be rolled back on uninstallation of the program.

I'd love to hear what Slashdotters think of this. Think of it as a wishlist, but you don't get any damn ponies.

Ed Ropple (FishWithAHammer)

8 of 451 comments

  1. Security, security, security. by MythMoth · · Score: 3, Interesting

    Do not let this become a new attack vector.

    --
    --- These are not words: wierd, genious, rediculous
  2. Here's a concept I'd like to see by DaleGlass · · Score: 3, Interesting

    That packages provide functionality. This is already done in the form of virtual packages like web-browser, but I'd like to go further.

    For example, the current system is that OO Writer and KWord are in the "word processor" category. But what if I want something that can open AmiPro documents? What options do I have there? That's generally not included anywhere in the package's description.

    I found this weird .pcx file, and have no clue what it is; what can I open it with?

    Or, what music player has the ability of playing .s3m files?

    What mail clients can I choose from if I'd like both NNTP and IMAP support?

    What programs are available that do some function that is related to an HP nx5000 laptop? (this would match programs controlling LCD brightness, support for the onboard bluetooth, etc)

    A nice thing would be having these capabilities roughly grouped as "can access" (can play .s3m files) and "fully implements" (can create .s3m files).

  3. ReactOS compatibility by lobotomir · · Score: 3, Interesting

    So, in theory this should work with ReactOS when they are both finished, right?

  4. Not sure by Mostly a lurker · · Score: 5, Interesting

    Superficially, this seems an interesting project. I think, though, the problems with managing open source software on Windows are going to be very different to those on Linux: possibly to the point where what you can achieve will be limited.

    The first issue that occurs to me immediately is that Windows has no single suitable native package management system that you can hook onto. Because of this, program installations tend either to (i) include whatever prerequisites they need and check whether their installation is necessary; or (ii) list the prerequisites in the installation instructions and leave it up to the user to ensure they are satisfied. Now, you might say that the whole point of the project is to resolve this, but I think you are going to run into licensing problems when you try. Let's say a particular open source product relies on .NET Framework 2. Are you then going to include .NET Framework 2 in your repository? Are you going to download it from Microsoft, using Microsoft's Download Center as a kind of adjunct repository? Are you going to talk to Microsoft to see if they will cooperate in working out a solution? This seems hard.

    I do think that a single starting point for finding quality open source solutions on Windows has merit. Right now there is a bewildering mass of products out there, and no easy way of sifting the gems from the dross. If nothing else, you might be able to provide a good menu of open source products that are deemed worthy of consideration.

    Good luck!

  5. Considerations about multiple repositories by maxwell demon · · Score: 3, Interesting

    One thing I think should be considered from the beginning is how to handle multiple archives, which may be independently maintained. Sure, the basic operation is simple: You add a new URL to the list of archives to search, and then you can see the contents of those archives. However that's not all there is to archives:

    1. How do you find additional repositories?
    2. How do you find out if a given repository is trustworthy?
    3. What to do if several repositories contain packages for the same application or library?
    4. What about version inconsistencies?

    Points 1 and 2 can IMHO be (mostly) solved together through a "repository web": Repositories not only contain packages, but also links to other repositories. Those links should also be rated, so you get a web of trust for repositories: You can mark several "root repositories" as trusted or untrusted (those settings should, of course, be user-changeable). Then trust would "propagate" through links marked as trusted, or "anti-propagate" through mistrust-links. One could even imagine "repository hubs", repositories which don't contain files, but only links to other repositories together with trust ratings. It might also be a good idea to have several trust ratings for the contained files, and for the contained links (after all, you can well imagine an excellent file repository where the maintainer isn't able to accurately rank the trust on inter-repository links).

    For points 3 and 4 I don't have a suggestion right now, but they definitely should be considered (note that separately maintained repositories will almost certainly cause inconsistencies at some point).

    Of course you can just pretend that there will always be only one repository, or that all repository providers will work together to avoid inconsistencies, but I think that's not really a good idea. Additional independent repositories will eventually come (assuming the project is a success), and therefore the problems caused by those should definitively be anticipated, even if originally there's only one repository.

    --
    The Tao of math: The numbers you can count are not the real numbers.
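
The "repository web" proposed in comment 5, worked through as an added example (not code from the thread or from WinLibre). The repository names, the link data and the conflict rules are assumptions: only a trusted repository's ratings count, a verdict from closer to a user-marked root wins, and mistrust wins at equal distance.

```python
# Constructed sample: each repository publishes rated links to other
# repositories. All names and ratings are hypothetical.
LINKS = {
    "winlibre-main": [("community-hub", "trust"), ("warez-mirror", "mistrust")],
    "community-hub": [("media-tools", "trust"), ("dev-tools", "trust")],
    "media-tools":   [("warez-mirror", "trust"), ("codec-pack", "trust")],
    "warez-mirror":  [("dev-tools", "mistrust"), ("shady-extras", "trust")],
}


def propagate_trust(links, trusted_roots, untrusted_roots=()):
    """Classify repositories level by level, starting at the user's roots.

    A repository's classification is final once assigned, so ratings
    published by repositories further from the roots cannot overturn it,
    and an untrusted repository can neither vouch for nor blacklist others.
    """
    untrusted = set(untrusted_roots)          # explicit user distrust wins
    trusted = set(trusted_roots) - untrusted
    frontier = set(trusted)
    while frontier:
        rated = [(target, rating)
                 for repo in frontier
                 for target, rating in links.get(repo, ())]
        decided = trusted | untrusted
        # Mistrust is applied first, so it beats trust at the same distance.
        newly_bad = {t for t, r in rated if r == "mistrust"} - decided
        untrusted |= newly_bad
        frontier = {t for t, r in rated if r == "trust"} - decided - newly_bad
        trusted |= frontier
    return trusted, untrusted


def verdict(repo, trusted, untrusted):
    """Anything the walk never reached stays 'unknown' (treat as not trusted)."""
    if repo in untrusted:
        return "untrusted"
    return "trusted" if repo in trusted else "unknown"


if __name__ == "__main__":
    good, bad = propagate_trust(LINKS, {"winlibre-main"})
    for name in ("codec-pack", "dev-tools", "warez-mirror", "shady-extras"):
        print(name, "->", verdict(name, good, bad))
```

In the sample, the trust link from `media-tools` to `warez-mirror` is ignored because the root already mistrusts that repository, and the mistrust that `warez-mirror` publishes against `dev-tools` has no effect.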
  6. Updates system for OSS by pubjames · · Score: 4, Interesting

    I have been thinking about this recently.

    I have lots of applications, both OSS and commercial, that have some kind of update system built in - the application checks for an update when you start it, for instance, or when you select the option from the help menu. In fact it is getting to the stage where practically every app. has this.

    What I would like to see is a single open method of doing this which could work for all applications (so even commercial software providers could opt into it if they wanted), which would be simple and secure. It would be great to have a single application open that ran at start-up that said: "The following applications have updates available:" and then lists the applications, and two buttons "Update all" and "Advanced" which would allow you to see details about the updates and select just the ones you want.

    For instance on my Mac I have:

    1) The Official Apple "Software update" that updates OSX and Apple Apps.
    2) The Adobe updater for Photoshop, Dreamweaver etc.
    3) The Firefox/Thunderbird updater
    4) Dozens of updaters for individual apps like TextMate and OSS software
    5) Updaters for OSS packages (Fink/darwinports)
    (Yes, I know about the App Update widget but that only addresses part of the problem, and it does not provide a technical solution that can be used across platforms and projects).

    And on Windows, I have the same kind of mess of updaters.

    I'm sure there could be a simple, elegant technical solution for this, a kind of RSS-type standard for application updates - you could then choose your preferred updater just as you can now choose your preferred RSS reader.

  7. Re:It's the package selection process by salec · · Score: 3, Interesting

    The idea is well understood and frequently restated but it is not a realistic scenario.

    Like someone said up in the thread, there is no way to prevent anyone porting a nice OSS app to a non-free OS. Therefore, users will virtually never feel the urge to switch over to Linux because of a "killer app(s)".

    When (or if) a massive switchover happens, it will be only because Microsoft tried to squeeze users too much and they found they lose nothing important if they switch.

    In other words, blurring the border between the two by porting Free Software to proprietary platforms, making users gradually adapt to the environment they would find in Linux, makes user migration to it more probable, in fact as probable as realistically possible. A side effect would be pushing the shareware producers out of the Windows market by pressure of irresistible competition, which in turn would decrease the number of developers for that platform and at the same time force Microsoft to "deal with devil" and try to play nicer with the FOSS side and users.

  8. Re:MSI by MobyDisk · · Score: 3, Interesting

    I thought this too.
    But MSI doesn't do what the Linux/BSD packagers do. These packagers work by tracking every single file or update done to the entire system. Then they track dependencies between files and packages. They store all this in a database format, which allows you to ask questions like "what is every package that uses MSVCRT71.DLL?" and "what will break if I update package GIF_VIEWER from version 1.0 to version 1.1?" They also manage side-by-side installs, provide a central repository for searching for packages and upgrades, and provide a safe digitally signed repository for applications.

    This is one of the killer features of Linux that I miss on Windows. But I suspect it won't work for the same reasons it doesn't work on Linux. It's only useful if 100% of the applications use it. If any one of them doesn't, then the whole system can come crumbling down. But basically, it is a fix to DLL hell, so it can't make things on Windows any worse.

    On a note of MSI, MSI may seem to do the above, but it doesn't. It's a packaging format, and it allows for install and rollback much like the Linux packaging systems do. But most of the time it is unrealistic to expect the repair/rollback/uninstall features to actually work. I've worked at a few companies who have made MSIs, and generally you take some other EXE or script-based installer, then you wrap it in an MSI and say you are done. You rarely use the actual MSI features because they are too complicated and the tools don't generally support them. And Windows installs are full of kluges like editing a registry key here, adding a shell extension there, etc. Things generally don't fit into the nicely packaged mentality.
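
The two package-database questions quoted in comment 8, as an added example (not code from the thread or from any real package manager). The schema, the sample rows and the version-range form of a dependency are assumptions made for illustration.

```python
import sqlite3


def vtuple(version):
    """'1.10' -> (1, 10), so versions compare numerically rather than as text."""
    return tuple(int(part) for part in version.split("."))


def build_db():
    """In-memory package database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE package (name TEXT PRIMARY KEY, version TEXT NOT NULL);
        CREATE TABLE file_use (package TEXT, filename TEXT COLLATE NOCASE);
        CREATE TABLE depends (package TEXT, needs TEXT,
                              min_ver TEXT, below_ver TEXT);
    """)
    db.executemany("INSERT INTO package VALUES (?, ?)", [
        ("GIF_VIEWER", "1.0"), ("PHOTO_ALBUM", "2.3"), ("THUMBNAILER", "0.9")])
    db.executemany("INSERT INTO file_use VALUES (?, ?)", [
        ("GIF_VIEWER", "MSVCRT71.DLL"), ("PHOTO_ALBUM", "msvcrt71.dll"),
        ("THUMBNAILER", "zlib1.dll")])
    db.executemany("INSERT INTO depends VALUES (?, ?, ?, ?)", [
        ("PHOTO_ALBUM", "GIF_VIEWER", "1.0", "1.1"),   # pinned to the 1.0 series
        ("THUMBNAILER", "GIF_VIEWER", "1.0", "2.0")])  # any 1.x release is fine
    return db


def packages_using(db, filename):
    """Every package recorded as using the file (Windows names ignore case)."""
    rows = db.execute("SELECT DISTINCT package FROM file_use "
                      "WHERE filename = ? ORDER BY package", (filename,))
    return [name for (name,) in rows]


def breaks_on_upgrade(db, name, new_version):
    """Packages whose declared range min_ver <= v < below_ver excludes the upgrade."""
    new = vtuple(new_version)
    rows = db.execute("SELECT package, min_ver, below_ver FROM depends "
                      "WHERE needs = ? ORDER BY package", (name,))
    return [pkg for pkg, low, high in rows
            if not (vtuple(low) <= new < vtuple(high))]


if __name__ == "__main__":
    db = build_db()
    print(packages_using(db, "MSVCRT71.DLL"))
    print(breaks_on_upgrade(db, "GIF_VIEWER", "1.1"))
```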