Slashdot Mirror

← Back to Stories (view on slashdot.org)

CDE — Making Linux Portability Easy

Posted by timothy on from the namespace-collision dept.

ihaque writes "A Stanford researcher, Philip Guo, has developed a tool called CDE to automatically package up a Linux program and all its dependencies (including system-level libraries, fonts, etc!) so that it can be run out of the box on another Linux machine without a lot of complicated work setting up libraries and program versions or dealing with dependency version hell. He's got binaries, source code, and a screencast up. Looks to be really useful for large cluster/cloud deployments as well as program sharing. Says Guo, 'CDE is a tool that automatically packages up the Code, Data, and Environment involved in running any Linux command so that it can execute identically on another computer without any installation or configuration. The only requirement is that the other computer have the same hardware architecture (e.g., x86) and major kernel version (e.g., 2.6.X) as yours. CDE allows you to easily run programs without the dependency hell that inevitably occurs when attempting to install software or libraries. You can use CDE to allow your colleagues to reproduce and build upon your computational experiments, to quickly deploy prototype software to a compute cluster, and to submit executable bug reports.'"

15 of 385 comments (clear)

  1. Bad idea or worst idea ever? by h4rr4r · · Score: 4, Insightful

    Great, now we can have outdated exploitable libs and every other kind of BS that comes with this. Might as well just statically link everything. Package mangers exist for a reason, use them. Do not bring the errors of Windows to us.

  2. Re:Party like it's 1988 by h4rr4r · · Score: 5, Insightful

    Wow, static linking, did anybody for even a second think it is kinda weird to have the same lib on the machine over and over and in every old exploitable version you can find?

  3. Re:Isn't that three-letter acronym taken? by h4rr4r · · Score: 4, Insightful

    That method guarantees security problems. Applications and their dependencies should be managed by a proper package management system.

  4. Re:Isn't that three-letter acronym taken? by Haeleth · · Score: 4, Insightful

    I am still waiting for Gnome or KDE to catch up with the efficiency and usability of these older environments.

    KDE is getting closer now that it's possible for the desktop menu to present a list of applications rather than a handful of useless wallpaper-changing commands, but both major environments seem to be stuck on the stupid Windows 95-derived taskbar paradigm. Give me spatial management of running applications dammit! I want to develop muscle memory, not scan slowly across a list of tiny icons that are never in the same place twice.

  5. Re:Party like it's 1988 by Haeleth · · Score: 4, Insightful

    That would all be nice if not for each program replacing shared libraries with its own and breaking the other programs.

    Do, please, show me just one widely-used program that does this on a recent UNIX or Unix-like platform.

    A program should not disturb the system or mess with its libraries.

    Right. That's why you should put programs you install under /usr/local, not straight under /usr. Or of course many programs like to be installed in their own self-contained directories under /opt, which is, er, basically exactly what you're asking for and has been common practice for decades.

  6. Re:Isn't that three-letter acronym taken? by countertrolling · · Score: 4, Insightful

    I prefer to avoid the disagreements over what is a "proper package management system". In fact with each program in its own "sandbox", protected from each other, I see better security.

    --
    For justice, we must go to Don Corleone
  7. Re:cross distribution compatibility by icebraining · · Score: 4, Insightful

    Firstly, you don't need 5000, you need 4 or 5 for the most used distros. Ubuntu, Fedora, OpenSuse, Debian and Red Hat. Let the others figure it out from a tar file.
    And if a company like Skype can produce those packages, so can e.g. Adobe.

    Secondly, that already exists.

    --
    Dilbert RSS feed
  8. Re:Isn't that three-letter acronym taken? by h4rr4r · · Score: 3, Insightful

    It is also sure to piss off users who now have to have another Documents directory for each application.

    Else my bad application could edit a document that another application that relies on an old outdated insecure library uses.

    I am starting to think you are not thinking this through.

  9. Re:Party like it's 1988 by Kjella · · Score: 4, Insightful

    For packages provided by the distro, it makes sense to have them all use their complex dependency tree. For installing some other version side by side, this sounds like a great tool. The problem with dependencies is that often a pebble turns into an avalanche by the time you're done. If you want the new version of *one* KDE app, it can drag pretty much the whole of KDE and every library they in turn depend on with it in an upgrade. I've had that happen and ended at 450MB to download and install, and that would pull almost all packages out of LTS support.

    From the user's point of view it's completely illogical to upgrade the whole system just because you want a new feature in amaroK 2.4 while your distro only packages 2.3, you expect one application to install or upgrade independently of any other application. That does not happen with Linux. It is not just about new library versions, via dependencies you pull in unwanted version upgrades. As for security I'd rather have one potentially insecure package on my system than to pull most packages out of support, it probably open ups more vulnerabilities than it prevents.

    I wouldn't want to run a dozen applications like that. But if it's one or two? I got no problem taking the extra overhead of a bit more memory use. And honestly, a lot of software I use isn't in contact with the "outside world" as such. Even if there is an exploit in a library, I'd never open any file crafted to exploit it. Obviously it is good in general to patch stuff, but it's not always that critical...

    --
    Live today, because you never know what tomorrow brings
  10. Re:I really like where this is going. by Junta · · Score: 5, Insightful

    Dear god no.

    I do not want to execute installshield or any similar crap/wizard for every little thing I install.

    I do not want to have a system tray/task manager full of two dozen vendor's update checker processes, each individually bugging me about how I'm running WidgetFoo 1.8.1.20.1.3, and it is critically important that I execute WidgetFoo's custom one-off graphical update wizard with 3 or 4 pages to click through to get to 1.8.1.20.1.4. Then rinse and repeat once per app instead of knocking them out in one shot/dialog/icon/process.

    I do not want each application to bundle their ancient ass directx library or ancient library from visual studio or any other similar crap.

    Windows installs were not historically 'easy' due to any effort on MS's part (installshield and friends made an entire business out of covering for MS' lack of help, even as MSI matured into a usable solution). Linux (specifically Debian) really got this right first. Apple recognized that model and made it a great success on the iPhone, setting the tone for all of modern mobile devices. Debian did it right first and never gets the credit.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  11. Re:Party like it's 1988 by countertrolling · · Score: 3, Insightful

    That's why you should put programs you install under /usr/local, not straight under /usr.

    Not the issue. That's a given. It's when I suddenly find out I don't have some bizarre version of gtk, or ncurses (great name, because that's what I'm doing when I find it missing), and I'm suddenly without internet, it gets a bit tense. I prefer the portability over raw efficiency. It is far and away one of the best things about a Mac. I can take something as bloated as MS Office or Photoshop straight from one machine to the next.

    --
    For justice, we must go to Don Corleone
  12. Re:I really like where this is going. by bmo · · Score: 4, Insightful

    Where something like this "CDE" might be handy is for software that is not in the package manager. Suppose you've written a program that is only of interest to a handful of users. There's no way it's going to find package maintainers for every major distro, and your users might not be happy building from source code

    So do the packaging yourself. It's not hard. And when you're done, you have something sitting in the RPM or DEB database with all the others so you can keep track of it.

    There are also classes of software that are not allowed in the main repositories for some major distros like Fedora and Debian. For example, the authors of indie games might want to let Linux users play without making the whole game open source. Even if they open-sourced the engine, some distros will not permit it in the repos if its only use is to access non-free data.

    So set up your own ppa (or rpm equivalent) repository. Your customers can add the repository to their list and then keep track of the package. You seem to be under the impression that repositories are only for "approved" software or that package managers can only handle a small number of entries. I have over 150 entries in /etc/apt/sources.list. Adding another one is no big deal. You also seem to think that licensing issues affect what you can put in a repository. It doesn't matter if you have your own repo. You could put commercial software in there, like Sun/Oracle with their VirtualBox.

    Package management and repositories as they exist in the Linux world are better ways of handling the distribution of software both free and commercial than anything else I've seen on any platform.

    This "CDE" doesn't solve any problems, but introduces its own "dll hell"

    --
    BMO

  13. Re:It's About Time by ozmanjusri · · Score: 4, Insightful
    I'm not sure why you're getting "Troll" mods for this.
    1. It does allow you to have outdated and unsecure software where it is likely to be used.
    2. Windows does lack proper package management.
    3. There are better ways to achieve the goal.
    4. It isn't a good idea to turn Linux into Windows. In fact, most mainstream OSs are switching to package managers.

    Guo comes from a Windows background (He interned at Microsoft last year), so it's understandable why he might have a Window perspective. That doesn't make it good for Linux to adopt that mindset.

    --
    "I've got more toys than Teruhisa Kitahara."
  14. Re:Isn't that three-letter acronym taken? by the_womble · · Score: 3, Insightful

    Suppose a security flaw is found in a commonly used library, do you think you will get more timely security updates by

    1) the packager for that library providing an updates package, or,
    2) every single application that uses it providing an updated package

    The CDE site gives two reasons for doing this:

    1) To solve "dependency hell". This is a rare problem these days - except with Skype!
    2) To provide guaranteed reproducible results for researchers. This is a specialist concern, and not necessaries a good thing - it means that results that are the product of a bug in a particular version of a library will be duly reproduced.

  15. Re:Use a package manager by Bert64 · · Score: 5, Insightful

    Generally linux distributions follow a fairly standard naming/location convention for files, most of the variations exist in specialised linux distributions (eg android) where there is good reason for the differences.
    Most software also allows you to choose where to install it at compile time, although the default will usually be /usr/local.

    A linux system is often far less messy than a windows system for instance, where all kinds of files are under the windows and system32 dirs.

    Package managers are actually a very good solution to many problems, not only do they handle dependencies but they provide a centralised database of installed software, a file integrity database (both on the system - storing checksums of everything, and off system because the checksums corresponding to a given package versions files are known), clean removal of software, a single place and standardised interface for installing software (thus removing the need to download programs from potentially untrustworthy websites - you only have to trust your os vendor, not hundreds of third parties) and most important of all, a centralised update mechanism for applying important security patches to all of your software...

    Other software vendors have chosen different methods to try and resolve the same problems, but most of them are lacking in one way or another, or make different compromises...

    The OSX method of program bundles avoids dependency problems, but introduces the inefficiency of reducing code sharing, this has less impact on closed source software where code is rarely shared anyway, but for open source one of the key advantages of the open development model is reduced by this approach. On the other hand, this method does provide clean removal and makes it easy to have multiple versions of something installed.

    The Windows method is rather chaotic, individual programs are expected to create their own installation and removal programs as well as handle their own update mechanisms, this has resulted in a whole range of software which behaves in different ways, stores files in different places etc... Update mechanisms and uninstall routines are down to the individual application and may not exist at all, or may not work correctly. This has resulted in lots of very poorly behaved software which assumes you are a privileged user and can write to system locations, and subsequently in order to retain compatibility microsoft have been forced to implement all kinds of dirty kludges to make such applications think they are able to write to system dirs when they can't.

    The only potential downside to the linux system, is that application suppliers don't have a fixed list of system libraries which will always be present. Under OSX or Windows you know that a core set of libraries will always be there, and anything else is typically provided by the app (sometimes redundantly), whereas different linux distributions may provide different base libraries.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!