[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New package managment

On 22-Sep-99 Steve Baker wrote:
> Bryan Patrick Coleman wrote:
>> I am considering creating a semi new package managment system for a
>> distrobution I am putting together. I know that several of the people on
>> this list are unhappy with what is currently available. What kind of
>> capabilities would you like to see go into a package managment (installer)
>> utility?
> I like autoconf/automake - what I think is majorly bad is the:
> BAD (but typical) STORY:
>    I want to run pingus (say)
>      ...I download...
>      ./configure ; make ; make install
>      ...it says I need 'clanlib'...
>      ...where is the clanlib home page?
>      ...search using Google/Yahoo/whatever...
>      I need to get Clanlib.
>         ....I download...
>         ./configure ; make ; make install
>         ...it says I need 'hermes'...
>         ...where is the hermes home page?
>         ...search using Google/Yahoo/whatever...
>         I need to get Hermes.
>           ...I download...
>           ./configure ; make ; make install
>           Whoopie I have Hermes!!!
>         ./configure ; make ; make install
>         Whoopie I have Clanlib.
>       ./configure ; make ; make install
>       Oh shit. It wants an OLD version of Clanlib...
>    ...Repeat ad nauseam.

almost sounds like an argument against using libraries :) hehehe

> You go to the Pingus site and download a *tiny* script:
>    pingus.autoweb
>    ...which checks to see if clanlib is installed and if
>    not - knows a good place to download it from - so it
>    downloads a script from the clanlib site:
>       clanlib.autoweb
>      ...which is run (automatically) - and which checks to see
>      if hermes is installed - and if not, it knows a good place
>      to download it from - so it downloads a script from the
>      hermes site:
>         hermes.autoweb
>         ...which sees that it has everything it needs, and downloads
>         the relevent tarball, untars it runs configure/make/make install
>         and returns SUCCESS...
>      ...so the clanlib tarball downloads, it runs configure/make/make
> install
>      and returns SUCCESS...
>    ....so the pingus tarball downloads, runs configure/make/make install
>    and returns SUCCESS.

I d'no if I like the sound of that :/ My computer taking off and downloading
and installing stuff without me at the helm sounds frightening. Especially
considering these different packages would be gotten from differnet places, and
the level of trust is unknown of these sites. This'd need to be run as root,
and if one of those many many sites were violated or something unexpected
happen, this could prove detrimental to the machine. A common lib could be
injected with a trojan by malicious crackers or admins... Or if a package were
moved from a system, then a fake package could be put in place of the old
one... It's too big of a security hole for my tastes, I'd be as likely to use
or advice this as I would be to putting /dev/ttyp[0-12] in /etc/securetty and
making the first line of /etc/shadow read like root::::::::

Also, what happens if clanlib says "needs hermes > xx" but hermes gets another
release that breaks some stuff? then this script fails horribly, and the user
thinks linux just doesn't have its shit together cuz of it

> Notice that if one of those packages didn't use the autoconf/automake
> mechanism, it's autoweb script can run whatever other set of commands
> are needed to build with.
> If (say) Hermes didn't subscribe to this grand scheme, then the authors
> of clanlib could have the clanlib autoweb script get the hermes.autoweb
> script from one on the clanlib site - and have it STILL grab the
> tarball.
> A good tool would autogenerate the '.autoweb' scripts from some simple
> source, it would also know about mirror sites for the tarball it'll
> download - so your main web site only has to serve the itty-bitty script
> and the user can be forced to go to mirror sites for the other stuff.
> If such a scheme were to become more widespread, it would do GREAT
> things
> for source-based packages.  People simply **HATE** following the paper
> trail to get all the libraries that a complex modern game needs.
> This would reduce the entire installation to downloading a single
> script and running it at the command prompt.  It's possible one could
> imagine a Netscape plugin that would run autoweb scripts - and hence
> reduce it to a single keyclick.
> -- 
> Steve Baker                  http://web2.airmail.net/sjbaker1
> sjbaker1@airmail.net (home)  http://www.woodsoup.org/~sbaker
> sjbaker@hti.com      (work)

        -Erik <br0ke@math.smsu.edu> [http://math.smsu.edu/~br0ke]

The opinions expressed by me are not necessarily opinions. In all
probability, they are random rambling, and to be ignored. Failure to ignore
may result in severe boredom or confusion. Shake well before opening. Keep