
Re: New package management

Erik <br0ke@math.smsu.edu> writes:

> I d'no if I like the sound of that :/ My computer taking off and downloading
> and installing stuff without me at the helm sounds frightening.

The script could ask you to perform each step:

Wana download Clanlib from:
        http://www.clanlib.org/download/ClanLib-0.1.19.tar.gz     [y/n]

That would be the same as performing the task on your own, it would
just add some more user-friendliness. The autoweb script could also
create just a list of the downloaded files:

$ ./pingus.autoweb --list

> Especially considering these different packages would be gotten from
> different places, and the level of trust is unknown of these sites.

That's the same case if you do it manually.

> This'd need to be run as root,

No, the autoweb script just needs to be separated into different tasks:

$ ./pingus.autoweb --download
$ ./pingus.autoweb --compile
$ ./pingus.autoweb --install
$ ./pingus.autoweb --all

Maybe autobuild would be the better name than autoweb, if the thing
performs more tasks.

> and if one of those many many sites were violated or something unexpected
> happened, this could prove detrimental to the machine. A common lib could be
> injected with a trojan by malicious crackers or admins...

As said, same when you download it manually. Nobody could stop me from
just adding some 'rm -rf /' to 'make install' in say Pingus and announcing
it. I am sure nearly nobody will have a look at the Makefile before
doing 'make install'.

> Also, what happens if clanlib says "needs hermes > xx" but hermes gets another
> release that breaks some stuff? 

Then the script could output a message like:

| ClanLib requires hermes 1.1.2, but that was not found, download 1.2.0
| instead [y/n]

and if the compilation failed, then print out a message with the email
of the maintainer of the package:

| Compilation failed unexpectedly, please report this as a bug to:
| musti@mustermann.org

> then this script fails horribly, and the user thinks linux just
> doesn't have its shit together cuz of it

If the user downloads all himself, it will still fail, so it wouldn't
hurt anybody.

                                  http://dark.x.dtu.dk/~grumbel/pingus/ | 
Ingo Ruhnke <grumbel@gmx.de>             http://home.pages.de/~grumbel/ |
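
An added sketch (not part of the original post, and not code from the Pingus project) of the task split and per-download confirmation described in the message above. The `name url` manifest format, the Hermes URL and the rule that only the install step may run as root are assumptions of this example; nothing is actually fetched or built.

```shell
#!/bin/sh
# Added sketch; the thread only proposes pingus.autoweb, this is not its code.
# Assumed manifest: "name url" per line. The Hermes URL is a constructed placeholder.
MANIFEST='ClanLib http://www.clanlib.org/download/ClanLib-0.1.19.tar.gz
Hermes http://downloads.example.invalid/Hermes-1.2.0.tar.gz'

# Map a command-line mode to the ordered steps it runs.
steps_for() {
    case "$1" in
        --list)     echo "list" ;;
        --download) echo "download" ;;
        --compile)  echo "compile" ;;
        --install)  echo "install" ;;
        --all)      echo "download compile install" ;;
        *)          return 1 ;;
    esac
}
# Assumption of this sketch: only "install" may run as root (uid 0);
# fetching and building downloaded source as root is refused.
check_privilege() {  # $1 = step, $2 = effective uid
    if [ "$1" = "install" ]; then
        [ "$2" -eq 0 ] || { echo "$1: needs root" >&2; return 1; }
    else
        [ "$2" -ne 0 ] || { echo "$1: refusing to run as root" >&2; return 1; }
    fi
}
# --list: show every URL that would be fetched, without fetching anything.
list_urls() { echo "$MANIFEST" | while read -r name url; do echo "$url"; done; }

# Ask per package; answers come from stdin, anything but "y" skips it.
# The manifest is read on fd 3 so it does not compete with the answers.
approved_urls() {
    while read -r name url <&3; do
        printf 'Download %s from:\n        %s     [y/n] ' "$name" "$url" >&2
        read -r answer || answer=n
        if [ "$answer" = "y" ]; then echo "$url"; fi
    done 3<<EOF
$MANIFEST
EOF
}
run() {
    steps=$(steps_for "$1") || { echo "usage: $0 --list|--download|--compile|--install|--all" >&2; return 2; }
    for step in $steps; do
        case "$step" in
            list)     list_urls ;;
            download) check_privilege download "$(id -u)" && approved_urls ;;
            *)        check_privilege "$step" "$(id -u)" && echo "would run: $step" ;;
        esac || return 1
    done
}
[ $# -eq 0 ] || run "$@"
```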