[packaging] Meeting next week to discuss trusted third-party repositories

Jeff Johnson n3npq at mac.com
Sat Dec 20 09:51:13 PST 2008 

On Dec 20, 2008, at 12:23 PM, Denis Washington wrote:

> Jeff Johnson wrote:
>>
>> On Dec 20, 2008, at 10:02 AM, Denis Washington wrote:
>>
>>> Tortanick wrote:
>>>>> The very last thing ISVs want is yet another package format.
>>>>> - Dan
>>>>>
>>>>
>>>> I was under the impression that they didn't mind witch package  
>>>> format
>>>> providing there was a single one that they could support and be  
>>>> done with it.
>>>>
>>>
>>>
>>
>> < ... yet another package format design snipped ...>
>>
>>> If I overlooked some fundamental issues, please tell me.
>>>
>>
>> The mechanics of wrapping up {content,scripts,metadata}
>> in a container are not very hard to achieve. Your approach
>> is as good (or bad) is every other container around.
>>
>> The hardest packaging issue is semantically defining package  
>> metadata and how the
>> metadata is to be used by installers and packagers and users and ...
>
> Well, the metadata would be:
>

Good. Below are hysterical comments from well traveled pathways:

> * The package name and provider, for identification and base  
> directory identification (/opt/provider/name).

Do names/providers have to come from a registry or not?

Are you going to enforce "/opt/provider/name" prefixing for paths?
If names/provider/paths are not enforced, then how does one handle the
very predictable name/provider/path collisions that will arise?

>
> * The package version, to be able to determine if a newer version is  
> available (for updaters).

You need to make "newer" decideable. for that matter, "available" as  
well.

>
> * The package architecture, to check binary compatibility with the  
> system to install on.

architecture and abi are very different issues. nothing wrong with  
specifying them at all.

>
> * The required LSB version (and modules), for the same reason.

There is no "required" until there is a specification of "required"  
and a
mechanism for determining what is "required" (or not).
ditto for "version" and "modules" for exactly the same reasons.

>
> * The URL of an update feed file, to check for new versions (in  
> combination with the version data).

All of "URL", "update", "feed", "new", "versions", "combination" and  
"data" are not specified.

>
> * The paths of the installed files and directories, plus their  
> permission modes, for associating the files with the package, and to  
> inform the user in case files are installed outside of the "trusted"  
> directories.
>

Ditto (presumably I don't have to list all the details, but a LSB  
packaging standard will have to).

> As far as I can see, this is all metadata that is required for a  
> third-party application. I for my part wouldn't need anything else  
> at least. The only possible useful addition to this list may be the  
> package files' md5 or sha1 sums for data integrity checks, but this  
> is not a requirement. All other metadata found in other formats as  
> RPM or DEB are more of interest for base system distribution  
> maintainance as far as I can tell (for instance all package  
> relationship metadata like Requires, Replaces, Epoch etc), and don't  
> seem to be needed for self-contained third-party packages.
>
> So, for third-party packaging needs, we have a very small and well- 
> defined set of metadata IMO. I hope I haven't misunderstood your  
> definition of "defining the metadata"; correct me if I'm wrong.
>

Truly, this is a good start. No place in your suggestion have you  
mentioned "format" of packages,
and there are no API/ABI methods being proposed, nor are there any  
defacto definitions, e.g.
	just like 0install/deb/installshield/klik/rpm/klik/...

I'd suggest adopting some conventions for specifying metadata  
concretely.

Note that specification != representation, one has to avoid __ALL__
existing packaging implementations in order to hammer out packaging
metadata semantics and committing to __ANY_ representation of package
metadata that may be distributed.

But sure there's *LOTS* of defacto examples for guidance around,  
examine any existing
package manager implementation for assistance in specifying LSB  
package metadata.

But it __MUST__ be a "LSB Package" standard first and foremost and ab  
initio to
succeed imho.

73 de Jeff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4664 bytes
Desc: not available
Url : http://lists.linux-foundation.org/pipermail/packaging/attachments/20081220/1ebaffe3/attachment-0001.bin

More information about the packaging mailing list