[packaging] Meeting next week to discuss trusted third-party repositories

Peter Dolding oiaohm at gmail.com
Sat Dec 27 22:05:13 PST 2008


On Sun, Dec 28, 2008 at 3:13 PM, Dan Kegel <dank at kegel.com> wrote:

> On Sat, Dec 27, 2008 at 7:19 PM, Peter Dolding <oiaohm at gmail.com> wrote:
> > Berlin one of the
> > few things that has passed a vote yet not implemented for installing
> > applications included at least some basic support for using Distribution
> > installed run-times and for installer to install outside runtimes if
> > required.
>
> Berlin was dreamed up by a bunch of guys in a room at a
> meeting a while ago, trying to make ISVs happy.
> It was an attempt to make installation scripts *more* powerful.
> I think it's more promising to make them *less* powerful.
>
> I don't consider Berlin part of the mainline packaging system.
> - Dan
>
Remember, neither is your solution, Dan.  The difference is here:
http://www.linuxfoundation.org/en/ProjectPlan40 read the roadmap.  Berlin is
on it for the next release.  Yours is not, Dan.  You have to make a valid
case to push it off the roadmap and replace it.  Being a poor grade
replacement lacking pieces, no way should it be treated kindly.

The notes around Berlin's move forward on the roadmap apply to what you are
trying to do.  "A sample implementation was contributed.  However, we're not
going to meet the "shipping everywhere" criteria, so this item will have to
be pushed out to next release."  Yes, the code for the Berlin base
implementation exists.  Yes, the "shipping everywhere" criteria is an old
criteria of LSB that is not met yet, so all packaging solutions need to at
least have some plan to achieve that.  RPM's was that in time all
distributions would accept it, so the shipping everywhere criteria would
have been met.  Sorry, once bitten, twice shy: this time around the solution
must have a plan that will work without distribution assistance.  Berlin has
a plan for the "shipping everywhere" criteria.

Other than the decision to delay Berlin in the hope that a better solution
would be developed, it would be part of LSB 4.0.  So no, it's not in
mainline yet, but it's your competition.  Berlin is the benchmark solutions
have to beat.  Failure to beat Berlin basically sees your solution not taken
and Berlin in LSB 4.1.

Berlin is more powerful on one hand, less on another.  You are right Berlin
is about protection, so all system-wide alterations have to go through an
approval and can be rejected.  An executable running as a limited user can
alter the construction of the package to suit the system it's matching up
to.  During installation nothing ends up really running as root without
approval of the Berlin system.  So no damaging other packages.  Its model
deals with the script issue as well.  It simply does away completely with
all scripts directly running as root.  So alterations have to go past
approval.

Really, Berlin is no weaker in what it can do, just a lot more security
preventing installer-caused damage.  Think about it: if an rpm with an
rm -rf /* init script slipped through because the user allowed the
application to be installed, the user would be badly hurt.  Containment for
scripts running under rpm is critical if it remains the LSB standard long
term.

This is the important thing you are forgetting: RPM and the current LSB
packaging instructions are an interim solution, so nothing says that it will
exist in LSB in 5 years' time, Dan, if its problems cannot be fixed.
Reason: it currently fails the "shipping everywhere" criteria.  When they
say everywhere, they really do mean every Linux distribution in existence,
and even on to Solaris and FreeBSD and other OSes that have a Linux
compatibility layer.

So yes, there are a lot of areas where you need to catch up to Berlin to
even stand a chance of replacing it.  The security of the Berlin model beats
RPM hands down.  Are there areas where Berlin could be improved?  Yes, there
are, like some form of trusted source system and a neater upgrade system.

This is why you are getting walled by me, Dan.  Your solution needs lots of
work to get up to an equal solution to Berlin.  What is being put forward is
missing key sections for me to go "OK, good enough, passes the needed
criteria".  Now of course I would love better than Berlin.  Personally I
think Berlin is going to be a maintenance nightmare due to using installers
and the like to update itself.  That is another reason why it was delayed
for 1 more release.  Basically the clock is ticking for a solution to the
shipping everywhere criteria to be developed; without it we all have to live
with Berlin.


Peter Dolding