Edgy Third Party Package Management

Stephan Hermann sh at sourcecode.de
Mon Jun 5 17:02:33 BST 2006


On Monday 05 June 2006 16:56, Jerry Haltom wrote:
> > The problem is not the distribution, the problem is: Who is
> > packaging the software in a clean and trustable way and who is
> > providing the repository and last but not least, who is responsible
> > if this package is destroying my system.
>
> These are addressed by being specifically unaddressed in the Wiki
> page linked by the spec. This is not feasible nor desirable.
>
> If you install software from an ISV, you trust the ISV to provide the
> software. There is a one time "Yes, I trust the ISV known as Foo.
> (along with key Bar)". Beyond that, it is up to the ISV to deliver
> whatever they want.

If I install a tarball or shar archive from an ISV and this breaks my 
system, it's my personal fault.
Installing a native package for <insert distro package manager here> 
it's not my fault, because (if I would trust ISVs and upstream source 
provider to know anything about packaging for distros) they provide me 
with softwareX_0.1.0-0_i386.deb or whatever, which I eventually paid.

> Centralized signing/packaging is overcomplicated, puts Canonical in a
> position I assume they don't want to be, and is also unreasonable to
> expect ISVs to do. It is a non-starter.

Who knows? But central packaging and signing can be done by any other 
company who Canonical trusts and especially the ftpmaster of Ubuntu is 
trusting.

> > ISVs shouldn't package software (package != tar.gz) and they won't
> > do it, because then they have to provide at least 3-5 different
> > packages for the big package managers (RPM, DEB, PKG, etc.) and
> > after all they have to provide different packages for any distro
> > out there. We can see what happens if an ISV is doing this:
> > Example: Skype
>
> They won't do this because we don't push them to do so. If there are
> potential customers using Ubuntu that they want to reach, they WILL
> package it properly to appease those customers. Or they won't, and
> will lose their business.

Well, Ubuntu is not the first distro who tried to push. SuSE (without 
Novell) and RedHat tried it, and no ISV ever packaged RPMs for these 2 
distros. All RPMs on earth are self-made by person X or Y.


> We define a specification and a set of documentation for creating
> Ubuntu packages, and ISVs will invest the man power to implement
> them. My proposal is of course only one side of this, the delivery
> mechanism.

ISVs won't put money in this work, because an admin can easily install 
even tar.gz or something else, and if they package for one distro, the 
other distros are coming and want that feature, too, which costs more 
money for the ISV.

The distribution of packages is/was as well discussed, and Michael Vogt 
invested some time into this feature for apt (afaik, mvo, your call). I 
think the only question which is not answered is "rollback of an 
installed package to the old package" (the easy way).

regards,

\sh
-- 
St. Hermann
SysAdmin and Linux specialist