Re: sane dependencies -- a positive look at 'fix your packages'
- From: Andy Hanton <andyhanton comcast net>
- To: fedora-devel-list redhat com
- Subject: Re: sane dependencies -- a positive look at 'fix your packages'
- Date: Sat, 04 Oct 2003 14:18:23 -0400
On Sat, 2003-10-04 at 14:02, Nicolas Mailhot wrote:
> On Sat 04/10/2003 at 19:58, Andy Hanton wrote:
> > On Sat, 2003-10-04 at 13:20, Michael Schwendt wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Sat, 04 Oct 2003 11:51:34 -0400, Sean Middleditch wrote:
> > >
> > > > Given the autopackage project, RPMs and their (possible) problems may in
> > > > the future just be relegated to low-level system stuff, which is another
> > > > solution, but one not yet ready.
> > >
> > > This one? http://autopackage.org/faq.html Doesn't look promising
> > > in the middle of the FAQ.
> >
> > They aren't the only ones working on this stuff. The zero-install
> > project (http://zero-install.sf.net/) seems to be trying for a more
> > interesting solution. They actually link software to libraries using a
> > caching http filesystem. For example, an application that needs gtk2
> > would link to /uri/0install/www.gtk.org/gtk2/libgtk-x11-2.0.so. So it
> > doesn't need the funny hacks autopackage uses to detect what the user
> > has installed. The user can double click the application and all the
> > dependencies are downloaded automatically and doing so never breaks
> > anything else on the system.
>
> And how do you trust the result ?
> RPMs at least are signed.
I would assume that the daemon that runs the /uri filesystem would check
signatures on downloads. I don't think it does yet but there is no
reason that it couldn't. Some effort would be necessary to set up a web
of trust so that the user didn't have to decide if the keys were valid.
I believe that the zero-install system actually downloads the contents
of directories as tarballs, so they could just sign the tarball for each
release. I don't really see how that is any worse than what rpm
offers.
There is already a per user daemon in the system responsible for
displaying download progress bars and stuff. If the signature checking
failed it could present the user with a nice dialog saying that the
software couldn't be run.
--
Andy Hanton <andyhanton comcast net>