sane dependencies -- a positive look at 'fix your packages'
Andy Hanton
andyhanton at comcast.net
Sat Oct 4 18:18:23 UTC 2003
On Sat, 2003-10-04 at 14:02, Nicolas Mailhot wrote:
> On Sat 04/10/2003 at 19:58, Andy Hanton wrote:
> > On Sat, 2003-10-04 at 13:20, Michael Schwendt wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Sat, 04 Oct 2003 11:51:34 -0400, Sean Middleditch wrote:
> > >
> > > > Given the autopackage project, RPMs and their (possible) problems may in
> > > > the future just be relegated to low-level system stuff, which is another
> > > > solution, but one not yet ready.
> > >
> > > This one? http://autopackage.org/faq.html Doesn't look promising
> > > in the middle of the FAQ.
> >
> > They aren't the only ones working on this stuff. The zero-install
> > project (http://zero-install.sf.net/) seems to be trying for a more
> > interesting solution. They actually link software to libraries using a
> > caching http filesystem. For example, an application that needs gtk2
> > would link to /uri/0install/www.gtk.org/gtk2/libgtk-x11-2.0.so. So it
> > doesn't need the funny hacks autopackage uses to detect what the user
> > has installed. The user can double click the application and all the
> > dependencies are downloaded automatically and doing so never breaks
> > anything else on the system.
>
> And how do you trust the result ?
> RPMs at least are signed.
I would assume that the daemon that runs the /uri filesystem would check
signatures on downloads. I don't think it does yet but there is no
reason that it couldn't. Some effort would be necessary to set up a web
of trust so that the user didn't have to decide if the keys were valid.

I believe that the zero-install system actually downloads the contents
of directories as tarballs, so they could just sign the tarball for each
release. I don't really see how that is any worse than what rpm
offers.

There is already a per user daemon in the system responsible for
displaying download progress bars and stuff. If the signature checking
failed it could present the user with a nice dialog saying that the
software couldn't be run.
--
Andy Hanton <andyhanton at comcast.net>
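
The check discussed in this message, as an added example that is not part of the original post and is not zero-install code: a fetcher verifies a detached signature over the whole release tarball before parsing any of it, and refuses the download otherwise. Assumptions: Ed25519 from the Go standard library stands in for the OpenPGP signatures the thread has in mind, and `VerifyAndUnpack`, `ErrUntrusted`, `sampleRelease` and the file name are hypothetical.

```go
package main
import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"io"
)

// ErrUntrusted means no key in the trust set validates the release signature.
var ErrUntrusted = errors.New("release signature not valid for any trusted key")

// VerifyAndUnpack checks the detached signature over the raw tarball bytes
// before parsing any of them, and fails closed so nothing reaches the cache.
func VerifyAndUnpack(tarball, sig []byte, trusted []ed25519.PublicKey) (map[string][]byte, error) {
	ok := false
	for _, k := range trusted { // one valid trusted signer is enough
		ok = ok || (len(k) == ed25519.PublicKeySize && ed25519.Verify(k, tarball, sig))
	}
	if !ok {
		return nil, ErrUntrusted
	}
	files := map[string][]byte{}
	for tr := tar.NewReader(bytes.NewReader(tarball)); ; {
		h, err := tr.Next()
		if err == io.EOF {
			return files, nil
		} else if err != nil {
			return nil, err
		}
		if files[h.Name], err = io.ReadAll(tr); err != nil {
			return nil, err
		}
	}
}

// sampleRelease builds a constructed one-file tarball (not real project data).
func sampleRelease() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "lib/libdemo.so", Typeflag: tar.TypeReg, Mode: 0644, Size: 4})
	tw.Write([]byte("demo"))
	tw.Close()
	return buf.Bytes()
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the publisher's key
	rel := sampleRelease()
	fmt.Println(VerifyAndUnpack(rel, ed25519.Sign(priv, rel), []ed25519.PublicKey{pub}))
}
```

The `ErrUntrusted` return is the point at which a per-user daemon would show its "could not be run" dialog; how keys enter `trusted` is the web-of-trust question and is outside this sketch.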