Forgot your password?
typodupeerror
Open Source Software Windows Linux

0install Reaches 2.0 61

Posted by timothy
from the whole-and-even-and-prime dept.
tal197 writes "Zero Install, the decentralized cross-platform software installation system, announced 0install 2.0 today after 2 years in development. 0install allows authors to publish directly from their own web-sites, while supporting familiar features such as shared libraries, automatic updates, dependency handling and digital signatures. With more than one thousand packages now available, is this finally a viable platform?"
This discussion has been archived. No new comments can be posted.

0install Reaches 2.0

Comments Filter:
  • Over 1000?! (Score:5, Funny)

    by L4t3r4lu5 (1216702) on Tuesday March 05, 2013 @11:24AM (#43078853)
    That's 1/9th any kind of milestone I will accept as important or impressive. Come back later.
  • by Anonymous Coward

    Something about calling your installer platform "Zero install" seems disingenuous. :)

    Though the summary mentions something I've been thinking a lot about lately, and that's shared libraries. 99.5% of the time when I have trouble getting something to work in linux it comes down to a nasty spaghetti-like mess of libraries and their recursive dependencies. Sometimes some pieces of software have difficulty coexisting because they depend on different versions of supporting libraries.

    I understand that a lot of pa

    • by iroll (717924)

      So apps from the App store don't use the shared libraries provided by the operating system? Which are updated by the operating system's update utility? News to me.

    • Re:What a name (Score:5, Interesting)

      by Jeremi (14640) on Tuesday March 05, 2013 @01:50PM (#43080781) Homepage

      I understand the benefits of shared libraries, but storage space is dirt-cheap today and I think a lot of problems might be solved simply by letting lots of pieces of software bundle their favorite versions of dependent libraries.

      Or, how about this: Instead of linking to shared libraries by their filenames, applications specify the shared libraries they'd like to link to via md5 hashes of the libraries' contents. The linker checks its shared-library database-index (which could just be a directory whose directory-entries are md5 hash codes) to see if it has a shared library with that md5 hash installed; if yes, it links the application process to it; if no, it auto-downloads the shared library with that hash from the web repository, installs it, and then links the application process to it.

      The advantages would be:

      No library collisions, ever (well, to the extent that md5 hashes are unique, anyway).
      No version mismatches, ever (each app will always run using the libraries it was built against, and no others).
      No mucking about with LD_LIBRARY_PATH (as all shared libraries are auto-stored for you
      No manually installed missing libraries (they will instead be installed as necesary, on demand)
      No space wasted by multiple copies of the same library present on your disk at once

      Some possible disadvantages:

      No way to "patch" behavior of multiple applications by upgrading only a shared library they link to (you'd have to upgrade each of the applications instead, so that they reference the new library version's md5 hash)

      Possible security issues from auto-installing shared libraries with malicious code (although arguably you either trust a developer enough to install his program, or you don't; the mechanics of how different parts of the program are installed aren't necessarily relevant)

      • by tal197 (144614)
        To get the hashes of the latest compatible versions, you could use 0install. e.g. to find the hashes for the dependencies of the SAM program:

        $ 0install select http://www.serscis.eu/0install/serscis-access-modeller
        - URI: http://www.serscis.eu/0install/serscis-access-modeller
        Version: 0.16-post
        Path: /home/tal/work/serscis-access-modeller/serscis-access-modeller-any-any

        - URI: http://repo.roscidus.com/java/iris
        Version: 0.6.0
        Path: /var/cache/0install.net/implementa
      • This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it. Locking in a specific version via hash would be functionally no different than just statically compiling the library into the binary. Then what is the point at all?
        • by Jeremi (14640)

          This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it.

          Yes, you're quite right, but that's a tradeoff that might be worth making. Upgrading a shared library that an application already is using is a risk, since after the upgrade you are running an application in a configuration that its developer never tested against. Better perhaps to have the developer upgrade his application to the new version of the shared library, let him test it thoroughly, and then when he has released his new app version, download it (at which point it would auto-download the new shar

        • by Yfrwlf (998822)
          With Zero Install the packager can make the dependencies be whatever they want includiong the version numbers. If they didn't trust a library to not break things, they could even set the version == (require only that version and no other) if they wanted. The user can also force different versions to be used than the recommended one in case they ever disagreed with the packager.
      • by KiloByte (825081)

        ... no security fixes to libraries, ever.

        Just read the recent discussion about including golang in Debian. Pretty much just its promoter considered introducing a compiler with no support for proper dynamic libraries to be acceptable, and dynamic libraries accessed via hash are effectively static for all purposes other than disk/memory usage.

        If there's a bug in libpng, what do you do? It has thousands of reverse dependencies, many directly and yet more transitively. A good deal of bugs there can be exploi

    • by CastrTroy (595695)
      I very much agree with this. The programs (which weren't included with the distro) that I've had the least problems installing on Linux were the ones that thrown in everything in the installer and use all their own libraries. Anything else just leads to dependancy hell. Once, I was trying to install a new version of MySQL server, and couldn't install it because it wanted a newer version of the MySQL client library than what KDE was using. To remove the existing MySQL client library in order to upgrade, I w
      • Seems you weren't using your distro's packages. If so, you could have installed the new version of MySQL client and server to another path, /opt perhaps. Or did i miss something?

  • Slashvertisement? (Score:3, Informative)

    by UnoriginalBoringNick (1562311) on Tuesday March 05, 2013 @11:34AM (#43078945)

    As the third of tal197's four slashdot submissions was entitled "Zero Install Project Makes 1.0 Release" [slashdot.org], can I assume this is just an advertisement?

    • by Anonymous Coward

      Not to mention that the hyperlink making up his username in that story leads directly to the Zero Install website...

      Plus, isn't Slashdot supposed to be a news *aggregator*? Nothing in this story leads to an article, just the project's homepage.

    • by Timmmm (636430)

      No; 0install isn't a commercial project.

    • The best kind of ad, in my opinion. One of the reasons I follow slashdot is to learn about new developments in IT.

      A succesful project needs to attract enough developers to keep it going, and that means promotion of one kind or another. The commercial world can buy advertising. Slashdot is providing a valuable service by helping non-profit projects reach out to potential contributors and consumers.

      This project is interesting to me because it tackles a problem I'd been considering recently. I use Can

  • One look at the package list says it all.
    • Re:No. (Score:4, Insightful)

      by Timmmm (636430) on Tuesday March 05, 2013 @12:44PM (#43079909)

      I don't think it is designed to be the one-repository-to-rule-them-all, debian style. In fact I think it is partly a reaction to the fact that that model doesn't work well in many cases.

  • by loufoque (1400831) on Tuesday March 05, 2013 @01:14PM (#43080279)

    The technology is interesting. It's fully decentralized, works even on Windows, offers Mac-style drag and drop images, uses a full SAT solver for dependency resolution...

    What it needs is better marketing.

  • Installs ok, haven't tried it out yet.
    Wonder why it needs to remove "python3-aptdaemon.pkcompat" if it says it does its stuff without messing about with a system's libraries, tho.

    • by tal197 (144614)

      I have an idea the .deb package recommends "packagekit". If that conflicts with "python3-aptdaemon.pkcompat", I guess your package manager might offer to remove it. You could try using --no-install-recommends.

      If you try to install a program that needs a library that is only available through your distribution, then 0install will offer to install it using PackageKit, if PackageKit is available.

The cost of feathers has risen, even down is up!

Working...