

The Future of Packaging Software in Linux 595
michuk writes "There are currently at least five popular ways of installing software in GNU/Linux. None of them are widely accepted throughout the popular distributions. This situation is not a problem for experienced users — they can make decisions for themselves. However, for a newcomer in the GNU/Linux world, installing new software is always pretty confusing. The article tries to sum up some of the recent efforts to fix this problem and examine the possible future of packaging software in GNU/Linux."
The five ways (Score:4, Informative)
1) Installing directly from source code,
2) Ports-based installation (where the source packages are held in a repository and can be automatically downloaded, compiled and installed), like BSDs ports of Gentoo's portage,
3) Installing from distribution-specific packages like different versions of RPM, DEB, TGZ, and other packaging formats,
4) Installing from distribution-independent binaries (most proprietary software is delivered this way),
5) Using another distribution-independent system like autopackage, zero-install or klik -- none of them gained a significant market share so far.
Re:The solution! (Score:3, Informative)
Hasn't explored other packaging methods (Score:5, Informative)
Comment removed (Score:3, Informative)
Re:The solution! (Score:5, Informative)
Using multiple package formats is great idea, IMO. I use alien on Ubuntu for those situations where the software I want is only avaliable in RPM, but as it says in the summary, new users can be a bit confused by this and building from sources is often too much. I would like to see GUI tools get the smarts to automatically figure out dependencies across all formats, allowing all distros to become package agnostic. Perhaps Linspire's CNR interace would be a good candidate for this.
Also, the option to resolve dependencies and install as a statically linked blob would be awesome for legacy stuff. I've lost count of the number of times I've wanted to install an app, only to find that it relies on some obscure version of xyz.so and won't work, so I find the source for the old version of xyz, only to find it depends on some older version of abc.so. If I could get this xyz.so, etc without conflicting with that xyz.so, create a static binary and put it somewhere under /opt, I'd be happy. I know it's not elegant, and that it uses more storage, but as a work around for difficult to support stuff, it ain't so bad when storage is cheap. Some apps I always install as blobs anyway, such as blender.
BTW, from TFA: Network Access Message: The page cannot be displayed :-(
Slashdotted
Re:Hasn't explored other packaging methods (Score:5, Informative)
Circular dependencies, aka RPM hell, is what actually prompted me to make the switch from the Red Hat family to the Debian family. I used to be a pretty die hard Red Hat user. It used to be that Fedora was the cutting edge, back in the core 2 and 3 days. I would have those days when I would wrestle with the packages, but I just took my hits and moved on. Then Ubuntu came along, and I realized how much time I was wasting with that stuff. It "just works." APT is great (it's a pity POSIX decided to go for RPM). Gentoo's portage is really cool too, but IALAB (I'm a lazy bum--if you can't reconcile the acronym, then you probably shouldn't know what the missing word is).
Re:How about we take the easy way out? (Score:5, Informative)
What pisses me off is the 32 step process to making a deb (that's what dpkg calls a package btw.. just incase you're playing acronym bingo out there). So if you want to install something you built from source, and be able to remove it later, you need some freakin' magician to have made it into a source package.. cause there's no way in hell you're doing it yourself.
What really depresses me is that debs, dpkg and apt, that's about the best anyone has done. Unless, of course, you actually like building everything from source.
Re:How about we take the easy way out?-Fallback. (Score:3, Informative)
You want "checkinstall". (Score:5, Informative)
Checkinstall http://www.debian-administration.org/articles/147 [debian-adm...ration.org]
It's not the answer to all issues regarding installing from source
Any suggestions on what would make them even better?
Re:How about we take the easy way out? (Score:3, Informative)
up2date -i [package name]
"This package will require the installation of these additional packages, accept?" Yes/No
up2date -u [package name]
"This package will require the installation of these additional packages, accept?" Yes/No
rpm -e [package name]
Already done, see above. up2date will find dependancies, dependancies of dependancies, etc. until it is done, then present you the list and confirm to install all the packages, you hit "Y" and you're done.
If you just want to check what would be a dependancy you can:
up2date --solvedeps=[package name]
which accepts a comma deliminated list of packages as well as a single package name
To verify packages installed (or package files not yet installed) you use the verify option:
rpm --verify
Which can check the GPG sig of the package file, the MD5 sigs of the files, etc. allowing you to detect any tampering or changes.
up2date --force [package name]
rpm --force [package name]
/etc/sysconfig/rhn/up2date
serverURL[comment]=Remote server URL serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC serverURL[comment]=Remote server URL serverURL=https://www.centos.org/XMLRPCrpmbuild -ba
But in general major vendors provide optimized packages for various architectures that rely on heavy math/etc (kernel and OpenSSL being two of the important ones)
A total load of bullshit, and here's why (Score:5, Informative)
You padded the Mac list with the following:
Your Debian list conveniently leaves out having to click the KDE start menu, fire up a Terminal window, type in the root password, waiting while the package manager goes through dependencies, etc. What a phony comparison of steps. I could just have easily reduced OS X's step to one line of "Drag app icon to Applications shortcut" in the same the way you reduced Debian's steps.
Re:Ubuntu (Score:4, Informative)
You're not misinformed, although the author may still have a point of including it on the list of base distributions. There's a slew of Linux distributions based on Ubuntu. Still, you're right. The grandpappy of them all is Debian.
Here's a fairly comprehensive list [debianadmin.com] of these distributions.
Re:Possibly. (Score:3, Informative)
At least in the RPM-speaking world, we already have this functionality in the SRPM, though not in a formalized sense. Often, compile-time options require only very small changes to the spec, or can be given on the command line. For example, the bytecode compiler option for most freetype RPM packages falls into this category.
I believe that the set of people who want to go gung-ho securing their boxes, who know what they're doing, AND who can't be bothered to recompile packages from SRPM form is very small.
Comment removed (Score:3, Informative)
Re:Hasn't explored other packaging methods (Score:4, Informative)
So package foo depends on package bar, and package bar depends on foo.
All you do is:
rpm -Uvh foo.rpm bar.rpm
Circular dependency solved. The circular dependency 'problem' (it never actually really existed) was more of a problem of lack of good documentation than a problem with the actual 'rpm' program. However, this is a problem that was solved years ago - I haven't used a distro in the last 5 years that hasn't had a system like yum, up2date or apt which does all the dependency resolution for you.
Re:goddammit (Score:3, Informative)
Re:You want "checkinstall". (Score:3, Informative)
That option also makes it easy to set up chroots.
Re:Hasn't explored other packaging methods (Score:1, Informative)
Re:The solution! (Score:3, Informative)
note that MSIs are nothing new, office was using that system (with a stub exe to make sure the microsoft installer was installed first) from office 2000 onwards and i think win2k shipped with it as standard.
Some people seem to think that the fact that Debian does things differently from Mandriva that does it different than Fedora is what makes the distribution "special". Be that as it may, I think it's only hurting Linux users as a whole.
It is certainly a problem, trouble is the moment you get standards bodies involved progress slows to a glacial pace, distros understandablly want to be able to improve the way thier libraries are packaged to meet thier users needs.
In many ways windows represents the opposite extreme, they are only just now (with the 64 bit versions) dropping support for win16 apps, windows contains a huge ammount of cruft for backwards compatibility.
another problem is that library authors act in ways that make it very hard to build binaries on a newer system that will run correctly on an older system.
a final problem is that menu systems vary so even once you get a binary on the system in a way it will run (though i belive freedesktop.org is trying to work on getting this standardised)
tools like autopackage try to work arround theese problems but doing so is easier said than done.
Re:The solution! (Score:3, Informative)
That's exactly how Microsoft tried to solve it and why their distributed software is huge. It also has led to problems of competing dlls which are often incompatible. If you think you have dependency problems now, just wait until you implement your idea! Imagine installing 16 applications each having a dependency on 16 different versions of the same lib.
B.
Re:The solution! (Score:3, Informative)
And I agree, the solution really is to have one major package repository. How you package it isn't horribly important.
The problem is that each major distro is built using different versions of libraries with completely different toolchains, and they use different patches, etc.
That is why most repository systems won't work.
However, here is why Portage would work for all distros. Keywords.
By using "SUSE" as a keyword, it could pull the binary compiled using the SUSE toolchain if that is what you needed.
The world won't start using one distro. And SUSE can have their binary packaged in their format, and Ubuntu can have it packaged in their format, but we really, really do need one repository.
Re:The solution! (Score:4, Informative)
Re:The solution! (Score:3, Informative)
If you use a package manager, that is how installing programs on Linux is.
Re:The solution! (Score:3, Informative)
Re:The solution! (Score:3, Informative)
Re:The solution! (Score:5, Informative)
I personally like the package management system. I like having one place to look for software for my system, software that I know has been tested with the programs I likely have on my system, software that I know will update with the rest of my system, software I know isn't spyware. It sounds like it wouldn't work too well, but it really works rather well since there are so many programs in the repositories. Even for the programs that don't want/can't be in the repositories, there's ways for people to install those easily as well. There's java programs that install easily regardless of your Linux, there's autopackage, and some developers just put the program and all the files in a zip file that you can extract and then run where ever you want. There are solutions, they probably need better development, but they're not in terrible shape and that's not the most pressing issue for Linux. Much more important is getting the software people really want on Linux (or at least working really well and easy with wine) and making really good oss equivalents to proprietary software (we need something better than gimp to compare to photoshop) and we also need more device drivers, especially wireless. Those are much more important than package management.