Re: [arch-general] arch-general Digest, Vol 141, Issue 17
On 07/11/2016 01:00 AM, arch-general-request@archlinux.org wrote:
On 07/11/2016 01:09 AM, Information Technology Works wrote:
Aren't snaps, flatpak and appimage missing the boat in a concerning way? Shouldn't the Gnu+Linux ecosystem be focusing on automating the package building/maintenance instead? A layer above distros' package managers(pacman, apt, etc) that can build upstream from source without human intervention. Maybe upstream would have to cooperate in some way? Every distro would just have to write a plugin/config for themselves that described how their packages should be built, then their package manager can be used to install binaries like now. Distro devs could develop the system and verify it's integrity/security or do distro feature related work instead of packaging. This would address all the problems that these app container based systems are trying to solve while keeping dependency resolution, repos, etc. in tact. Is this impossible/wrong for some reason?
Hello,
Work is being done in this area [1], but it?s not as fancy as you may think. It?s mostly about upstream using a well-behaved build system. Well-behaved software is easy to package anyway (just do `./configure --prefix=/usr`, `make` and `make install`). When customization is necessary or desired, pacman brings the needed versatility.
Please note that ?build once, run anywhere? is not the only advantage of Flatpak and not one pacpak addresses. To me, containerization mostly provides added security by privilege revocation and separation of privileges.
Regards, Florian Pelz
[1] https://github.com/cgwalters/build-api Florian,
thanks for the reply and link. Well behaved build systems and/or the link you sent is what i alluded to with my "cooperation from upstream" comment. It seems to me, upstream and distros should get together and agree on a set of standards. then all distros could auto-build their repos. Unless "build once, run everywhere" can be done in a way that's superior to repos and packages (i don't see how, but what do i know), it seems like the wrong approach and would be completely unecessary with all distros having near instant packages from upstream due to automation. I'm not necessarily opposed to the theoretical, potential security benefits of app containerization but minus the dependency compat layer, especially if automation of building is not so out of reach. Your package sounds interesting and good luck with it, i just thought i'd bring up these questions before we throw the baby out with the bath water. thanks, ITwrx
On 07/11/2016 10:40 PM, ITwrx.org wrote:
Florian,
thanks for the reply and link. Well behaved build systems and/or the link you sent is what i alluded to with my "cooperation from upstream" comment. It seems to me, upstream and distros should get together and agree on a set of standards. then all distros could auto-build their repos. Unless "build once, run everywhere" can be done in a way that's superior to repos and packages (i don't see how, but what do i know), it seems like the wrong approach and would be completely unecessary with all distros having near instant packages from upstream due to automation. I'm not necessarily opposed to the theoretical, potential security benefits of app containerization but minus the dependency compat layer, especially if automation of building is not so out of reach. Your package sounds interesting and good luck with it, i just thought i'd bring up these questions before we throw the baby out with the bath water.
thanks, ITwrx
You seem to be right at being critical about pure upstream packages. Customizing packages and taking care of bug reports cannot be done fully automatically in this way, so that part of app containerization is perhaps not ideal anyway. This link has recently been posted on the GNOME gtk-devel list; I think it is relevant here: http://kmkeen.com/maintainers-matter/2016-06-16-11-31-07-560.html Either way, this is not what I want pacpak to be. Regards, Florian Pelz
participants (2)
-
ITwrx.org
-
pelzflorian (Florian Pelz)