[rb-general] Regarding "Zero Install" manifests

Ximin Luo infinity0 at debian.org
Fri Apr 28 12:39:00 CEST 2017

Hi Anders, do you have a specific proposal to suggest for us here? The ideas all sound good but I'm not sure what the overall system you're suggesting should be.

At the moment we already *have* buildinfo files (i.e. signed manifests), and the next step is to figure out what sorts of logic we should add to, say, `apt-get` so that users get a good sense of "how reproducible" the packages that they're installing are.

Anders Björklund:
> [..]
> The author is Thomas Leonard, and he wrote an essay some 10 years ago 
> now on what a packaging system like this can ultimately be used for:
> http://www.osnews.com/story/16956/Decentralised_Installation_Systems/

This article is quite long, are there specific points in it that you'd like to discuss?

> The picture above doesn't quite correspond to the model used by traditional Linux distributions, where users must pick a distribution and then only use software provided by that distribution. This model falls short of the ideals of Free software, because a user is only free to install programs approved by their distribution (of course, it may be possible for users to do this; here and in the rest of this essay I am concerned with things being easy and reliable).

I would say that this is slightly inaccurate. Even if "distributions" didn't exist as a middle-man, different pieces of software would have to co-operate to make sure they are co-installable without interfering with each other, and various other technical compatibility issues.

The easiest way to do this is to have a standards-body, which is what distributions *are*. I agree that the fact there are 4-5 different standards (deb, rpm etc etc) is not a great situation; ideally we would have one standards-body. The body itself can be politically decentralised and Debian is already like that; it's really not so hard to get stuff into Debian.

Yes, distributions as a whole have some economic power as Thomas describes, but I don't see how the rest of what he's proposing really "solves" these issues. For example the later suggestion of naming things like "gimp.org-gimp-2.4.3" is still very much centralised according to the DNS system. The names are longer, and hence there's less chance for conflict, but then people will just move to getting shorter snappier domain names, then name their programs something generic like "main" so we'll end up with things like "gimp.org-main-1" which is not that much better than just "gimp".

> It is much better to checksum the binaries (than e.g. the tarballs),
> because then the _same_ files can be distributed in lots of ways...
> [..]

Distributing the same files in different arrangements could in theory activate a backdoor in one arrangement but not the other. 0install has a hash for each whole-arrangement as well, so there is no security issue there. However, I'm just pointing out that the only benefit of "hashing each file" would be for potential deduplication, not security.


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
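
The point in the last paragraph of the message above, as an added example that is not part of the original post: a check that only compares per-file hashes accepts the same files in a different arrangement, while a digest over the whole arrangement rejects it. The manifest encoding, function names and sample trees are constructed for illustration and are not 0install's actual manifest format.

```python
import hashlib
import hmac

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def per_file_set(tree: dict[str, bytes]) -> frozenset[str]:
    """Content hashes only: what "hashing each file" records."""
    return frozenset(file_hash(d) for d in tree.values())

def arrangement_digest(tree: dict[str, bytes]) -> str:
    """Digest over a canonical manifest that binds every path to its content."""
    h = hashlib.sha256()
    for path in sorted(tree):              # canonical order, independent of dict order
        p = path.encode("utf-8")
        h.update(len(p).to_bytes(4, "big"))  # length prefix: a path cannot be
        h.update(p)                          # confused with the next manifest field
        h.update(bytes.fromhex(file_hash(tree[path])))
    return h.hexdigest()

def naive_accepts(tree: dict[str, bytes], approved: frozenset[str]) -> bool:
    """Accept if every file's hash is known, ignoring where the file sits."""
    return all(file_hash(d) in approved for d in tree.values())

def strict_accepts(tree: dict[str, bytes], expected: str) -> bool:
    """Accept only if the whole arrangement matches the published digest."""
    return hmac.compare_digest(arrangement_digest(tree), expected)

# Constructed sample trees (path -> content).
PUBLISHED = {
    "bin/tool": b"#!/bin/sh\nexec real-tool\n",
    "share/doc/example.sh": b"#!/bin/sh\necho demo\n",
}
# Same two files, swapped between paths.
REARRANGED = {
    "bin/tool": PUBLISHED["share/doc/example.sh"],
    "share/doc/example.sh": PUBLISHED["bin/tool"],
}
# One file silently omitted.
DROPPED = {"bin/tool": PUBLISHED["bin/tool"]}

if __name__ == "__main__":
    approved, expected = per_file_set(PUBLISHED), arrangement_digest(PUBLISHED)
    for name, tree in [("published", PUBLISHED), ("rearranged", REARRANGED), ("dropped", DROPPED)]:
        print(name, "naive:", naive_accepts(tree, approved), "strict:", strict_accepts(tree, expected))
```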
