
Re: New package managment



Erik wrote:
> 
> > BAD (but typical) STORY:

> almost sounds like an argument against using libraries :) hehehe

And that truly, honestly does happen. MANY people (myself
included) would rather write a whole bunch of new code
from scratch than drag in another library dependency.

My game relies on three libraries: PLIB (which is my own
and doesn't count), GLUT and Mesa.

About 80% of my support email comes from people who don't
have one or other of those installed properly or at the
correct location or some crap like that.

> I dunno if I like the sound of that :/ My computer taking off and downloading
> and installing stuff without me at the helm sounds frightening.

Well, yes - but John Q Public won't be so nervous about it.

After all, you are downloading a game from God-knows-who and
probably doing the "make install" as root.  You have already
given someone who is perhaps not trustworthy the ability to
do terrible things to you.

I guess the download process could stop and ask "Do you really
want to install Clanlib from http://<whatever>.html?"

> Especially
> considering these different packages would be gotten from
> different places, and the level of trust is unknown of
> these sites.

But you need to trust those sites anyway in the end.  How
do you evaluate a "trusted" site?  Because it has a cool
game on it?

> This'd need to be run as root,
> and if one of those many many sites were violated or something unexpected
> happens, this could prove detrimental to the machine.

Do you inspect the innards of all those Makefiles before you
run 'make install' as root?   It has exactly the same power
to turn to the dark side.

> Also, what happens if clanlib says "needs hermes > xx" but hermes gets another
> release that breaks some stuff? then this script fails horribly, and the user
> thinks linux just doesn't have its shit together cuz of it

Well, true.  But again, the manual process suffers those exact
same problems.
 
<sigh>  I understand your concerns - and share them to some
degree.  It's frightening the number of packages I have downloaded
from people I don't know from Adam, blindly installed them and
thought nothing of it.

All I know is that from the mail I get, something BADLY needs
to be done.

The process I describe would work because:

  * I trust the Pingus site (I have to because I'm going
    to run their code without checking it for Trojan horses
    under my own user ID - and possibly I'll run 'make install'
    as root).

  * Because the "pingus.autoweb" file is trusted, I have to
    accept that the authors of Pingus are not doing something
    nasty to me by recommending ClanLib as a trusted site.

  * By implication, I trust Clanlib because they are trusted
    by Pingus - whom I trust.

  * Hence by a chain of trusted people, we arrive at the final
    process.

Installing any kind of binary or even source package from the
web is an incredibly risky thing to do. I don't see that my
proposal really makes things that much worse.

--
Steve Baker                (817)619-2657 (Vox/Vox-Mail)
Raytheon Systems Inc.      (817)619-2466 (Fax)
Work: sjbaker@hti.com      http://www.hti.com
Home: sjbaker1@airmail.net http://web2.airmail.net/sjbaker1
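The chain-of-trust walk Steve sketches (Pingus vouches for ClanLib, ClanLib vouches for Hermes, the installer stops to ask before each hop, and a "needs hermes > xx" constraint is checked against what the site actually offers) can be modelled in a few dozen lines. The block below is an added example, not code from the original post or from any real "autoweb" tool; the .autoweb field layout, the example.invalid-style URLs, the versions and the confirm-callback policy are all constructed assumptions.

```python
# Added example, not code from the original post: a toy model of the
# chain-of-trust dependency walk described above.  The .autoweb field
# names, URLs, versions and the three sample packages are all constructed.
from dataclasses import dataclass, field


@dataclass
class Autoweb:
    """One package's .autoweb description (assumed format)."""
    name: str
    version: str
    url: str                                      # where the author says to fetch it
    requires: dict = field(default_factory=dict)  # dep name -> (min version, its .autoweb URL)


def parse_version(v):
    """'1.10' -> (1, 10) so comparisons are numeric, not lexical ('1.10' > '1.9')."""
    return tuple(int(p) for p in v.split("."))


# Constructed sample data: three sites, each vouching only for the next hop.
SITES = {
    "http://pingus.example/pingus.autoweb": Autoweb(
        "pingus", "0.5", "http://pingus.example/pingus.tar.gz",
        {"clanlib": ("0.3", "http://clanlib.example/clanlib.autoweb")}),
    "http://clanlib.example/clanlib.autoweb": Autoweb(
        "clanlib", "0.4", "http://clanlib.example/clanlib.tar.gz",
        {"hermes": ("1.2", "http://hermes.example/hermes.autoweb")}),
    "http://hermes.example/hermes.autoweb": Autoweb(
        "hermes", "1.3", "http://hermes.example/hermes.tar.gz"),
}


class Refused(Exception):
    """Raised when the user (or a policy) declines one hop of the chain."""


def resolve(autoweb_url, sites, confirm, trust_path=(), plan=None):
    """Walk the dependency chain depth-first and return the install order.

    confirm(name, url, trust_path) stands in for the
    "Do you really want to install X from Y?" prompt.  trust_path records
    who vouched for whom, so the user sees that Hermes is being installed
    on ClanLib's say-so, which in turn rests on Pingus's.
    Innermost dependencies come first in the returned plan.
    """
    if plan is None:
        plan = []
    spec = sites[autoweb_url]
    if spec.name in trust_path:
        raise ValueError(f"dependency cycle at {spec.name}")
    if any(step["name"] == spec.name for step in plan):
        return plan                               # already planned via another path
    path = trust_path + (spec.name,)
    if not confirm(spec.name, spec.url, path):
        raise Refused(f"{spec.name} from {spec.url} (chain: {' -> '.join(path)})")
    for dep, (min_ver, dep_autoweb) in spec.requires.items():
        offered = sites[dep_autoweb].version
        # Only a lower bound is expressed, exactly as in "needs hermes > xx";
        # a newer-but-incompatible release passes this check, which is the
        # failure mode raised in the thread.
        if parse_version(offered) < parse_version(min_ver):
            raise ValueError(f"{spec.name} needs {dep} >= {min_ver}, site offers {offered}")
        resolve(dep_autoweb, sites, confirm, path, plan)
    plan.append({"name": spec.name, "url": spec.url, "trust_path": path})
    return plan


def accept_all(name, url, trust_path):
    """The 'John Q Public' policy: never refuse a hop."""
    return True


def trust_only(allowed):
    """Policy: accept a package only if every link in its trust path is in `allowed`."""
    def confirm(name, url, trust_path):
        return all(hop in allowed for hop in trust_path)
    return confirm


if __name__ == "__main__":
    for step in resolve("http://pingus.example/pingus.autoweb", SITES, accept_all):
        print(f"{step['name']:8} from {step['url']}  via {' -> '.join(step['trust_path'])}")
```

Run as-is it prints the install order hermes, clanlib, pingus, each with the chain of sites that vouched for it; swapping `accept_all` for `trust_only({"pingus", "clanlib"})` makes the walk stop at the Hermes hop, which is the point at which a real installer would prompt rather than silently continue as root.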