On Sat, 2003-10-04 at 14:02, Nicolas Mailhot wrote:
On Sat 04/10/2003 at 19:58, Andy Hanton wrote:
On Sat, 2003-10-04 at 13:20, Michael Schwendt wrote:
On Sat, 04 Oct 2003 11:51:34 -0400, Sean Middleditch wrote:
Given the autopackage project, RPMs and their (possible) problems may in the future just be relegated to low-level system stuff, which is another solution, but one not yet ready.
This one? http://autopackage.org/faq.html Doesn't look promising in the middle of the FAQ.
They aren't the only ones working on this stuff. The zero-install project (http://zero-install.sf.net/) seems to be trying for a more interesting solution. They actually link software to libraries using a caching http filesystem. For example, an application that needs gtk2 would link to /uri/0install/www.gtk.org/gtk2/libgtk-x11-2.0.so. So it doesn't need the funny hacks autopackage uses to detect what the user has installed. The user can double click the application and all the dependencies are downloaded automatically and doing so never breaks anything else on the system.
And how do you trust the result ? RPMs at least are signed.
I would assume that the daemon that runs the /uri filesystem would check signatures on downloads. I don't think it does yet but there is no reason that it couldn't. Some effort would be necessary to set up a web of trust so that the user didn't have to decide if the keys were valid.
I believe that the zero-install system actually downloads the contents of directories as tarballs, so they could just sign the tarball for each release. I don't really see how that is any worse than what rpm offers.
There is already a per user daemon in the system responsible for displaying download progress bars and stuff. If the signature checking failed it could present the user with a nice dialog saying that the software couldn't be run.