I should probably ignore this like most of the other "distros. are the problem" comments I see (esp. given the ML), but...

On Wed, 2011-02-16 at 19:25 +0100, Matthias Klumpp wrote:
> Interesting... So this is a social issue: You need to trust someone. But
> if you trust Debian, which does great in spreading the idea of free
> software, why won't you trust developer X, who is e.g. also a DD and
> free-software enthusiast?

I think the first problem "you" (meaning zero-install, autopackage, Klick, Lister, etc. etc.) have is that you have this very basic definition of "trust" around packaging. Yes, in general, I'm happy to "trust" a lot of upstream developers to write code and produce releases that _they think_ work. However, I would _not_ trust that a collection of those things would be a usable distribution. In fact I'd expect it to be _at best_ as good as rawhide, and I'd bet against it being that good.

With distributions like RHEL, Debian, Ubuntu or Fedora, I'd trust (at varying levels) all of them to:

1. Produce a usable distro. release.
2. Produce a set of policies that all the applications abide by.
3. Produce timely security updates, marked as such, that are tested within their release. And, as much as possible, to not combine those with normal updates.
4. Produce timely updates that are tested, and within a certain threshold of change.
5. As a "group" watch the packages collectively, and thus not allow a single developer/package/etc. to make certain decisions.
6. Provide connectivity in the 99.999% range.
7. Be transparent about what they are doing.
8. Random other stuff I haven't thought about right now.

...all based on their history over *mumble* number of years doing that.

To repeat, I wouldn't trust random upstream developers to do #1 well and I'd heavily bet against them on 2-8. To put it another way: If developers could do those things well, and were willing to do so, they'd at the very least be maintainers in Fedora/Debian/etc.

This is why 15+ years later "nobody" is using stow, autopackage, zero-install, etc. and Apple have recently got huge amounts of press for going from "run .dmg files from a random developer's website" (the perfect developers dream) to "get approved apps. into our central packaging repo." (far more centralized than even apt).

Which is also why I generally don't respond, why spend an hour or more writing an email when I can just wait 5-10 years?

> By signing all 3rd-party app "packages", the system administrator also
> could easily block all 3rd-party software, except something which is signed
> with e.g. Debian's or Google's key.

A random sysadmin. has the spare time to do that for a _small_ number of very important applications (I mean less than 10) ... maybe (and they still don't want to). And they can do that now, with existing tools that everybody is already using.

_______________________________________________
Distributions mailing list
Distributions@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/distributions