Re: App installer design: only source packages or reproducible builds

2013-05-16 Thread Jos van den Oever
Hi all,

An aspect of the package format which has not been brought up yet is the 
reproducibility of the builds.

The availability of the source of a package implies that a user can create the 
binaries from the source. However in practice, it is rarely the case that 
running the build command that makes a binary package from a source package 
results in a package with the same binary.

This deficiency means that the receiver of the software does not have the freedom 
to study how the program works, because it is very hard or nearly impossible to 
verify that the provided binary was obtained by compiling the provided source code.

There are two solutions to this problem:
 1) only ship source code and let the user compile
 2) make sure that the process to turn the source code into a binary is as 
predictable as 1 + 1 = 2.

Is it a goal of the app installer and package format to let the receivers of 
the software enjoy the freedom to study how the program works?

Best regards,
Jos

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
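
An added example, not part of the original message or of any Ubuntu tooling: it shows why a rebuilt package rarely hashes the same as the published one (build time, build user and file order leak into the archive) and how fixing those inputs makes the digest comparison meaningful. The file names, contents, timestamps and user names are constructed, and `pack` and `verify` are hypothetical helpers.

```python
import hashlib
import io
import tarfile

# Constructed sample build output (path -> contents), not a real package.
BUILD_OUTPUT = {
    "usr/bin/hello": b"\x7fELF constructed binary",
    "usr/share/doc/hello/README": b"hello\n",
}


def pack(files, mtime, owner, normalize=False):
    """Pack files into an uncompressed tar and return its SHA-256 hex digest.

    mtime and owner stand for the build machine's clock and user, two common
    sources of non-determinism; dict order stands for directory listing order.
    With normalize=True all three are replaced by fixed values.
    """
    names = sorted(files) if normalize else list(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0 if normalize else mtime
            info.uname = info.gname = "root" if normalize else owner
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def verify(published_digest, files, mtime, owner, normalize):
    """Rebuild locally and report whether the digest matches the published one."""
    return pack(files, mtime, owner, normalize) == published_digest


if __name__ == "__main__":
    # Same sources, but the receiver's machine lists files in another order.
    receiver = dict(reversed(list(BUILD_OUTPUT.items())))
    for normalize in (False, True):
        published = pack(BUILD_OUTPUT, 1368700000, "builder", normalize)
        ok = verify(published, receiver, 1368800000, "user", normalize)
        print(f"normalize={normalize}: rebuilt package matches published: {ok}")
```
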


Re: App installer design: click packages

2013-05-09 Thread Jos van den Oever
Hello Colin,

I read your ubuntu-devel mail about research into packaging. You asked for 
pointers, so I'm mailing you one.

Many of the points you are looking for in a package manager are covered by Nix.
Nix is a distro independent package manager that is very different from the 
standard package managers.

Instead of putting all applications in /usr, each version of each package is 
stored in a dedicated folder. It is possible to have many versions of packages 
and different users can use different versions.

Nix works on Ubuntu and many other operating systems today. (Also, there is an 
OS that uses Nix as the main package manager, NixOS.)

Packages are built from Nix expressions, which is a simple functional language. 
A Nix expression describes everything that goes into a package build action (a 
“derivation”): other packages, sources, the build script, environment variables 
for the build script, etc. Nix tries very hard to ensure that Nix expressions 
are deterministic: building a Nix expression twice should yield the same result.

The Nix community on #nix is very active and helpful.

To avoid dependencies between apps, you can group Nix expressions into one 
package.

Installing a package means unpacking and setting some symlinks. Switching 
between versions is just a matter of setting symlinks once both versions are 
unpacked.

Any user can install any package for themselves.

A huge amount of research including a PhD thesis went into creating Nix.

https://nixos.org/nix/

Cheers,
Jos
