Autopackage 1.0

Posted Apr 1, 2005 6:41 UTC (Fri) by khim (subscriber, #9252)
In reply to: Autopackage 1.0 by mcatkins
Parent article: Autopackage 1.0

If you think about it, it's a minor nitpick. I mean: sure enough, .rpm or .deb is not executable. Yet both have pre- and post-install scripts. Isn't it the same thing?

As long as our packages can contain random code, we cannot be sure that a "net-downloaded random package" will keep the system unbroken. So neither rpm nor deb, and of course not ebuild, is suitable for such an approach. Not really. Yet Autopackage makes the problem worse, not better! This is my grief. This is not a packaging system - this is an installer like InstallShit^H^H^H^HAnywhere plus a packaging system (and the latter part is poorly made, BTW).


Autopackage 1.0

Posted Apr 1, 2005 7:10 UTC (Fri) by mcatkins (guest, #4270)

Thinking about it some more, you are probably right. I was thinking
that at least the package integrity, etc. was checked before getting
to that point. But you're right - this doesn't really give you much.

I would maintain, however, that we shouldn't be encouraging people
to get into the habit of download+run (without putting on thinking hat).

Download+feed_to_some_program at least leaves open the possibility
that some checks occur, or could be added in the future, and thus is
a better habit to encourage - IMHO.

There is no replacement for "trusting" (to some extent) the source
of your packages!

My other comments still stand....

Autopackage 1.0

Posted Apr 1, 2005 10:37 UTC (Fri) by ballombe (subscriber, #9523)

> If you think about it, it's a minor nitpick. I mean: sure enough, .rpm or .deb is not executable. Yet both have pre- and post-install scripts. Isn't it the same thing?

No, it is not. With .deb and .rpm, you can inspect the pre- and post-install scripts before deciding to install the package. You can also decide to extract the data without running the scripts.

You cannot do that in a documented way with the current autopackage format.

Autopackage 1.0

Posted Apr 2, 2005 20:11 UTC (Sat) by khim (subscriber, #9252)

And why the hell not? It's just a script! Exactly like pre- or post-install scripts in .deb/.rpm! Sure, if you find an .rpm with a pre- or post-install script 100Kb in size you'll probably skip this package (it's scary: what will this #&*!^@&*#@ thing do with my system?), but... the difference is in quantity, not in size.

Basically: .rpm/.deb can be disastrous beasts, .package is always a disastrous beast. The first choice is better than the second one, though not by very much.

Autopackage 1.0

Posted Apr 7, 2005 13:08 UTC (Thu) by mikehearn (guest, #29106)

Sure you can. The -d switch is documented and stable, it won't disappear anytime soon. It means running code, but it's all "in the clear" and you can read it first if you think it may be dangerous.

The -d switch puts the package into "debug" mode: it extracts the payload and the metadata into the temporary working directory, then dumps you into a shell so you can explore or edit the internals. At that point, all the scripts are available for your perusal.

Autopackage 1.0

Posted Dec 27, 2005 17:54 UTC (Tue) by dontunderstand (guest, #34777)

Hey guys, you really disappoint me... why not use the concept of Softricity, but now for Linux... That is the real sandbox idea, and easy to update, safe ..., using streaming