Who maintains RPM?

Posted Aug 22, 2006 22:44 UTC (Tue) by dskoll (subscriber, #1630) [Link]

As a developer, I find RPM to be a shockingly evil piece of software. There is precious little up-to-date documentation for creating .spec files, and there are hundreds of hidden and undocumented hacks, macros and tweaks. I don't know anyone who has written a .spec file from scratch. Everyone I know starts with an existing .spec as and example and then modifies it.

We also make .debs of our software, and while building .debs is also pretty arcane, at least there's lots of documentation and it's mostly up-to-date.

Posted Aug 22, 2006 22:55 UTC (Tue) by smoogen (subscriber, #97) [Link]

Jon,

A very important correction to your article please.

> For the purposes of the people using distributions from Red Hat and SUSE,
> RPM is essentially unmaintained.

This is untrue for Red Hat (and probably SuSE.) For Red Hat, Paul Nasrat has been doing lots of work with RPM in the last year or so for Red Hat Enterprise and the porting/creation of patches to RPM in Fedora.

The reason for not upgrading in RPM for Red Hat Enterprise is pretty clear that the ABI/API for RHEL-3/4 {and SuSE 9) should be set in stone so that people can write RPMs and not have to redo syntax, logic in triggers and such.

The reason that it hasnt been upgraded in Fedora seems to have been that some of the changes in syntax, options in the 4.4.5 RPM has things that yum, mock, and apt would choke on for things like "alternatives" and other items. [I do not state this as fact however... but on hearsay from the yum original author.]

Posted Aug 23, 2006 0:51 UTC (Wed) by dowdle (subscriber, #659) [Link]

Jon,

Thanks for the article. While the problem was public and there for all to see, by bringing it out as a feature article of LWN, chances that the situation will change for the better have increased.

It wouldn't be a bad idea to mention that rpm works well for most everyone most of the time... and that in the corner cases where something does go wrong, there is usually a lot of info to be found on how to fix the problem and/or avoid it in the future. Those admissions aren't an attempt to avoid resolving the situation.

I credit Red Hat for acknowledging the problem with a named individual... rather than the typical corporate anonymous insider comment.

Now we see the problem. We know the solution... we just have to make it happen.

I would like to comment in defense of Jeff Johnson. I think he was unnecessarily vilified... not really here but in various posts linked to in this article. Now, that doesn't mean I agreed with all of his comments, reasoning, or tactics... but what he didn't say was obvious... that with regards to that bug... he really didn't want to fix the issue and didn't want to admit it. If he wasn't being paid to fix it, and it worked well enough for him, and he was happy with it, he isn't a horrible person for not fixing the problem. It was just another opportunity for someone else to say that's not good enough for me, I'll fix it. It is sad that so much effort was put into nagging at him rather than someone just fixing it and submitting a patch. Sure, he egged people on by pretending there wasn't a problem... the but the axiom of "show me the code" always applies. Of course, that is easy for me to say since I'm not a programmer. :)

I would also like clarify that perhaps there should be some sort of group formed by the various distros that use rpm (not just Red Hat and/or Fedora) to maintain it. I would imagine that all of the various companies using rpm have someone assigned to work on rpm when needed... so having all of those people, across distros, work together seems like a no-brainer. Nothing too elaborate... just a commitment to work together, find problems... and hey... maybe even set a direction for the future... unless everyone just wants to adopt that new management system that was created by all of the former Red Hat folks. What was the name of that one again? I read up on it a while ago and it had so much lingo and so many layers and features, it was really above my head. How about an article about that one?? I ask the question rather than googling it, to give others an opportunity to add to this discussion.

Yes, Red Hat created RPM and it has worked well for a long time... but Red Hat set it free some time ago... and I think it should stay that way if at all possible... as long as it finds the way to continuing to work well for years to come... or a path to something better is forged for those using it.

This is just more evidence that Red Hat is suffering from PR shell shock... and they don't want to accidentally piss off the Slashdot hordes again by grabbing control back of something that they really wanted to free... like what happened with Fedora. Yeah, some people just can't grasp reality... and I think most of those folks go into politics.

Now off the beaten path... IMNSHO, Red Hat needs to merge Cluster Server, GFS, Directory Server, and Certificate Server... into RHEL AS/ES... and then reduce the price of RHEL... to somewhere around the cost of Mac OS X Server Unlimited... and/or SUSE Linux Enterprise Server. Really they do. Then I'd use RHEL everywhere... and CentOS wouldn't even cross my mind in some situations. Yes, all of their top 100 customers have deep, deep pockets and can afford their fairly close to reasonable existing price structure... but just think how many people would buy it if it was more affordable? Volume could make up for reduced margins. Really it could.

Posted Aug 23, 2006 1:10 UTC (Wed) by drag (subscriber, #31333) [Link]

Sounds like a job for Freedesktop.org to me.

It's in the LSB so all distros have to support it, right?

I know it's not a 'desktop' issue for distros that use RPM for their native package format.. But it's a 'desktop' issue for Distros that don't use pm natively.

This is one of the major issues of Linux on the desktop right now, right? A universal package format for resolving dependancies and such?

So maybe setup a situation like with X.org and Freedesktop.org, but instead revive RPM.org and tied that into Freedesktop.org. Call it 'rpm-ng' or maybe 'upm' for 'universal package management system'.. Or something like that.

Keeping in mind the entire time that RPM has to be supported for LSB compatability and generally distros seem to value that.

So for tying into distros that only support rpms in a teriary way you could create a set of generic management utilties and libraries for handling RPM and then have some hooks were distros can utilize their own package mangement systems to resolv dependancies.

They could use a semi-intellegent method like:
Person double clicks on rpm file for very-important-program.
Dependancies are analized and semi-intellegent list of possible and recommended packages from the native distro system are displayed were a user could click on to change if they felt like it, or choose a dependancy themselves if the system fails to find a match.

So you kinda meat the distros half-way. You take care of the RPM side, provide some nice hooks, and the distros takes that and customizes it to fit into their own system.

Maybe if they do a realy good job maybe there could be a way to standardize package management system like we standardize around a GUI display system or whatnot.

I donno. Base the requirements for rpm-ng on best-of-breed examples of systems in use today..
For instance apt-get is the most usefull and mature system I've used. With the 'wajig' python-based command line front end it sort of combines all the functions into a single overal system.
What I am able to do with wajig is:
~$ wajig list-commands
All JIG commands:

addcdrom Add a CD-ROM to the list of available sources of packages
auto-alts Mark the alternative to be auto set (using set priorities)
auto-clean Remove superseded deb files from the download cache
auto-download Do an update followed by a download of all updated packages
auto-install Perform an install without asking questions (non-interactive)
available List versions of packages available for installation
bug Check reported bugs in package using the Debian Bug Tracker
build Retrieve/unpack sources and build .deb for the named packages
build-depend Retrieve packages required to build listed packages
changelog Retrieve latest changelog for the package
clean Remove all deb files from the download cache
commands List all the JIG commands and one line descriptions for each
daily-upgrade Perform an update then a dist-upgrade
dependents List of packages which depend/recommend/suggest the package
describe One line description of packages (-v and -vv for more detail)
describe-new One line description of new packages
detail Provide a detailed description of package (describe -vv)
detail-new Provide a detailed description of new packages (describe -vv)
dist-upgrade Upgrade to new distribution (installed and new rqd packages)
docs Equivalent to help with -verbose=2
download Download package files ready for an install
file-download Download packages listed in file ready for an install
file-install Install packages listed in a file
file-remove Remove packages listed in a file
find-file Search for a file within installed packages
find-pkg Search for an unofficial Debian package at apt-get.org
fix-configure Perform dpkg --configure -a (to fix interrupted configure)
fix-install Perform apt-get -f install (to fix broken dependencies)
fix-missing Perform apt-get --fix-missing upgrade
force Install packages and ignore file overwrites and depends
help Print documentation (detail depends on --verbose)
hold Place listed packages on hold so they are not upgraded
init Initialise or reset the JIG archive files
install Install (or upgrade) one or more packages or .deb files
installr Install package and associated recommended packages
installrs Install package and recommended and suggested packages
installs Install package and associated suggested packages
install/dist Install packages from specified distribution
integrity Check the integrity of installed packages (through checksums)
large List size of all large (>10MB) installed packages
last-update Identify when an update was last performed
list List the status and description of installed packages
list-all List a one line description of given or all packages
list-alts List the objects that can have alternatives configured
list-cache List the contents of the download cache
list-commands List all the JIG commands and one line descriptions for each
list-daemons List the daemons that JIG can start/stop/restart
list-files List the files that are supplied by the named package
list-hold List those packages on hold
list-installed List packages (with optional argument substring) installed
list-log List the contents of the install/remove log file (filtered)
list-names List all known packages or those containing supplied string
list-orphans List libraries not required by any installed package
list-scripts List the control scripts of the package of deb file
list-section List packages that belong to a specific section
list-section List the sections that are available
list-status Same as list but only prints first two columns, not truncated
list-wide Same as list but avoids truncating package names
local-dist-upgrade Dist-upgrade using packages already downloaded
local-upgrade Upgrade using packages already downloaded, but not any others
madison Runs the madison command of apt-cache.
move Move packages in the download cache to a local Debian mirror
new List packages that became available since last update
news Obtain the latest news about the package
new-upgrades List packages newly available for upgrading
non-free List installed packages that do not meet the DFSG
orphans List libraries not required by any installed package
package Generate a .deb file for an installed package
policy From preferences file show priorities/policy (available)
purge Remove one or more packages and configuration files
purge-depend Purge package and those it depend on and not required by others
purge-orphans Purge orphaned libraries (not required by installed packages)
readme Display the package's README file from /usr/share/doc
recursive Download package and any packages it depends on
recommended Install package and associated recommended packages
reconfigure Reconfigure the named installed packages or run gkdebconf
reinstall Reinstall each of the named packages
reload Reload daemon configs, e.g., gdm, apache (see list-daemons)
remove Remove one or more packages (see also purge)
remove-depend Remove package and its dependees not required by others
remove-orphans Remove orphaned libraries (not required by installed packages)
repackage Generate a .deb file for an installed package
reset Initialise or reset the JIG archive files
restart Stop then start a daemon, e.g., gdm, apache (see list-daemons)
rpm2deb Convert a RedHat .rpm file to a Debian .deb file
rpminstall Install a RedHat .rpm package
rpmtodeb Convert a RedHat .rpm file to a Debian .deb file
search Search for packages containing listed words
search-apt Find local Debian archives suitable for sources.list
setup Configure the sources.list file which locates Debian archives
show Provide a detailed description of package [same as detail]
showdistupgrade Trace the steps that a dist-upgrade would perform
showinstall Trace the steps that an install would perform
showremove Trace the steps that a remove would perform
showupgrade Trace the steps that an upgrade would perform
size Print out the size (in K) of all, or listed, installed packages
sizes Print out the size (in K) of all, or listed, installed packages
snapshot Generates list of package=version for all installed packages
source Retrieve and unpack sources for the named packages
start Start a daemon, e.g., gdm, apache (see list-daemons)
status Show the version and available version of packages
status-match Show the version and available version of matching packages
status-search Show the version and available version of matching packages
stop Stop a daemon, e.g., gdm, apache (see list-daemons)
suggested Install package and associated suggested packages
tasksel Run the Gnome task selector to install groups of packages
toupgrade List packages with newer versions available for upgrading
unhold Remove listed packages from hold so they are again upgraded
unofficial Search for an unofficial Debian package at apt-get.org
update Update the list of down-loadable packages
update-alts Update default alternative for things like x-window-manager
update-pci-ids Updates the local list of PCI ids from the internet master list
update-usb-ids Updates the local list of USB ids from the internet master list
upgrade Upgrade all of the installed packages or just those listed
versions List version and distribution of (all) packages.
whatis A synonym for describe
whichpkg Find the package that supplies the given command or file

Command line options:

-h|--help Print usage message.
-q|--quiet Do system commands everything quietly.
-n|--noauth Allow packages from unathenticated archives.
-s|--simulate Trace but don't execute the sequence of underlying commands.
-t|--teaching Trace the sequence of commands performed.
-v|--verbose=n Increase (or set) the level of verbosity (to n).
-y|--yes Assume yes for any questions asked.

Fuller documentation can be found at http://www.togaware.com/wajig.

So that thing is very usefull. It makes it trivially easy to do things like recompile programs from Debian Unstable to use on Debian stable. Very easy. Don't have to do pinning or anything like that. Try it out some time.

Then there is things like check-install were you can pretty much generate your own packages on the fly.

Then there is 'smart', which does pretty intellegent way of managing dependancies...
Although I would REEAALY prefer a human editable way to configure it. Binary only configuration files suck.

It just seems to me that packages as they are now have a lot of obvious flaws and f-ups and such. They were designed before their was realy effective package management. Maybe it's time to take years and years of experiance and make something that is simple yet effective.

Posted Aug 23, 2006 3:43 UTC (Wed) by skvidal (subscriber, #3094) [Link]

A little light to add to things:

The thread about Jeff on the Fab list is partly about behavior on bugzilla and partly about issues interacting with him from various rpm maintainers in various distros.

Cruise through bug reports and the rpm-devel mailing list archives. There are a number of not-so-fun interactions about different patches.

This last week Jeff announced that he would be changing the license of rpm from gpl to lgpl:
https://lists.dulug.duke.edu/pipermail/rpm-devel/2006-Aug...

That seemed a bit odd to some of us.

The fedora project board has been discussing what to do about rpm in general over the last month. At the last meeting I was tasked to talk to the other stakeholders in rpm (the distros using it, other interested parties) and find out what other people thought. The goal was to form a consortium of people who want to help maintain and further development of rpm.

I talked to people at novell/suse, mandriva, openpkg and some other not-quite-distro but not-quite-unrelated parties.

The sentiments were similar:
we're not sure what's going on. we're watching everyone else to see what they do.

What I don't want to see happen with rpm is that it breaks down and fragments. I'd like to see everyone using roughly the same tree with a stable release cycle and development roadmap. This means getting all the people involved in a place where they're willing to talk and figure out what we ALL want to achieve.

We cannot do that with the current development "process" in place.

So that's what I know and what I've been doing to try and make this a bit more reasonable for everyone.

rpm is a crucial piece of infrastructure and I think it deserves a development process at least as robust and rigorous as gnome's.

thanks,
-sv

Posted Aug 23, 2006 7:40 UTC (Wed) by joey (subscriber, #328) [Link]

rpm is not the only peice of software that is a major component of many linux distributions but has no agreed-upon upstream maintainer, and thus effectively one fork per distro. Another such peice of software is cron.

Vixie cron was last released in '93. In many distributions it's still used, but in eg, Debian, the package is the result of 13 years of patches on top of that release. The debian version number is 3.0pl1-96. That's ninty-six versions based on 3.0pl1. The Red Hat sub-version is in the fourtys. There's no standard version anymore, just this pile of patches, and other piles of patches in other distributions. If we're lucky, they at least share the same security fixes.

Another example is makedev, which was had its last upstream release in '98 and is at patchlevel 82 in Debian. Or netcat, last released in '96, patchlevel 32 in Debian, and a fork/rewrite at netcat.sourceforge.net. Or xgalaga, whose upstream author has fallen off the net and last released it in '98. The Debian package, which I maintain, is at patchlevel 37, and seeme to be the only place a lot of people can find to send patches to. But I don't want to be its upstream maintainer.

This is the kind of thing that makes me gibber in horror when people at Ubuntu talk about Debian and other distros being part of an "ecosystem of software". I don't want to be part of an ecosystem; I'd rather be part of something that works not something that muddles through via massive trial-and-error and redundancy. Biomass is another word for "shit".

But I digress..

The most productive thing I've seen done to try to address this general problem is the Unmaintained Free Software wiki, which tries to track this software and find new maintainers. That has managed to match up some software with interested people (though it failed with xgalaga), but I think it actually works less well for big and important software that ends up forked and maintained separately by the major linux distributions.

I, myself, am beginning to use the degree of divergence from upstream as an indicator of how well a distribution maintains a given peice of software, with more divergence == bad. A distro that's doing a good job will a) get their patches integrated upstream and b) should work with other distros to find a new developer if upstream goes missing or insane.This is the inverse of what people might naively consider a good metric of how much work a distro is doing, but I think it leads to better software in the long run.

PS: My limited interaction with Jeff when I used to maintain rpm for Debian was fairly problem-free.
PPS: I've written hundreds of spec files compeltly by hand, a dozen years ago. :-)

Posted Aug 23, 2006 15:22 UTC (Wed) by stock (guest, #5849) [Link]

i would say that mandrake/mandriva did a tremendous job of their own.
Their (S)RPM system never gave me problems with them. everything works
like expected and reported. Here's the Mandriva wiki's on RPM :

Mandriva RPM HOWTO
http://qa.mandriva.com/twiki/bin/view/Main/RpmHowTo

URPMI resources page
http://qa.mandriva.com/twiki/bin/view/Main/UrpmiResources

Posted Aug 23, 2006 17:11 UTC (Wed) by emkey (guest, #144) [Link]

RedHat has been making some much needed improvements in the RHEL 4 version of rpm at least. A couple of years back Mr. Johnson apparently decided it was a good idea to remove all DB file locking from RPM rather then fix the limited locking that existed at the time. This was needless to say a rather bad idea and led to lots of accidental corruption. RedHat has fixed this issue. They've also been very responsive to other suggestions for fixes and changes. For instance until recently there was no equivalent for --ignoresize when trying to remove rpm's. Why did this matter? Because until recently rpm insisted on stat'ing every single mounted filesystem any time it did an add or remove. It is not out of the ordinary to have one or more remote filesystems in a less then happy state if you're environment is large and complex. Having your rpm remove hang for long periods of time was very frustrating.

In summary, RedHat has been doing a much better job recently on the RPM front. Now they need to formalize things and take back control. Based on past experience I wouldn't touch anything Mr. Johnson worked on with a fifty foot pole.

Posted Aug 24, 2006 1:33 UTC (Thu) by dankamongmen (subscriber, #35141) [Link]

Thanks very much for an interesting and informative story on a topic I, as a Debian elitist, would otherwise have likely missed in toto. It's articles like this that keep me subscribing.

Posted Aug 24, 2006 7:50 UTC (Thu) by lamikr (guest, #2289) [Link]

Is there something technicallly advantageous in deb packages compared to rpm packages or other way around?

Like does either of these systems have superiour dependency handling tools for the package developers, or better syntax for handling those dependencies.

Or are these tools just offering about the same level of functionality while being incompatible with each others and requiring that the app packagers need to handle both of the syntaxes. In that case maybe it would go a good idea from fedora to jump also to jump to use debian packages by default. At least for the end users that could be a win in the long run.

Posted Aug 24, 2006 20:29 UTC (Thu) by sarnold (guest, #39590) [Link]

I've known Jeff for years; while I've had my fair share of arguments with RPM (and I've lost many :), I have always enjoyed discussing my problems with Jeff. He doesn't always like my proposed solutions to problems, but he has always been willing to talk about what problem I'm trying to solve so that he can help find a solution that works better for more people.

Mistakes were made in RPM's development, but blaming every deficiency of RPM on Jeff is also a mistake.