Fedora developers on PackageKit [LWN.net]

Effort is beyond abilities of average ISV

Posted Jan 19, 2008 11:14 UTC (Sat) by khim (subscriber, #9252) [Link]

To make it all possible you need few distributions on few computers (KVM is your friend), someone who know all these distributions and writes correct instructions for package builders, etc. 99% if ISV are two guys with two computers and Visual Studio .NET (5 years ago it was Visual Basic 6). They DON'T have serious resources to pour on packaging problem. More: they don't even have TIME to learn how to do packages. In Microsoft world they are using wizards for the whole process - from start to finish: they only need to enter few names. While the resulting "installer" can be nightmare to support at least it exist. Linux does not even comes close: there are no easy way to create quick-and-dirty multy-platform package.

Effort is beyond abilities of average ISV

Posted Jan 19, 2008 14:44 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

And in Microsoft world you have huge pains eventually with third-party programs. You can't
simply "upgrade". Or you can use klik and such which is equivalent to the naive "Microsoft"
approach.

You have something equivalent for a "multi-platform-packages": LSB RPM packages. Those will
sortof work. But how do you resolve dependencies?

If a security issue comes up with libpng, will the vendors of all third-party  packages
provide you updates in a timely manner? (hint: not). With any linux distribution, you just
update the libpng package and don't need to download 200MB of updates for that.

Effort is beyond abilities of average ISV

Posted Jan 19, 2008 23:04 UTC (Sat) by cortana (subscriber, #24596) [Link]

I am terrifyied when using a Windows system, really. How many private copies of vulnerable
versions of libpng and zlib infest a typical machine?

Effort is beyond abilities of average ISV

Posted Jan 20, 2008 10:04 UTC (Sun) by NAR (subscriber, #1313) [Link]

I'm afraid, most people are not interested in security updates, especially if they can't install the damn thing in the first place. Currently the "Next->Next->Finish" type installer usually works better (for installing!) for casual users than installing some 3rd party linux package.

Anyway, how many application can be really vulnerable to a libpng bug? The browser, the mailer, some mediaplayer? Most of them do get security updates, unless the user turned it off.

Bye,NAR

Effort is beyond abilities of average ISV

Posted Jan 20, 2008 12:59 UTC (Sun) by tzafrir (subscriber, #11501) [Link]

Again, we have those in Linux (e.g: klik). And they are not popular, for a good reason.

next->next->next does not include the time it takes to:
* Locate the software
* Verify that it is not a trojan

The mere fact that you have to ask the user questions is a usability bug. In Debian it was
fixed long ago with debconf: a standard way to ask questions. With priority (so you can tell
the installed package to only ask important questions, or ask all questions) and you can
provide answers in advance.

Effort is beyond abilities of average ISV

Posted Jan 22, 2008 13:19 UTC (Tue) by petebull (guest, #7857) [Link]

And if they use a standalone installer, they have yet another application 
they have to look after to stay secure.

If they put up with the burden to add the repository, verify the 
repository signing key and install it with the distributions package 
management system, the updates will come in like any other security patch.

ISV packaging will lead to even more code duplication with libraries like 
libpng etc.

IIRC openSUSEs One Click Install provides a way to the casual user to add 
repositories and install software with one click.

Effort is beyond abilities of average ISV

Posted Jan 21, 2008 12:54 UTC (Mon) by robilad (guest, #27163) [Link]

Money can be used to purchase time from those that want to trade it for money.