OLS: An introduction to Conary
Package management systems have come into use in almost every distribution out there. They are a clear step up from what came before, but, as Eric pointed out, significant problems have been building for years. These include:
- Repositories are an afterthought. A typical repository is a simple
collection of files in whatever package format is being used, perhaps
with a bit of metadata.
- The version scheme used by most package managers follows a straight
line model; there is no provision for branches. That makes it hard,
for example, to determine which version of a package is appropriate
for a specific release of a given distribution.
- Packages contain scripts which handle parts of the installation and removal process which go beyond the simple management of files. These scripts tend to contain a lot of boilerplate, and are replicated in every package file. Bugs, too, are replicated, and there is no one place to go to fix them. The scripts are also not portable across distributions (even those using the same package format) and cannot be customized for an individual site's needs.
Conary was developed as a way of addressing the above limitations and to make it possible for users to create their own, customized distributions in an easy manner. In the simplest sense, one can think of Conary as a package management system with a more consistent view of objects from the repository level down to individual files, combined with a version management scheme.
Conary treats files as "first class objects," which are managed by the framework as a whole. Files have a unique ID and a version history; they also have a set of attributes. One of those attributes is the file's location in the filesystem; moving a file is a simple matter of changing that attribute.
A "trove" is a container holding one or more files and other troves. Files are contained by reference. A "component" is a collection of files, by reference. Example components listed by Eric for the bzip2 package might be bzip2:runtime (binary files to run the program), bzip2:lib, bzip2:doc, and, of course, bzip2:source. Components can be aggregated together into packages. Both components and packages are considered to be "troves," for what it's worth.
Version strings are hung onto everything; Specifix has added some complexity to the versioning system, though. Each version string includes the repository name, a namespace (think of it as a distribution name), a branch name (for the creation of trees in the version space), the upstream package version, and a two-part local revision number. Needless to say, the version strings get long, but the system hides the full string most of the time. Creating versions in this way allows the system to easily determine which version of a package is the newest, which version of which distribution is built for, and so on.
Branching is done by adding a branch name to the version string. Branching allows the tracking of versions of packages which were shipped with a specific distribution, along with updates to those packages. There is also a special type of branch called a "shadow" which tracks changes to the trunk it was branched from. Essentially, the shadow is automatically merged with each new version of the trunk it is following. This feature would be useful for somebody maintaining a derivative distribution; they want to keep up with what the source distribution is doing without losing track of their own changes. The only problem with shadows is that, like a number of other Conary features, they are not actually implemented yet.
"Flavors" are another Conary feature; they seem to be patterned after Gentoo's "USE flags." A flavor is a set of configuration options describing how all packages are to be built. This feature is used for multiple architecture support, or for building versions of distributions with different feature sets (e.g. creating a distribution without PAM support). Multiple flavors of a package can be installed on a system if they don't conflict with each other; this allows, for example, the installation of 32-bit libraries on x86-64 systems.
Then, there is the concept of "changesets." A changeset is a collection of modifications to files (including attribute changes) and the troves which contain them. A changeset is, essentially, a patch to a package or a distribution. Changesets, which track only changes, can be much smaller than the packages they describe, and can thus be an efficient way of distributing updates. Changesets describe changes to configuration files in diff format, which often allows them to be merged automatically with local changes. A system administrator can also create a changeset describing his or her local changes to the system; that changeset can then be used for merging with updates, or replicating the system elsewhere. Local changesets can also be used for version control and the tracking of system changes.
"Tags" are Conary's answer to the package script problem (and, also, to the complex set of interactions represented by the RPM "trigger" mechanism). A tag is a file attribute describing the type of the file, be it "shared library," "info file," or any of a long list of alternatives. Most files can be tagged automatically by Conary. Tags have scripts associated with them; there is, for example, a script which handles the installation of an info file and updating the relevant directory. These scripts are distributed separately; there is only one copy of them on the system. The scripts are thus easily fixed when bugs turn up, and they can be customized by the local administrator if need be. Separating out the management scripts in this way should also make it easier to install packages from other distributions.
A "fileset" is an arbitrary collection of files built from components in the repository. Filesets seem to be intended to help in the creation of small system images for embedded systems; they allow an easy picking and choosing of an exact set of desired files. "Groups" are, instead, the analog of the Debian "task" or Anaconda "component." They allow the management of several packages as a unit, but they come with their own local changesets so that local changes to the group are tracked properly.
The paper from the OLS proceedings (PDF format) is worthwhile reading for anybody wanting more details on how Conary works.
Interested parties can download an early Conary release from the Specifix web site.
Be warned, however, that a few features are still missing; they include
shadows, dependencies (an important issue that they "think" they know how
to implement), flavors, package signatures, and more. "Release early" is an
important part of the free software development process, however, and the
Specifix founders understand that process well. Conary's vaporware
features will, beyond doubt, be filled in soon. As that happens, expect
interest in this tool to increase; it truly does have the potential to
change the way we set up and manage our projects, distributions, and
systems.
| Index entries for this article | |
|---|---|
| Conference | Linux Symposium/2004 |
Posted Jul 28, 2004 17:13 UTC (Wed)
by ccyoung (guest, #16340)
[Link] (1 responses)
In the exhausting list of attributes, why not "Intelligent Questions", letting a trove instantiate as many question/answer sets as it chooses, perhaps mapping to flavors or whatever - but something that allows others' expertise to effectively filter to MM's like myself. Nobody has time to be good at everything.
Posted Jul 29, 2004 2:16 UTC (Thu)
by hazelsct (guest, #3659)
[Link]
Posted Jul 28, 2004 18:09 UTC (Wed)
by rknop (guest, #66)
[Link] (11 responses)
Any talk about the licence this thing will be released under? Obviously, if it's not an open source licence, it's not going to be adopted by many distributions no matter how technically nice it is. It's a lot easier to convince just Linus than it is to convince (say) the Debian voters to use a proprietary pacakge.... -Rob
Posted Jul 28, 2004 18:26 UTC (Wed)
by corbet (editor, #1)
[Link]
And yes, Conary is free software, no worries there.
Posted Jul 28, 2004 18:48 UTC (Wed)
by mattdm (subscriber, #18)
[Link] (8 responses)
Posted Jul 29, 2004 8:04 UTC (Thu)
by angdraug (subscriber, #7487)
[Link] (7 responses)
CPL is yet another GPL-incompatible license. When will you people understand? There are only 3 free software licenses to choose from: X/MIT, GPL, and LGPL. Anything else is harmful to the free software movement: any marginal gains are completely overshadowed by license incompatibilities, user confusion, and legal risks.
Posted Jul 29, 2004 8:35 UTC (Thu)
by ekj (guest, #1524)
[Link] (3 responses)
I agree with you that being "different" in itself is a huge minus for a license, even when the terms by themselves are acceptable, there's always the issues of user confusion and incompatibilities between different licenses.
Posted Jul 29, 2004 10:32 UTC (Thu)
by angdraug (subscriber, #7487)
[Link] (2 responses)
Please, check the link to the licensing discussion. I've put it in my post for a reason. BTW, I forgot to add fragmentation (as opposed to diversity) to the list of harms license incompatibility brings.
Posted Jul 30, 2004 21:28 UTC (Fri)
by giraffedata (guest, #1954)
[Link] (1 responses)
It would be good if that reason were evident from the post itself. In this case, you just hyperlinked the wrong text. The text X/MIT, GPL, and LGPL does not say "licensing discussion." It suggests a link or links to descriptions of three licenses.
In this case, the text There are only 3 free software licenses would have been better text to hyperlink, and "as discussed here" would be even better.
I don't know about you, but I virtually never click on every hyperlink in a document. I have to have some clue it's something I want to read.
Posted Aug 3, 2004 14:56 UTC (Tue)
by angdraug (subscriber, #7487)
[Link]
You're right, my links could have been more obvious. When I'm interested in the subject, I usually dig deep enough to understand the point. When I'm not interested, I don't bother to read comments at all.
Posted Jul 29, 2004 13:16 UTC (Thu)
by mattdm (subscriber, #18)
[Link] (2 responses)
When will you people understand? [emphasis added] Who are the "you people" you are talking about? It's an OSI-approved license, for goodness sakes. I would really appreciate it if people would keep these ideological discussions off of the LWN comments. It's good that these discussions exist, but this isn't a useful place for them. Write a guest editorial if you want, but otherwise, post to slashdot or kuro5hin or somewhere. (Or perhaps better in this case, contact the OSI/Debian and try to convince them.) Let's keep the comments here to points of fact. (Is that an official rule? No. It'd just be nice.)
Posted Jul 29, 2004 16:12 UTC (Thu)
by angdraug (subscriber, #7487)
[Link] (1 responses)
You in particular, and other people who shrug off license incompatibility as a non-issue. OSI isn't God, they aren't even omniscient. Even worse, it is their practice of blindly approving problematic licenses that created this problem in the first place. It all started when they let Netscape get away with MPL instead of convincing them to use GPL. Isn't it ironic that Mozilla project was eventually dual-licensed under GPL anyway? It is not merely ideological as long as it has far-reaching practical consequences. I apologize for inflammatory tone of my comment, but I still think that usefulness of a license chosen by a new free software project is relevant to the discussion of this project.
Posted Aug 6, 2004 12:52 UTC (Fri)
by dash2 (guest, #11869)
[Link]
Posted Aug 9, 2004 5:33 UTC (Mon)
by mbp (subscriber, #2737)
[Link]
Nobody knows what will happen in the future: maybe it will stay free; maybe it will go proprietary; maybe they'll drop it altogether. Their intentions sounds good, and if the worst happens then the licence permits forking.
Remember bitkeeper started out with a free-ish licence originally, and then they changed.
Posted Jul 28, 2004 19:07 UTC (Wed)
by halla (subscriber, #14185)
[Link] (1 responses)
Posted Jul 28, 2004 22:10 UTC (Wed)
by jre (guest, #2807)
[Link]
Posted Jul 29, 2004 3:20 UTC (Thu)
by ncm (guest, #165)
[Link]
Posted Jul 29, 2004 8:28 UTC (Thu)
by angdraug (subscriber, #7487)
[Link] (5 responses)
Debian pools are definitely not an afterthought. It is elegant, effective, and extensible solution. What's wrong with it? I don't see any advantage in cramping all the versioning, branching, and tagging information into a package version, as opposed to managing this separately. I like Monotone's idea of using SHA1 for a version: if the file is the same, its version should be the same no matter in how many branches it is available. At a certain level of complexity, some things are better done as scripts, as opposed to declarative programming. Either you try to provide a better scripting environment to solve these tasks, or you go the route of XSLT.
Posted Jul 29, 2004 12:48 UTC (Thu)
by angdraug (subscriber, #7487)
[Link]
Posted Jul 29, 2004 15:54 UTC (Thu)
by vmole (guest, #111)
[Link] (3 responses)
Debian pools are definitely not an afterthought.
Debian pools are absolutely an afterthought. The fact that they
are a really good solution to the problem doesn't change that. We lived
for years with seperate trees for each release.
The entire Conary article reads like someone is trying to solve the random RPM problem, where "repositories" are simply piles-of-files, and has
never seen the Debian solution. I know that's not true, so my guess
is it's a way of making Specifix look like they've solved more problems
than they have. This is unfortunate, because based on the article, they
are solving problems that the Debian system doesn't.
I do agree with the previous that leaving the dependency problem for "later" is likely to be a really bad idea. But the RPM developers have never given the problem the respect it deserves, much to the pain of their users.
Posted Jul 30, 2004 1:15 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link] (2 responses)
Triggers don't seem to be widely used (packager ignorance?) but they seem like a neat idea. With some carefully designed standards among packages (Consider: you install a mail user agent (MUA) which registers a trigger on the virtual package MTA. When any MTA is installed, the trigger runs a script which invokes the MTA's own MUA registration script. Now all MUAs can have some setting adjusted when an MTA is replaced. All of the MUAs "know" whether the system is using mbox, maildir, or MMDF system mailboxes --- for example). (Sorry if the example is silly --- better examples might relate to registration of menu items and icons in window managers or something). JimD
Posted Jul 30, 2004 13:08 UTC (Fri)
by frodonl (guest, #16826)
[Link]
While I don't know about any triggers functionality in the Debian packaging system - I never needed them, so I never really searched for it, Debian does define a standard way to create menu items, called the Debian Menu System. It works by postinstall and postrm scripts calling one central command (update-menus) that will call the menu-update scripts for the various packages that use "menu managers". Grtz, Frodo
Posted Aug 3, 2004 16:43 UTC (Tue)
by angdraug (subscriber, #7487)
[Link]
Posted Jul 30, 2004 18:35 UTC (Fri)
by X-Nc (guest, #1661)
[Link]
Ports is great with the exception of one thing; it's source based only. Linux distros like Gentoo,
Lunar Linux and the Sourcerer based ones bring the Ports idea to Linux but still are based on
source code only.
The other side of the coin is the RPM/DEB packages with apt and yum manageing them. They
work nicely but don't provide for multiple versioning of packages and easy integration of
custome packages built outside of the apt/yum repositories.
Conary has some definite potential. I'd like to see what it looks like when it's finished. It could
be the next big step for Linux and open source in general.
Being a Mere Mortal myself, I would like to see a little bit of expertise built in from the beginning, instead of patched on top later.Expertise Needed
It's not quite clear what you mean here. Do you mean something like debconf questions (which I like to think of as "wizards done right") which the installer asks of the admin during package installation or reconfiguration? Yes, it would be nice if such things could be designed into the package system from the beginning. If this isn't what you mean, please clarify.
Intelligent Questions?
No talk about the business model?Is it gonna be a bitkeeper?
The business model has to do with professional services and maintenance of custom distributions and repositories. I think.
Is it gonna be a bitkeeper?
It's released under the OSI-approved IBM CPL, which is basically GPL-like with some additional patent-related stuff.
no; it's free software.
no; it's free software.
I think you're forgetting some of the variants of BSD-licensing, some of which is GPL compatible, (in the sense that you can take code under that license, and legally incorporate it as part of a GPL project) it's hard to see how exactly that is harming free software.no; it's free software.
no; it's free software.
Please, check the link to the licensing discussion. I've put it in my post for a reason.
on overlooked links
on overlooked links
I don't know about you, but I virtually never click on every hyperlink in a document. I have to have some clue it's something I want to read.
no; it's free software.
no; it's free software.
Who are the "you people" you are talking about?
It's an OSI-approved license, for goodness sakes.
I would really appreciate it if people would keep these ideological discussions off of the LWN comments.
Gordon Bennett. Even the Gnu people themselves encourage Perl developers use the Perl license rather than the pure GPL.no; it's free software.
At the moment they say they plan to keep the Conary software free and to make money using it rather than from it.Is it gonna be a bitkeeper?
Am I the only one who only noticed that it is _conary_ not _coronary_ near OLS: An introduction to Conary
the end of the article? It's as bad as kroupware...
I looked through the Specifix site and technical presentation, and found no explanation of why they chose this name.
OLS: An introduction to Conary
It is an
Irish place and family name,
so it may have sentimental appeal to someone at Specifix.
Or maybe we are now consing sylbles, as in "Conary arty blage."
It looked like it might be interesting until that last paragraph. Saving design of dependency processing for last is not a good way to end up with an advance over dpkg.
Had me going there
Strawman problems or poorly done homework?
Repositories are an afterthought.
The version scheme used by most package managers follows a straight line model; there is no provision for branches.
Packages contain scripts which handle parts of the installation and removal process which go beyond the simple management of files.
I also noticed that the whitepaper carefully walks around ever mentioning APT. I can understand people who don't know anything about Debian package pools, but no mention of APT?
Strawman problems or poorly done homework?
Strawman problems or poorly done homework?
One think I'm curious about. Is there support in the Debian packaging system for triggers (like RPM has)?Triggers in dpkg/APT?
they could make your package management system almost "object-oriented."Triggers in dpkg/APT?
Assessment of triggers is the one thing in the Conary whitepaper that I tend to agree with. Triggers require that too many packages know too much about each other: this creates more complexity and points of breakage than it's worth. Think of it as dependency hell on drugs.Triggers in dpkg/APT?
After a general once-over, and some poking around, I think the idea of Conary looks good. I've
always been of the idea that there might be a way to bring the RPM/DEB package ideas and the
BSD Ports system together.
This looks like the next evolution of package management