Weekly Edition
Return to the Front page
| |||||||||||||
OLS: An introduction to Conary
Specifix, a company founded by a
number of early Red Hat developers, recently came out of hiding. At the
2004 Ottawa Linux Symposium, Eric Troan gave a presentation on Conary, the
company's system for package, repository, and distribution management. It
was a technical talk from the beginning to the end; Eric would not talk
about Specifix's business model even when asked (though he offered to do so
in private). If nothing else, he understands what the OLS crowd is looking
to hear.
Package management systems have come into use in almost every distribution out there. They are a clear step up from what came before, but, as Eric pointed out, significant problems have been building for years. These include:
Conary was developed as a way of addressing the above limitations and to make it possible for users to create their own, customized distributions in an easy manner. In the simplest sense, one can think of Conary as a package management system with a more consistent view of objects from the repository level down to individual files, combined with a version management scheme. Conary treats files as "first class objects," which are managed by the framework as a whole. Files have a unique ID and a version history; they also have a set of attributes. One of those attributes is the file's location in the filesystem; moving a file is a simple matter of changing that attribute. A "trove" is a container holding one or more files and other troves. Files are contained by reference. A "component" is a collection of files, by reference. Example components listed by Eric for the bzip2 package might be bzip2:runtime (binary files to run the program), bzip2:lib, bzip2:doc, and, of course, bzip2:source. Components can be aggregated together into packages. Both components and packages are considered to be "troves," for what it's worth. Version strings are hung onto everything; Specifix has added some complexity to the versioning system, though. Each version string includes the repository name, a namespace (think of it as a distribution name), a branch name (for the creation of trees in the version space), the upstream package version, and a two-part local revision number. Needless to say, the version strings get long, but the system hides the full string most of the time. Creating versions in this way allows the system to easily determine which version of a package is the newest, which version of which distribution is built for, and so on. Branching is done by adding a branch name to the version string. Branching allows the tracking of versions of packages which were shipped with a specific distribution, along with updates to those packages. There is also a special type of branch called a "shadow" which tracks changes to the trunk it was branched from. Essentially, the shadow is automatically merged with each new version of the trunk it is following. This feature would be useful for somebody maintaining a derivative distribution; they want to keep up with what the source distribution is doing without losing track of their own changes. The only problem with shadows is that, like a number of other Conary features, they are not actually implemented yet. "Flavors" are another Conary feature; they seem to be patterned after Gentoo's "USE flags." A flavor is a set of configuration options describing how all packages are to be built. This feature is used for multiple architecture support, or for building versions of distributions with different feature sets (e.g. creating a distribution without PAM support). Multiple flavors of a package can be installed on a system if they don't conflict with each other; this allows, for example, the installation of 32-bit libraries on x86-64 systems. Then, there is the concept of "changesets." A changeset is a collection of modifications to files (including attribute changes) and the troves which contain them. A changeset is, essentially, a patch to a package or a distribution. Changesets, which track only changes, can be much smaller than the packages they describe, and can thus be an efficient way of distributing updates. Changesets describe changes to configuration files in diff format, which often allows them to be merged automatically with local changes. A system administrator can also create a changeset describing his or her local changes to the system; that changeset can then be used for merging with updates, or replicating the system elsewhere. Local changesets can also be used for version control and the tracking of system changes. "Tags" are Conary's answer to the package script problem (and, also, to the complex set of interactions represented by the RPM "trigger" mechanism). A tag is a file attribute describing the type of the file, be it "shared library," "info file," or any of a long list of alternatives. Most files can be tagged automatically by Conary. Tags have scripts associated with them; there is, for example, a script which handles the installation of an info file and updating the relevant directory. These scripts are distributed separately; there is only one copy of them on the system. The scripts are thus easily fixed when bugs turn up, and they can be customized by the local administrator if need be. Separating out the management scripts in this way should also make it easier to install packages from other distributions. A "fileset" is an arbitrary collection of files built from components in the repository. Filesets seem to be intended to help in the creation of small system images for embedded systems; they allow an easy picking and choosing of an exact set of desired files. "Groups" are, instead, the analog of the Debian "task" or Anaconda "component." They allow the management of several packages as a unit, but they come with their own local changesets so that local changes to the group are tracked properly. The paper from the OLS proceedings (PDF format) is worthwhile reading for anybody wanting more details on how Conary works. Interested parties can download an early Conary release from the Specifix web site. Be warned, however, that a few features are still missing; they include shadows, dependencies (an important issue that they "think" they know how to implement), flavors, package signatures, and more. "Release early" is an important part of the free software development process, however, and the Specifix founders understand that process well. Conary's vaporware features will, beyond doubt, be filled in soon. As that happens, expect interest in this tool to increase; it truly does have the potential to change the way we set up and manage our projects, distributions, and systems. (Log in to post comments)
Expertise Needed Posted Jul 28, 2004 17:13 UTC (Wed) by ccyoung (guest, #16340) [Link] Being a Mere Mortal myself, I would like to see a little bit of expertise built in from the beginning, instead of patched on top later.In the exhausting list of attributes, why not "Intelligent Questions", letting a trove instantiate as many question/answer sets as it chooses, perhaps mapping to flavors or whatever - but something that allows others' expertise to effectively filter to MM's like myself. Nobody has time to be good at everything.
Intelligent Questions? Posted Jul 29, 2004 2:16 UTC (Thu) by hazelsct (guest, #3659) [Link] It's not quite clear what you mean here. Do you mean something like debconf questions (which I like to think of as "wizards done right") which the installer asks of the admin during package installation or reconfiguration? Yes, it would be nice if such things could be designed into the package system from the beginning. If this isn't what you mean, please clarify.
Is it gonna be a bitkeeper? Posted Jul 28, 2004 18:09 UTC (Wed) by rknop (guest, #66) [Link] No talk about the business model?Any talk about the licence this thing will be released under? Obviously, if it's not an open source licence, it's not going to be adopted by many distributions no matter how technically nice it is. It's a lot easier to convince just Linus than it is to convince (say) the Debian voters to use a proprietary pacakge.... -Rob
Is it gonna be a bitkeeper? Posted Jul 28, 2004 18:26 UTC (Wed) by corbet (editor, #1) [Link] The business model has to do with professional services and maintenance of custom distributions and repositories. I think.And yes, Conary is free software, no worries there.
no; it's free software. Posted Jul 28, 2004 18:48 UTC (Wed) by mattdm (subscriber, #18) [Link] It's released under the OSI-approved IBM CPL, which is basically GPL-like with some additional patent-related stuff.
no; it's free software. Posted Jul 29, 2004 8:04 UTC (Thu) by angdraug (subscriber, #7487) [Link] CPL is yet another GPL-incompatible license. When will you people understand? There are only 3 free software licenses to choose from: X/MIT, GPL, and LGPL. Anything else is harmful to the free software movement: any marginal gains are completely overshadowed by license incompatibilities, user confusion, and legal risks.
no; it's free software. Posted Jul 29, 2004 8:35 UTC (Thu) by ekj (subscriber, #1524) [Link] I think you're forgetting some of the variants of BSD-licensing, some of which is GPL compatible, (in the sense that you can take code under that license, and legally incorporate it as part of a GPL project) it's hard to see how exactly that is harming free software.I agree with you that being "different" in itself is a huge minus for a license, even when the terms by themselves are acceptable, there's always the issues of user confusion and incompatibilities between different licenses.
no; it's free software. Posted Jul 29, 2004 10:32 UTC (Thu) by angdraug (subscriber, #7487) [Link] Please, check the link to the licensing discussion. I've put it in my post for a reason. BTW, I forgot to add fragmentation (as opposed to diversity) to the list of harms license incompatibility brings.
on overlooked links Posted Jul 30, 2004 21:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link] Please, check the link to the licensing discussion. I've put it in my post for a reason.It would be good if that reason were evident from the post itself. In this case, you just hyperlinked the wrong text. The text X/MIT, GPL, and LGPL does not say "licensing discussion." It suggests a link or links to descriptions of three licenses. In this case, the text There are only 3 free software licenses would have been better text to hyperlink, and "as discussed here" would be even better. I don't know about you, but I virtually never click on every hyperlink in a document. I have to have some clue it's something I want to read.
on overlooked links Posted Aug 3, 2004 14:56 UTC (Tue) by angdraug (subscriber, #7487) [Link] You're right, my links could have been more obvious. I don't know about you, but I virtually never click on every hyperlink in a document. I have to have some clue it's something I want to read. When I'm interested in the subject, I usually dig deep enough to understand the point. When I'm not interested, I don't bother to read comments at all.
no; it's free software. Posted Jul 29, 2004 13:16 UTC (Thu) by mattdm (subscriber, #18) [Link] When will you people understand? [emphasis added] Who are the "you people" you are talking about? It's an OSI-approved license, for goodness sakes. I would really appreciate it if people would keep these ideological discussions off of the LWN comments. It's good that these discussions exist, but this isn't a useful place for them. Write a guest editorial if you want, but otherwise, post to slashdot or kuro5hin or somewhere. (Or perhaps better in this case, contact the OSI/Debian and try to convince them.) Let's keep the comments here to points of fact. (Is that an official rule? No. It'd just be nice.)
no; it's free software. Posted Jul 29, 2004 16:12 UTC (Thu) by angdraug (subscriber, #7487) [Link] Who are the "you people" you are talking about? You in particular, and other people who shrug off license incompatibility as a non-issue. It's an OSI-approved license, for goodness sakes. OSI isn't God, they aren't even omniscient. Even worse, it is their practice of blindly approving problematic licenses that created this problem in the first place. It all started when they let Netscape get away with MPL instead of convincing them to use GPL. Isn't it ironic that Mozilla project was eventually dual-licensed under GPL anyway? I would really appreciate it if people would keep these ideological discussions off of the LWN comments. It is not merely ideological as long as it has far-reaching practical consequences. I apologize for inflammatory tone of my comment, but I still think that usefulness of a license chosen by a new free software project is relevant to the discussion of this project.
no; it's free software. Posted Aug 6, 2004 12:52 UTC (Fri) by dash2 (guest, #11869) [Link] Gordon Bennett. Even the Gnu people themselves encourage Perl developers use the Perl license rather than the pure GPL.
Is it gonna be a bitkeeper? Posted Aug 9, 2004 5:33 UTC (Mon) by mbp (guest, #2737) [Link] At the moment they say they plan to keep the Conary software free and to make money using it rather than from it.
Nobody knows what will happen in the future: maybe it will stay free; maybe it will go proprietary; maybe they'll drop it altogether. Their intentions sounds good, and if the worst happens then the licence permits forking.
Remember bitkeeper started out with a free-ish licence originally, and then they changed.
OLS: An introduction to Conary Posted Jul 28, 2004 19:07 UTC (Wed) by boudewijn (subscriber, #14185) [Link] Am I the only one who only noticed that it is _conary_ not _coronary_ nearthe end of the article? It's as bad as kroupware...
OLS: An introduction to Conary Posted Jul 28, 2004 22:10 UTC (Wed) by jre (guest, #2807) [Link] I looked through the Specifix site and technical presentation, and found no explanation of why they chose this name.It is an Irish place and family name, so it may have sentimental appeal to someone at Specifix. Or maybe we are now consing sylbles, as in "Conary arty blage."
Had me going there Posted Jul 29, 2004 3:20 UTC (Thu) by ncm (subscriber, #165) [Link] It looked like it might be interesting until that last paragraph. Saving design of dependency processing for last is not a good way to end up with an advance over dpkg.
Strawman problems or poorly done homework? Posted Jul 29, 2004 8:28 UTC (Thu) by angdraug (subscriber, #7487) [Link] Repositories are an afterthought. Debian pools are definitely not an afterthought. It is elegant, effective, and extensible solution. What's wrong with it? The version scheme used by most package managers follows a straight line model; there is no provision for branches. I don't see any advantage in cramping all the versioning, branching, and tagging information into a package version, as opposed to managing this separately. I like Monotone's idea of using SHA1 for a version: if the file is the same, its version should be the same no matter in how many branches it is available. Packages contain scripts which handle parts of the installation and removal process which go beyond the simple management of files. At a certain level of complexity, some things are better done as scripts, as opposed to declarative programming. Either you try to provide a better scripting environment to solve these tasks, or you go the route of XSLT.
Strawman problems or poorly done homework? Posted Jul 29, 2004 12:48 UTC (Thu) by angdraug (subscriber, #7487) [Link] I also noticed that the whitepaper carefully walks around ever mentioning APT. I can understand people who don't know anything about Debian package pools, but no mention of APT?
Strawman problems or poorly done homework? Posted Jul 29, 2004 15:54 UTC (Thu) by vmole (guest, #111) [Link] Debian pools are definitely not an afterthought. Debian pools are absolutely an afterthought. The fact that they are a really good solution to the problem doesn't change that. We lived for years with seperate trees for each release. The entire Conary article reads like someone is trying to solve the random RPM problem, where "repositories" are simply piles-of-files, and has never seen the Debian solution. I know that's not true, so my guess is it's a way of making Specifix look like they've solved more problems than they have. This is unfortunate, because based on the article, they are solving problems that the Debian system doesn't. I do agree with the previous that leaving the dependency problem for "later" is likely to be a really bad idea. But the RPM developers have never given the problem the respect it deserves, much to the pain of their users.
Triggers in dpkg/APT? Posted Jul 30, 2004 1:15 UTC (Fri) by AnswerGuy (guest, #1256) [Link] One think I'm curious about. Is there support in the Debian packaging system for triggers (like RPM has)?Triggers don't seem to be widely used (packager ignorance?) but they seem like a neat idea. With some carefully designed standards among packages (Consider: you install a mail user agent (MUA) which registers a trigger on the virtual package MTA. When any MTA is installed, the trigger runs a script which invokes the MTA's own MUA registration script. Now all MUAs can have some setting adjusted when an MTA is replaced. All of the MUAs "know" whether the system is using mbox, maildir, or MMDF system mailboxes --- for example). (Sorry if the example is silly --- better examples might relate to registration of menu items and icons in window managers or something). JimD
Triggers in dpkg/APT? Posted Jul 30, 2004 13:08 UTC (Fri) by frodonl (subscriber, #16826) [Link] While I don't know about any triggers functionality in the Debian packaging system - I never needed them, so I never really searched for it, Debian does define a standard way to create menu items, called the Debian Menu System. It works by postinstall and postrm scripts calling one central command (update-menus) that will call the menu-update scripts for the various packages that use "menu managers". Grtz, Frodo
Triggers in dpkg/APT? Posted Aug 3, 2004 16:43 UTC (Tue) by angdraug (subscriber, #7487) [Link] Assessment of triggers is the one thing in the Conary whitepaper that I tend to agree with. Triggers require that too many packages know too much about each other: this creates more complexity and points of breakage than it's worth. Think of it as dependency hell on drugs.
This looks like the next evolution of package management Posted Jul 30, 2004 18:35 UTC (Fri) by X-Nc (guest, #1661) [Link] After a general once-over, and some poking around, I think the idea of Conary looks good. I've always been of the idea that there might be a way to bring the RPM/DEB package ideas and the BSD Ports system together.Ports is great with the exception of one thing; it's source based only. Linux distros like Gentoo, Lunar Linux and the Sourcerer based ones bring the Ports idea to Linux but still are based on source code only. The other side of the coin is the RPM/DEB packages with apt and yum manageing them. They work nicely but don't provide for multiple versioning of packages and easy integration of custome packages built outside of the apt/yum repositories. Conary has some definite potential. I'd like to see what it looks like when it's finished. It could be the next big step for Linux and open source in general.
|
|||||||||||||