Poettering: Revisiting how we put together Linux systems
Posted Sep 1, 2014 21:24 UTC (Mon) by roc (subscriber, #30627)
In reply to: Poettering: Revisiting how we put together Linux systems by mezcalero
Parent article: Poettering: Revisiting how we put together Linux systems
FTR I quite like the ideas here from the point of view of an app vendor (Mozilla). It's just a rather large change in the way Linux is organized (at the human level, not just the technical level), and I don't think this blog post makes those changes clear enough.
Posted Sep 1, 2014 22:08 UTC (Mon)
by sramkrishna (subscriber, #72628)
Posted Sep 2, 2014 0:08 UTC (Tue)
by mezcalero (subscriber, #45103)
But it's not just the desktop projects and the distributions that can put a runtime together. Let's say you are building a phone platform. Great! So you put together your PHONE_PLATFORM_1_0 runtime, and everybody who writes apps for your platform links against that. You do a couple of CVE fixes for that runtime, hence you do minor updates to it. But eventually, you want to introduce new functionality, so you do PHONE_PLATFORM_1_2, and then your apps link against that. But the old apps continue to work, because you can keep them both around easily.
And similarly, I figure the IVI people could agree on a runtime. Or if you are a TV manufacturer you can do a runtime for your series of TVs, and people can hack against that.
And even certain smaller open source projects could define their own runtime, like let's say some media center thing like XBMC or so. They could do a runtime for their major releases, that people can write plugins against, and then support a couple of the runtimes in parallel.
And so on, you get the idea.
And note that runtimes are not necessarily something you completely make up out of thin air. If you did, you would make yourself a lot of work, because then you have to do CVE fixes and shit, which most people don't want to be burdened with. So if I'd be KDE or GNOME I would build my runtime out of existing distro packages. That way, one can take benefit of the good work the distros already do in the CVE area. And then I pick a couple of packages that I think should make up my runtime, and there you go. Or you could even base your runtime on some packaged stuff you get from a distro (so that you don't have to maintain glibc yourself), but then you add compiled versions of the libraries you actually care about yourself. If you do that, you can take benefit of the CVE work of the distro you built on, and only have to do the CVE work for the stuff you added yourself on top.
That all said, I ultimately don't think that on the usual desktops we will really see that many different runtimes. My hope at least is that there will be KDE's and GNOME's and maybe a couple of more, but that would be it. And I think this will be self-regulating a bit, since these will be well maintained, and you will get frequent CVE updates for a long time for, and that are likely already installed on your system when you first installed it. If apps otoh pick random exotic runtimes, then this would already mean a much bigger download since you would have to get the runtime first.
Posted Sep 2, 2014 1:52 UTC (Tue)
by torquay (guest, #92428)
Posted Sep 2, 2014 18:27 UTC (Tue)
by daniels (subscriber, #16193)
Posted Sep 2, 2014 8:02 UTC (Tue)
by imunsie (guest, #68550)
Apps choose one single runtime.
Any library the app needs that is not in that runtime must be provided by the app.
Therefore, the app is responsible for security updates of all libraries it used that were not provided by the runtime.
Fail.
> My hope at least is that there will be KDE's and GNOME's and maybe a couple of more, but that would be it. And I think this will be self-regulating a bit, since these will be well maintained, and you will get frequent CVE updates for a long time for, and that are likely already installed on your system when you first installed it.
Going by the past behaviour of Gnome, this is wishful thinking.