Autopackage is an attempt to bring a universal installer to Linux systems. However, to me, it is the wrong approach. Why?
- First, and most trivially, it doesn’t come preinstalled on most distributions (yet). That means that the first .package file that you download has to be made executable with chmod +x, and then you have to run the package itself (which automatically installs Autopackage on your system). However, if you can do all of this, then why do you need a handholder in the first place? Why not just use Adept or Synaptic?
- Second, and more importantly, (once set up) it gives unknowledgeable users the ability to download and install packages from anywhere on the internet. Not only that, but during installation, it asks for your root password. This is guaranteed to be exploited if adoption grows significantly. One of the tremendous advantages of the Linux repositories system is that software within the repositories has been vetted; you can assume that it is safe. Of course, you need to have enough packages in the repository to give users the flexibility that they need, but that has not proved to be a problem.
- Finally, it currently cannot resolve dependencies on the fly; how could it? It doesn’t know about repositories; it doesn’t know about apt or urpmi; therefore, if the package that you are installing requires, e.g., lib-c++2.5 and you have lib-c++2.3, you’re screwed.
While we’re on the subject of installers, what about the Mac OS X option? Personally, I find that hideous. Yes, I just download something, double-click on it, and drag the application to somewhere…but god, how unintuitive. Windows’ solution is 10x better than that…just download and double-click!
My solution: I think KDE and Gnome should build the ability of Synaptic right into the DE; I go to my K menu, select Office, and notice that I don’t have anything to create presentations in. Why can’t I just click an “Install More Office Software” option? Once I click that, it brings up a streamlined GUI, and lets me click to install. *If I want*, I can click the “advanced” tab, enter the root password, and install system wide, but by default I should be able to install user-locally.
Why not? This approach takes advantage of the repositories that already exist, makes installation *easy* for first timers, and gives you enormous power to add new software that you don’t have on either Windows or OS X (finding it in the first place!). And, of course, it’s secure; the software comes from repositories; ergo it’s safe.
Related Comments (5)
Hello,
I’m a developer from the Autopackage project. Just wanted a chance to respond:
And how is this our problem? We’ve tried to get the Autopackage support code into distros, and been turned down every time. Bugs we file that would make it possible to install software into /usr/local are closed WONTFIX, and posts to distro mailing lists about distro bugs spiral into Autopackage flames. You can create “sealed” Autopackages, which means that the Autopackage support code is included with the package. When you run the package, the support code is installed automatically without having to download anything.
I’m not sure what you mean by “Use Adept or Synaptic”, so I can’t respond to that…
Mike Hearn (the maintainer of Autopackage) wrote a blog entry about Autopackage and if it’s secure. Read “are distros secure?” in that post. Are distros really secure? No, not really.
This can be argued either way. One of the reasons that Linux/UNIX does not have a huge epidemic of viruses is that programs are not writable by the people who run them. In the Windows world, a program has write access to all the other executables and DLLs on that machine, making it easy for viruses to spread from one program to another. In the Linux world, all binaries are owned by root, but run by other normal users. Therefore, infection cannot spread from one binary to another.
Autopackage allows you to install programs locally into $HOME. Just click “No Password” when prompted for your root password.
Actually, it can resolve dependencies on the fly. Try a package like GScore or AbiWord or OpenTTD or LincityNG.
Autopackage resolves dependencies through a distributed network, instead of relying on a repository. The autopackage contains information about where the latest version of its dependencies can be found. If the dependency is not available on the local system, then it is automatically downloaded and installed. This way, Autopackage is not reliant on any sort of centralized repository.
Aside from those points, I’d like to point out that as it is a stupid user can grab a .deb or .rpm for any old thing and install it on their system (provided they grab the right kind of binary). This doesn’t make them any more likely to get hit with a virus. It’s a universal binary. Any jerk can write a program that’s a virus, claim it’s a great new game, and package it as a .rpm. Next thing you know, any Fedora user who clicks it is screwed. Ditto on .deb. Any binary can have that problem, and unless you READ the source of every program you compile, even the source ones can be bad news. I call FUD on the “it’s not secure” claim.
Oh, how is Windows’ “download and double click” any different than what Autopackage does? Windows makes you hit “next” 30 times. Autopackage is even easier. It just goes.
I agree; autopackage is dumb.
At least if a virus writing jerk makes a Fedora package, it probably won’t affect the type of Ubuntu user dumb enough to want to install it, and vice versa.
At least a deb file isn’t an executable... it’s an archive. I can inspect it and see what it will install easily. On Windows, I must run executables–ones that I cannot even attempt to inspect–as root to install things all the time, and that makes me edgy! I can’t wait to feel the same way about Linux, amirite guys?
At least our existing repositories don’t promote a double click and run mentality that has plagued Windows. Those people are coming to Linux and soon. Do we really want to welcome them AND their old habits? The software in the repositories is safe, and the newbies should/will stick to that until they realize they don’t have to. I hope that by then, they’ll understand that they should be cautious about where they get their software.
At least our current packaging system keeps our software up to date.
All in all, Autopackage seems like a big step backwards. It’s the Windows way for Linux, and I feel like Windows got everything wrong about packaging. OS X style application bundles seem like a better approach to distribution agnostic packages to me. But I definitely feel like every open source app developer should strive to get their software in distributions repositories where users feel like they can trust your software, install it easily, and have it updated automatically.
The Autopackage people are right to want to define “Desktop Linux 1.0” though.
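The inspection mentioned in the comment above, as an added example that is not part of the original page or of any project's code: it reads a .deb as an ar archive and lists the payload paths together with any maintainer scripts in the control archive, which dpkg runs as root during installation. The sample package, its contents and all function names are constructed for illustration.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}  # run by dpkg as root

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):  # 60-byte header: name is bytes 0-15, size is 48-57
        name = blob[pos:pos + 16].decode("ascii").strip().rstrip("/")
        size = int(blob[pos + 48:pos + 58].decode("ascii"))
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2  # member data is padded to an even length

def tar_files(data):
    """List regular-file paths in a tar member; 'r:*' auto-detects gzip/bzip2/xz."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return sorted(m.name.removeprefix("./") for m in tar if m.isfile())

def inspect_deb(blob):
    """Return (maintainer_scripts, payload_paths) without running anything."""
    scripts, payload = [], []
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):
            scripts = [f for f in tar_files(data) if f in MAINTAINER_SCRIPTS]
        elif name.startswith("data.tar"):
            payload = tar_files(data)
    return scripts, payload

def _tar_gz(files):  # sample builder only
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("./" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar(members):  # sample builder only
    return AR_MAGIC + b"".join(
        b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (n, 0, 0, 0, b"100644", len(d)) + d + b"\n" * (len(d) % 2)
        for n, d in members)

SAMPLE_DEB = _ar([(b"debian-binary", b"2.0\n"),  # constructed sample, not a real package
    (b"control.tar.gz", _tar_gz({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\n"})),
    (b"data.tar.gz", _tar_gz({"usr/bin/demo": b"#!/bin/sh\n"}))])
```

Calling `inspect_deb(open(path, "rb").read())` on a downloaded file gives the same two lists; a non-empty script list means code will execute as root at install time even though the package itself is only an archive.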