Date: Mon, 23 Oct 2000 12:19:38 -0700
From: Tim Kientzle <kientzle@acm.org>
To: Alexander Langer <alex@big.endian.de>, libh@freebsd.org
Cc: "Jordan K. Hubbard" <jkh@freebsd.org>
Subject: Re: BOF at BSDCon: FreeBSD Installer, Packages System
Message-ID: <39F48F4A.38D458C2@acm.org>
References: <39DCC860.B04F7D50@acm.org> <20001006155542.A29218@cichlids.cichlids.com> <39F3CDD7.15B889E7@acm.org> <20001023190412.B507@cichlids.cichlids.com> <39F47E98.4BB647AA@acm.org> <20001023202244.B10374@cichlids.cichlids.com>

Alexander Langer wrote:
> I've set up a small webpage what describes everything you need to
> begin with libh.
> http://people.freebsd.org/~alex/libh/

Well, looks like I'll not be contributing for a while, then,
given that upgrading to 4.1 is not yet a real possibility
for me. (Downtime plus the inevitably painful package upgrades
that have followed every update I've done. ;-)

However, I noticed that you repeated Jordan's initial draft
specification. I can give a little feedback on that:

* ZIP access? Have you written your own, or just incorporated
  pre-written libraries? The official ZIP specification puts
  all of the archive directory information at the _end_ of the
  archive; which is not particularly compatible with streaming.
  (In particular, you can't easily get a list of all files from
  a streamed archive without simply going through the entire
  archive; in this respect, ZIP is not an improvement over tar.gz.)

  Also, have you done anything to address ZIP's relatively poor
  compression? (tar.gz files are consistently much smaller than
  ZIP files; this is very important for package/distribution files).

  Finally, does the ZIP implementation you're using support
  hard/soft links? (Some packages rely on links heavily; just
  duplicating the files is not a good idea.)

  A better approach, in my opinion, is to stick with tar.gz, but
  with a slight twist: put the manifest/package definition
  information first (possibly just a free-form text file and/or
  install script?) followed by the tar.gz data. That gives you
  the package/distribution info up front where you need it, while
  preserving tar.gz's tight compression for the bulk of the data.
  tar.bz2 might be even better, though I'm unsure of the status of
  the bzip2 compression algorithms.

* Consolidating package/distribution formats needs to be done
  carefully. In particular, there are different security issues:
  e.g., packages should generally be prohibited from dropping
  bits into /bin or /etc.

* An idea that gets floated around periodically, but never
  apparently taken seriously: packages should install into
  private directories. /usr/local is becoming a real tarpit.
  Instead, package foo-3.4 should be contained _entirely_
  (with few exceptions) in /usr/packages/foo-3.4/

  Many people (including myself) have experimented with this
  type of scheme, and it simplifies a lot of issues:

   * it removes the need for a temporary installation directory,
     while still permitting easy rollback

   * simplifies a number of security issues (for example, you
     can compute an MD5 checksum of the tar.gz data while
     unpacking it to the target directory and simply delete the
     entire directory if the checksum fails)
     Handling these issues while still supporting streaming is
     tricky without this sort of framework.

   * It removes much of the need for a separate "package database".
     In particular, very few individual files ever need to go
     into such a database.

Feedback appreciated...

 - Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-libh" in the body of the message
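
The checksum-while-unpacking scheme from the message above, as an added Python sketch; it is not part of the original e-mail and is not libh code. The names install_package, HashingReader and build_sample_package are hypothetical, a temporary directory stands in for /usr/packages, and this version accepts only regular files and directories.

```python
import hashlib, io, os, shutil, tarfile, tempfile

class HashingReader:
    """Pass-through reader that hashes every byte the unpacker consumes."""
    def __init__(self, raw, algo):
        self.raw, self.digest = raw, hashlib.new(algo)
    def read(self, n=-1):
        data = self.raw.read(n)
        self.digest.update(data)
        return data

def install_package(stream, expected_hex, packages_root, name, algo="md5"):
    """Unpack a tar.gz stream into packages_root/name; remove it all on failure."""
    dest = os.path.realpath(os.path.join(packages_root, name))
    os.makedirs(dest)  # raises if already installed, so rollback never deletes old data
    reader = HashingReader(stream, algo)  # md5 as in the message; any hashlib name works
    try:
        with tarfile.open(fileobj=reader, mode="r|gz") as tar:  # "|" = stream, no seeking
            for member in tar:
                target = os.path.realpath(os.path.join(dest, member.name))
                if os.path.commonpath([dest, target]) != dest:
                    raise ValueError("member escapes package directory: " + member.name)
                if not (member.isfile() or member.isdir()):
                    raise ValueError("unsupported member type: " + member.name)
                tar.extract(member, path=dest)
        while reader.read(65536):  # hash any bytes the tar reader left unread
            pass
        if reader.digest.hexdigest() != expected_hex.lower():
            raise ValueError("checksum mismatch")
    except Exception:
        shutil.rmtree(dest, ignore_errors=True)  # rollback = delete one directory
        raise
    return dest

def build_sample_package(files):
    """Constructed sample input: an in-memory tar.gz of {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_sample_package({"bin/foo": b"#!/bin/sh\n", "README": b"foo 3.4\n"})
    root = tempfile.mkdtemp()  # stands in for /usr/packages
    print(install_package(io.BytesIO(blob), hashlib.md5(blob).hexdigest(), root, "foo-3.4"))
```

The path check also enforces the earlier point that a package must not drop files outside its own directory, such as into /bin or /etc.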