0install Reaches 2.0

timothy posted about 2 years ago | from the whole-and-even-and-prime dept.

Open Source 61

tal197 writes "Zero Install, the decentralized cross-platform software installation system, announced 0install 2.0 today after 2 years in development. 0install allows authors to publish directly from their own web-sites, while supporting familiar features such as shared libraries, automatic updates, dependency handling and digital signatures. With more than one thousand packages now available, is this finally a viable platform?"

A viable platform (-1)

Anonymous Coward | about 2 years ago | (#43078711)

A viable platform for what?

I have no idea what this thing does or why I would use it.

Re:A viable platform (1)

Tarlus (1000874) | about 2 years ago | (#43078757)

Perhaps they mean, as a viable alternative to whatever package management system (or "app store") is unique to your given OS/distro? If that's the case, then my answer would be, no.

Re:A viable platform (1)

ByOhTek (1181381) | about 2 years ago | (#43078803)

Not being familiar with it - why do you say "no"?

OK - it needs to have sufficient software, but aside from that, a multi-platform software package manager sounds rather nice, compared to the usual "this is my playground and my playground ONLY" crap.

Re:A viable platform (2)

shadowrat (1069614) | about 2 years ago | (#43078987)

i think the parent was pointing out that apple is never going to allow a 3rd party package manager on ios. because of their success, it looks like the other players (ms, google, etc) are trying to get a similar ecosystem. So, while the project seems like a good idea, the bleak future may be devoid of platforms where such a project could be installed anyway.

Great Ideas Fail All The Time (2, Informative)

Anonymous Coward | about 2 years ago | (#43079013)

It's similar in concept to a decentralized app store or repository. It sounds like a great idea. It sounds like it frees your system from the "clutches" of your distro's repository.

But, like many other great ideas, it fails in the cold daylight of reality.

In order for it to work, the software developer has to not only publish their software on the Zero Install system, they have to publish their software for ALL the distros on it. But, we all know well that most software developers regard this as far too cumbersome an undertaking and will instead publish only a single or couple of binaries. That leaves out countless other distros and causes the Zero Install concept to fall apart.

But, there's another issue. Most distro repositories don't simply have 1,000 apps. They have multiple thousands of apps. And all of those apps are compiled specifically for that distro and therefore "guaranteed to work" with your distro.

Simply put Zero Install lacks enough apps, for enough different distros, for anyone to really care about it. It's a niche player in a shrinking pool.

I am reminded of an RPM based alternative package manager distro that was "so much better" and was adopted by several big players. It might have had live kernel patching too. Yet I cannot remember the name or find it with my Google foo. It was supposed to change everything because it was so much better and, although I'm sure it's still around, "nobody" uses it.

Re:Great Ideas Fail All The Time (1)

tal197 (144614) | about 2 years ago | (#43081865)

In order for it to work, the software developer has to not only publish their software on the Zero Install system, they have to publish their software for ALL the distros on it. But, we all know well that most software developers regard this as far too cumbersome an undertaking and will instead publish only a single or couple of binaries.

Of course, that's not an issue for programs written in Python, Ruby, Java, etc.

For C, you can also publish a source version and let the users compile (with 0install handling the build dependencies). Also, if someone wants to set up a build farm for a particular platform, they can use these source packages to create binaries automatically (e.g. for PPC binaries).

Producing separate binaries for different distributions (e.g. Ubuntu and Fedora) isn't necessary; one binary should work everywhere. The exception would be if the distributions compiled the libraries with incompatible options, but that doesn't tend to happen these days. If it does, specify the dependency as distribution="0install" to force the use of a 0install version rather than the distribution package.

Re:Great Ideas Fail All The Time (0)

Anonymous Coward | about 2 years ago | (#43082273)

Producing separate binaries for different distributions (e.g. Ubuntu and Fedora) isn't necessary; one binary should work everywhere.

Ahahahahahahah

Re:Great Ideas Fail All The Time (2)

Yfrwlf (998822) | about 2 years ago | (#43095579)

You're confused and don't understand what Zero Install is. Maybe the feature list needs to be worded better, but it is infinitely better than "an RPM alternative" because it can run ALONGSIDE an existing package manager. Zero Install can be used on ANY DISTRO and can ADD TO that distro, so it will expand the number of packages that are accessible to users. If I release my software for Zero Install it means any user will be able to install it easily, get automatic updates, uninstall it easily, potentially share libraries with other programs, etc. That is better than a bunch of binaries laying around because you don't get all those features and nice cleanup with just releasing an archive of a binary your users run, and then you'd have to implement automatic updates in your binary as well.

So who cares if Zero Install doesn't have every app under the sun yet, the key part is that every app it does have will be available for anyone to use in any distro as long as those files and dependencies are hosted.

No more "you can't run this because you don't have glib.blahblahpoop", as long as it was packaged with the dependencies it will work for all Linux users.

Linux needs to be a proper single platform to unify community software efforts. I don't want my software to go unused and to not be of help to anyone just because 1970's UNIX fragmentation BS gets in the way of things.

Sounds great to me (1)

h00manist (800926) | about 2 years ago | (#43185605)

Seems to help programmers a lot. They can publish on their own site a single set of files and specifications for all platforms to manage installation and package creation. Packaging teams can use it to make their life easier.

Re:A viable platform (0)

Anonymous Coward | about 2 years ago | (#43078835)

Thanks for the explanation.

I am happy with my current package management system (synaptic and the other wossname in Mint)... But since they don't want to replace it, but instead just complement it, I see no objection.

My biggest objection is that I do not trust anything on the internet... I wonder who is doing the quality control, to keep the spyware (mostly for Windows users I think) or other trash out, and who checks whether software actually works. I only need to find something crappy once, and I will avoid the whole site like the plague...

Re:A viable platform (0)

Anonymous Coward | about 2 years ago | (#43078973)

You don't trust anything on the internet except blindly trusting your distro's package repo.

Who's doing quality control? Hopefully not you.

Re:A viable platform (1)

bluefoxlucid (723572) | about 2 years ago | (#43078793)

That's why you do a decision analysis.

Re:A viable platform (1)

Timmmm (636430) | about 2 years ago | (#43079889)

For publishing software directly from author's web-sites, while supporting familiar features such as shared libraries, automatic updates, dependency handling and digital signatures.

But you're just a typical naysayer, always naysaying.

Q: Is this finally a viable platform? (0)

Anonymous Coward | about 2 years ago | (#43078743)

A: No

1.000 vs. 30.000 packages (0)

Anonymous Coward | about 2 years ago | (#43078811)

I think I'll stick with apt, thankyouverymuch. And cross platform is only useful if you use more than one platform...

Re:1.000 vs. 30.000 packages (1)

Anonymous Coward | about 2 years ago | (#43079191)

The cross platform part is more a benefit for publishers. So if you're publishing a cross platform application, you can use this system to streamline the distribution process. Not a terrible idea though the majority of applications are not cross platform in the first place, so it's hard to see this system being used.

Re:1.000 vs. 30.000 packages (1)

h00manist (800926) | about 2 years ago | (#43185537)

Cross platform is also a major benefit to system administrators.

Over 1000?! (5, Funny)

L4t3r4lu5 (1216702) | about 2 years ago | (#43078853)

That's 1/9th any kind of milestone I will accept as important or impressive. Come back later.

package management (0)

Anonymous Coward | about 2 years ago | (#43078869)

yum or apt-get do a similar thing.. and there is more chance that the installed package will work

Viable? LOL. (-1)

Anonymous Coward | about 2 years ago | (#43078917)

What does this give me that Apple's app store doesn't? Note that I could not give a shit LESS about Windows or Linsux support. I only care about selling my software to the only desktop platform that matters.

Re:Viable? LOL. (0)

Anonymous Coward | about 2 years ago | (#43078961)

You mean you only care about the platform where users actually buy* software? I'm shocked!

Windows users will pirate your software.
Linux users will expect your software to be gratuit and libre**.

French words need to be used because English is an imprecise language designed for the lowest common denominator.

Re:Viable? LOL. (1)

fnj (64210) | about 2 years ago | (#43080689)

French words need to be used because English is an imprecise language designed for the lowest common denominator.

Sheesh. English is just as precise if you use it correctly. In some particular cases you may need to use a few more words. Words are free; don't be afraid. Anyway, if you want to be absolutely anal about precision, you want German, not French.

For "gratuit", just say "free of cost" or "free of charge".

For "libre" just say "free to inspect and modify the source".

Re:Viable? LOL. (0)

Anonymous Coward | about 2 years ago | (#43087527)

The fact that you need more than one English word to describe a single French word should give you a hint.

Re:Viable? LOL. (1)

Chris Mattern (191822) | about 2 years ago | (#43081327)

French words need to be used because English is an imprecise language designed for the lowest common denominator.

Aw, your French pride is hurt just because you don't get to say, "Free as in beer".

What a name (1)

Anonymous Coward | about 2 years ago | (#43078933)

Something about calling your installer platform "Zero install" seems disingenuous. :)

Though the summary mentions something I've been thinking a lot about lately, and that's shared libraries. 99.5% of the time when I have trouble getting something to work in linux it comes down to a nasty spaghetti-like mess of libraries and their recursive dependencies. Sometimes some pieces of software have difficulty coexisting because they depend on different versions of supporting libraries.

I understand that a lot of package managers do a lot of work to solve these problems but every modern Linux system I've used seems.. Fragile. As in it doesn't take much to topple the careful house of cards the package manager has constructed, and turn the whole install into an unusable mess.

I understand the benefits of shared libraries, but storage space is dirt-cheap today and I think a lot of problems might be solved simply by letting lots of pieces of software bundle their favorite versions of dependent libraries. You know, the "app store" approach where each application lives in its own sandboxed little world. I know there are security implications to having old libraries laying around, but sandboxing does seem to do a pretty good job at mitigating damage.

I know people have issues with Apple and their app store, but damn is it ever easy to download and run software. Which is the point of having a computer. Right?

Re:What a name (1)

iroll (717924) | about 2 years ago | (#43080201)

So apps from the App store don't use the shared libraries provided by the operating system? Which are updated by the operating system's update utility? News to me.

Re:What a name (5, Interesting)

Jeremi (14640) | about 2 years ago | (#43080781)

I understand the benefits of shared libraries, but storage space is dirt-cheap today and I think a lot of problems might be solved simply by letting lots of pieces of software bundle their favorite versions of dependent libraries.

Or, how about this: Instead of linking to shared libraries by their filenames, applications specify the shared libraries they'd like to link to via md5 hashes of the libraries' contents. The linker checks its shared-library database-index (which could just be a directory whose directory-entries are md5 hash codes) to see if it has a shared library with that md5 hash installed; if yes, it links the application process to it; if no, it auto-downloads the shared library with that hash from the web repository, installs it, and then links the application process to it.

The advantages would be:

No library collisions, ever (well, to the extent that md5 hashes are unique, anyway).
No version mismatches, ever (each app will always run using the libraries it was built against, and no others).
No mucking about with LD_LIBRARY_PATH (as all shared libraries are auto-stored for you)
No manually installed missing libraries (they will instead be installed as necessary, on demand)
No space wasted by multiple copies of the same library present on your disk at once

Some possible disadvantages:

No way to "patch" behavior of multiple applications by upgrading only a shared library they link to (you'd have to upgrade each of the applications instead, so that they reference the new library version's md5 hash)

Possible security issues from auto-installing shared libraries with malicious code (although arguably you either trust a developer enough to install his program, or you don't; the mechanics of how different parts of the program are installed aren't necessarily relevant)
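
Added example (not part of the thread or of 0install's code): a sketch of the hash-indexed library directory proposed in the comment above, with the fetched bytes checked against the requested digest before they are installed. SHA-256 stands in for the md5 named in the comment, and `LibraryStore`, its `fetch` callback and the sample library contents are hypothetical names and constructed data.

```python
import hashlib
import os
import re
import tempfile

# Only well-formed digests are accepted as store entry names; this also keeps
# path separators and ".." out of the path built in resolve().
DIGEST_RE = re.compile(r"sha256=[0-9a-f]{64}")


class DigestMismatch(Exception):
    """Fetched bytes do not hash to the digest the application asked for."""


def digest_of(data: bytes) -> str:
    return "sha256=" + hashlib.sha256(data).hexdigest()


class LibraryStore:
    """Directory whose entry names are the digests of the files' contents."""

    def __init__(self, root, fetch):
        self.root = root
        self.fetch = fetch  # hypothetical repository client: digest -> bytes

    def resolve(self, wanted: str) -> str:
        """Return the path of the library with this digest, fetching if absent."""
        if not DIGEST_RE.fullmatch(wanted):
            raise ValueError("malformed digest: %r" % wanted)
        path = os.path.join(self.root, wanted)
        if os.path.isfile(path):
            return path  # already installed, shared by every application
        data = self.fetch(wanted)
        actual = digest_of(data)
        if actual != wanted:
            # The repository (or a mirror in between) returned other content.
            raise DigestMismatch("wanted %s, got %s" % (wanted, actual))
        # Write to a temporary name, then rename, so a crash never leaves a
        # partial file under a valid digest name.
        fd, tmp = tempfile.mkstemp(dir=self.root)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
        return path

    def audit(self):
        """Re-hash every entry; return names whose contents no longer match."""
        bad = []
        for name in sorted(os.listdir(self.root)):
            with open(os.path.join(self.root, name), "rb") as f:
                if digest_of(f.read()) != name:
                    bad.append(name)
        return bad


def demo():
    good = b"constructed libexample.so.1 contents"       # constructed sample
    wanted = digest_of(good)
    other = digest_of(b"constructed libother.so.2 contents")
    # Constructed repository: the second entry simulates a tampered mirror.
    repo = {wanted: good, other: b"substituted by a tampered mirror"}
    downloads = []

    def fetch(d):
        downloads.append(d)
        return repo[d]

    with tempfile.TemporaryDirectory() as root:
        store = LibraryStore(root, fetch)
        first = store.resolve(wanted)
        second = store.resolve(wanted)  # served from the store, no download
        try:
            store.resolve(other)
            rejected = False
        except DigestMismatch:
            rejected = True
        installed = sorted(os.listdir(root))
        with open(first, "ab") as f:    # simulate on-disk modification
            f.write(b"!")
        return {
            "shared": first == second,
            "downloads": len(downloads),
            "rejected": rejected,
            "only_verified_installed": installed == [wanted],
            "audit_flags_modified": store.audit() == [wanted],
        }


if __name__ == "__main__":
    print(demo())
```

The check only binds the content to the digest the application shipped with; whether that content is trustworthy still depends on trusting the developer who chose the digest, which is the caveat the comment itself raises.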

Re:What a name (1)

tal197 (144614) | about 2 years ago | (#43081731)

To get the hashes of the latest compatible versions, you could use 0install. e.g. to find the hashes for the dependencies of the SAM program:

$ 0install select http://www.serscis.eu/0install/serscis-access-modeller
- URI: http://www.serscis.eu/0install/serscis-access-modeller
  Version: 0.16-post
  Path: /home/tal/work/serscis-access-modeller/serscis-access-modeller-any-any

  - URI: http://repo.roscidus.com/java/iris
    Version: 0.6.0
    Path: /var/cache/0install.net/implementations/sha1new=daf7bfada93ec758baeef1c714f3239ce0a5a462

  - URI: http://repo.roscidus.com/java/swt
    Version: 3.6.1
    Path: /var/cache/0install.net/implementations/sha1new=bb9479c20f7684b9423be7d76194929e9b6fb690

  - URI: http://repo.roscidus.com/utils/graphviz
    Version: 2.30.1-1
    Path: (package:arch:graphviz:2.30.1-1:x86_64)

  - URI: http://repo.roscidus.com/java/openjdk-jre
    Version: 7.13-2.3.7-2
    Path: (package:arch:jre7-openjdk:7.13-2.3.7-2:x86_64)

(so, on my system, graphviz and the JRE are provided by the system, while IRIS and SWT give the required hashes)

Re:What a name (1)

TheRealMindChild (743925) | about 2 years ago | (#43082469)

This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it. Locking in a specific version via hash would be functionally no different than just statically compiling the library into the binary. Then what is the point at all?

Re:What a name (1)

Jeremi (14640) | about 2 years ago | (#43087827)

This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it.

Yes, you're quite right, but that's a tradeoff that might be worth making. Upgrading a shared library that an application already is using is a risk, since after the upgrade you are running an application in a configuration that its developer never tested against. Better perhaps to have the developer upgrade his application to the new version of the shared library, let him test it thoroughly, and then when he has released his new app version, download it (at which point it would auto-download the new shared library version that it is linked against).

Locking in a specific version via hash would be functionally no different than just statically compiling the library into the binary.

True.

Then what is the point at all?

1) Avoid any chance of "DLL Hell"
2) Save disk space
3) Reduce download size
4) Allow the use of LGPL libraries in non-(L)GPL software

But mostly (1). Keep in mind this idea is an alternative to the previous poster's suggestion of packaging a copy of every shared library along with the application that uses it -- which would also be functionally equivalent to static linking, but without the benefits 2 and 3.

Re:What a name (1)

Yfrwlf (998822) | about 2 years ago | (#43105097)

With Zero Install the packager can make the dependencies be whatever they want including the version numbers. If they didn't trust a library to not break things, they could even set the version == (require only that version and no other) if they wanted. The user can also force different versions to be used than the recommended one in case they ever disagreed with the packager.

Re:What a name (0)

Anonymous Coward | about 2 years ago | (#43084847)

Hi, yes, your solution has all the performance and complexity problems of dynamic linking while being even less flexible than static linking.
Do the opposite. Link applications statically. Distribute linkable objects and invoke the linker as the final step of installing a program from a binary package. Most of the benefits of dynamic linking and missing only a single benefit of static linking: programs wouldn't be self-contained. But oh well, you can always distribute BOTH the linkable objects and pre-linked, ready-to-run-right-now executable.

Re:What a name (0)

Anonymous Coward | about 2 years ago | (#43091287)

I remember running across a package manager that did this, I think guix or a similar project.

Re:What a name (1)

KiloByte (825081) | about 2 years ago | (#43107301)

... no security fixes to libraries, ever.

Just read the recent discussion about including golang in Debian. Pretty much just its promoter considered introducing a compiler with no support for proper dynamic libraries to be acceptable, and dynamic libraries accessed via hash are effectively static for all purposes other than disk/memory usage.

If there's a bug in libpng, what do you do? It has thousands of reverse dependencies, many directly and yet more transitively. A good deal of bugs there can be exploited via a crafted image. With static or by-hash linking, you need to rebuild and reinstall world every single time. That's beyond ridiculous.

And if you'd say libpng is not so bad, just ponder a security issue in libc6.

Re:What a name (1)

CastrTroy (595695) | about 2 years ago | (#43080975)

I very much agree with this. The programs (which weren't included with the distro) that I've had the least problems installing on Linux were the ones that throw in everything in the installer and use all their own libraries. Anything else just leads to dependency hell. Once, I was trying to install a new version of MySQL server, and couldn't install it because it wanted a newer version of the MySQL client library than what KDE was using. To remove the existing MySQL client library in order to upgrade, I would have had to remove KDE.

Re:What a name (1)

carnalforge (1207648) | about 2 years ago | (#43081167)

Seems you weren't using your distro's packages. If so, you could have installed the new version of MySQL client and server to another path, /opt perhaps. Or did I miss something?

Re:What a name (-1)

Anonymous Coward | about 2 years ago | (#43082091)

sounds like your distro sucks or you weren't using their package manager.

Re:What a name (0)

Anonymous Coward | about 2 years ago | (#43082061)

It's not just a storage space issue, it's a performance issue. If every executable needed its own copy of a library, memory use would increase dramatically.

Slashvertisement? (3, Informative)

UnoriginalBoringNick (1562311) | about 2 years ago | (#43078945)

As the third of tal197's four slashdot submissions was entitled "Zero Install Project Makes 1.0 Release" [slashdot.org] , can I assume this is just an advertisement?

Re:Slashvertisement? (1)

Anonymous Coward | about 2 years ago | (#43079189)

Not to mention that the hyperlink making up his username in that story leads directly to the Zero Install website...

Plus, isn't Slashdot supposed to be a news *aggregator*? Nothing in this story leads to an article, just the project's homepage.

Re:Slashvertisement? (1)

Timmmm (636430) | about 2 years ago | (#43079897)

No; 0install isn't a commercial project.

Re:Slashvertisement? (3, Insightful)

Sez Zero (586611) | about 2 years ago | (#43080003)

No; 0install isn't a commercial project.

You know you can advertise a non-commercial project, right?

Re:Slashvertisement? (1)

dkleinsc (563838) | about 2 years ago | (#43080081)

It's still an advert, this time saying "Please download my project" rather than "Please buy my product". The payoff is the validation from his users that his efforts were actually worth something, rather than cold hard cash.

Re:Slashvertisement? (0)

Anonymous Coward | about 2 years ago | (#43080267)

There are Slashdot posts about software updates all the time. But if it's posted by someone not associated with the project/product it is okay?

Re:Slashvertisement? (2)

dcooper_db9 (1044858) | about 2 years ago | (#43081797)

The best kind of ad, in my opinion. One of the reasons I follow slashdot is to learn about new developments in IT.

A successful project needs to attract enough developers to keep it going, and that means promotion of one kind or another. The commercial world can buy advertising. Slashdot is providing a valuable service by helping non-profit projects reach out to potential contributors and consumers.

This project is interesting to me because it tackles a problem I'd been considering recently. I use Canonical's repositories to update my software. In many cases Canonical does not include the most recent version of an application in their stable repositories. For example, I found that the stable repositories were a full two releases behind the stable release of KDE. That meant it was not just missing new features, but also missing important bug fixes. The repositories also have Samba 4 Alpha 18 approximately three months after Samba 4.0 was released. Sometimes I can get the updates from backports, other times I have to go looking for a PPA. Sometimes the newest release isn't even available from a PPA or it's impossible to determine if the PPA is trustworthy.

I'm not knocking Canonical for this. They provide an important and valuable service by reviewing each project and (hopefully) addressing problems before including them in the stable repositories. Many smaller projects have limited resources for testing and while I trust their intentions they might miss something Canonical would catch. But in the case of KDE and Samba, I trust that both organizations have done a reasonable job of testing before they release a stable version. I'd prefer to bypass the central repositories and download new versions directly. It appears that with Zero Access installed I could do that (for supported projects) easily and with minimal risk to my system.

Re:Slashvertisement? (0)

Anonymous Coward | about 2 years ago | (#43084887)

Even so, it is a useful one anyway so it doesn't count as anything even remotely bad.

I'd rather this than Yet Another Microsoft Being Stupid thread, or Hey Now You Can Mine Bitcoins While You Walk!, or the always brilliant, The Pirate Bay Is Now Hosted From The American Government!

Something Useful from a news story is always welcome. Especially if it is actually useful.

No. (1)

vikingpower (768921) | about 2 years ago | (#43078975)

One look at the package list says it all.

Re:No. (3, Insightful)

Timmmm (636430) | about 2 years ago | (#43079909)

I don't think it is designed to be the one-repository-to-rule-them-all, debian style. In fact I think it is partly a reaction to the fact that that model doesn't work well in many cases.

Re:No. (0)

Anonymous Coward | about 2 years ago | (#43080133)

Debian allows for other repositories, Debian style.

Re:No. (1)

Yfrwlf (998822) | about 2 years ago | (#43106659)

Which have to perfectly align with the original ones and can totally mess everything up if you're not careful, a fact I had direct experience with when the xorg-edgers repo completely effed up my installation and even after backing things out I ended up having to reinstall.

Meanwhile, Zero Install keeps each app separated and sandboxed and you could argue that it is better than adding a repo.

I'll be the voice of dissent (0)

Anonymous Coward | about 2 years ago | (#43079007)

I think it looks like a neat idea and I look forward to trying it out when I get home. They may not have a ton of apps yet, but conceptually, I like it.

never heard of it... so.. (0)

Anonymous Coward | about 2 years ago | (#43079363)

sorry.. but NO.

Interesting technology, needs PR (3, Insightful)

loufoque (1400831) | about 2 years ago | (#43080279)

The technology is interesting. It's fully decentralized, works even on Windows, offers Mac-style drag and drop images, uses a full SAT solver for dependency resolution...

What it needs is better marketing.

Re:Interesting technology, needs PR (0)

Anonymous Coward | about 2 years ago | (#43081611)

This. I'm disappointed that Ubuntu didn't pick it up. 0install has exactly what makes Windows popular, the ability to just click a URL and download a package. Yes you can download deb packages but it doesn't work as seamless as 0install, for starters, the deb package is distro specific.

Re:Interesting technology, needs PR (1)

Yfrwlf (998822) | about 2 years ago | (#43105209)

Right, but Ubuntu and others will never package Zero Install by default unless it started getting wider adoption because of two factors:

1. More apps need to start using it so it gets in higher demand.
2. Ubuntu and others benefit from market fragmentation. By having all the software in their repos which aren't compatible with other distros, that pulls users to their platform just for software access. This is of course contrary to what the free software and ubuntu philosophies are all about.

So for those who actually care about free software and about all users being able to access software, please help out Zero Install since it seems to be leading the rest of the cross-distro packaging solutions in features and momentum.

Worth a try? (1)

kermidge (2221646) | about 2 years ago | (#43081639)

Installs ok, haven't tried it out yet.
Wonder why it needs to remove "python3-aptdaemon.pkcompat" if it says it does its stuff without messing about with a system's libraries, tho.

Re:Worth a try? (1)

tal197 (144614) | about 2 years ago | (#43081917)

I have an idea the .deb package recommends "packagekit". If that conflicts with "python3-aptdaemon.pkcompat", I guess your package manager might offer to remove it. You could try using --no-install-recommends.

If you try to install a program that needs a library that is only available through your distribution, then 0install will offer to install it using PackageKit, if PackageKit is available.

Re:Worth a try? (1)

kermidge (2221646) | about 2 years ago | (#43085765)

Thanks for the info. I am decidedly unsophisticated at this stuff.

Lack of Awareness (0)

Anonymous Coward | about 2 years ago | (#43081777)

Ever heard of InstallAware? It's light years ahead of any other installer.

Re:Lack of Awareness (0)

Anonymous Coward | about 2 years ago | (#43087971)

Really? I see no support in it for anything but Windows, and it seems to have more steps than 0install. What would your definition of 'light years ahead of any other installer' be considering that it appears entirely worse than what this page shows?

Re:Lack of Awareness (0)

Anonymous Coward | about 2 years ago | (#43091585)

Ever heard of InstallAware? It's light years ahead of any other installer.

InstallAware support seems to be unable to react to any problem report with anything other than "you'll have to upgrade to a new version". The scripting is some of the most batshit insane I've ever seen. The GUI is an unholy mess where trying to find the important bits among all the useless crud is an adventure all to its own. It generates an inordinate amount of intermediate files on disk for the project. It has a strange opaque way of handling built-in common dependencies (source of many of those problems answered with "you'll have to upgrade to a new version" instead of a fix).
But yeah, there are one or two things it does better than some other installer generators, like the ability to download dependencies from a server.
