Re: [LUG] Grism.org

On Fri, 11 Dec 2009 20:36:28 +0000
Rob Beard <rob@xxxxxxxxxxxxx> wrote:

> Neil Williams wrote:
> > On Fri, 11 Dec 2009 20:17:26 +0000
> > Rob Beard <rob@xxxxxxxxxxxxx> wrote:
> >
> >   
> >> Okay, what you need to do is go to the Grism web site, select the 
> >> Download option and then click on:
> >>
> >> grism_0.9.0-1_all.deb
> >>     
> >
> > Please don't do that.
> >
> > Random .debs from random websites are as dangerous as any virus in
> > windows and will likely cause long term havoc in your wider
> > installation, including blocking future updates and upgrades, even
> > security ones.
> >
> >   
> The other option I guess is he could compile from source.  It doesn't 
> appear to be in the Ubuntu repositories, at least not in the main 
> repositories.

Yes, that's true. It also means that should the package start to get in
the way, you can rebuild the package. Hopefully, updating the
build-deps will allow the package to be updated and installed, freeing
the rest of the upgrade to proceed.

Building from source isn't trivial but, once again, security is the
enemy of convenience.

It is convenient to download a pre-built .deb but it is not only
insecure, it is a positive hindrance to normal upgrade behaviour across
the rest of the distribution.

The only real answer is to get someone to package it properly for
Debian and therefore Ubuntu. If upstream don't have time to fully
engage with Debian (and many don't), then they should be persuaded not
to add to users' problems by offering a poor quality hack posing as
a .deb file.

The same goes for RPMs - a while ago I investigated offering .rpm for
packages that I maintain upstream (because I upload the .deb to Debian
directly). After conversations with actual Fedora users, I was
persuaded that this was a VERY bad idea, extremely unhelpful to
potential users and an invitation to make a lot of unnecessary work for
myself.

Packaging is not trivial - it can be a lot of work. This has several
consequences:

1. Distributions work and can be fixed
2. Packaging for a distribution means keeping up to date with that
distro
3. Packaging requires work and commitment
4. Any method that circumvents that work means that your distribution
can fail to work and cannot be fixed.

(There have been instances where downloaded .debs cannot be removed,
cannot be purged, cannot be reinstalled, cannot be configured, cannot
be fixed without extreme amounts of hassle.)

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

Attachment: pgpdfqnXoVVJq.pgp
Description: PGP signature
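The message above argues that a random .deb is as dangerous as anything you
would run on Windows and can also wedge future upgrades. The following is an
added example, not code from the thread or from the Grism project, showing
what a practitioner can check before deciding: a .deb is an `ar` archive with
a `debian-binary` member, a `control.tar.*` member (package fields plus the
preinst/postinst/prerm/postrm maintainer scripts, which dpkg runs as root) and
a `data.tar.*` member (the files to be installed). The script parses that
layout with the Python standard library only, so it works without dpkg-deb,
and reports the maintainer scripts, the declared dependencies and any payload
paths under directories such as /etc/apt or /etc/cron that a third-party
package should not be touching. The sample package it builds (`grism`
0.9.0-1, the `example.invalid` URLs, the postinst contents) is constructed for
the demonstration and is not the real package from the thread.

```python
"""Inspect a third-party .deb before deciding whether to install it.

Added example (not from the mailing-list thread). Uses only the standard
library; the sample .deb below is constructed inline for demonstration.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Paths a package should not normally write; any file here deserves a look.
SENSITIVE_PREFIXES = ("etc/apt/", "etc/cron", "etc/sudoers", "etc/ld.so.conf")


def _ar_member(name, data):
    """One member in the classic ar layout dpkg uses: 60-byte header, even padding."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    """files: {path: (bytes, mode)} -> gzip'd tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (content, mode) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control, scripts, payload):
    """Assemble a constructed .deb; used only to give inspect_deb something to read."""
    ctrl = {"./control": (control.encode(), 0o644)}
    ctrl.update({"./" + n: (s.encode(), 0o755) for n, s in scripts.items()})
    data = {"./" + p: (c.encode(), 0o644) for p, c in payload.items()}
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(ctrl))
            + _ar_member("data.tar.gz", _tar_gz(data)))


def parse_ar(blob):
    """Return {member name: bytes} from an ar archive (the outer layer of a .deb)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive, so not a .deb")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members


def _tar_files(data):
    """{path without leading './': bytes} for the regular files in a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {(m.name[2:] if m.name.startswith("./") else m.name): tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def inspect_deb(blob):
    """Summarise what installing this .deb would do, without running dpkg."""
    members = parse_ar(blob)
    for required in ("debian-binary", "control.tar", "data.tar"):
        if not any(n.startswith(required) for n in members):
            raise ValueError(f"missing {required} member")
    ctrl = _tar_files(next(members[n] for n in members if n.startswith("control.tar")))
    payload = _tar_files(next(members[n] for n in members if n.startswith("data.tar")))
    fields = {}
    for line in ctrl["control"].decode().splitlines():
        if line[:1] != " " and ":" in line:      # continuation lines start with a space
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    scripts = {n: ctrl[n].decode() for n in MAINTAINER_SCRIPTS if n in ctrl}
    findings = [f"{n} runs as root when dpkg installs or removes the package" for n in scripts]
    findings += [f"writes {p}" for p in sorted(payload) if p.startswith(SENSITIVE_PREFIXES)]
    if "Depends" in fields:
        findings.append(f"depends on: {fields['Depends']} (must stay satisfiable across upgrades)")
    return {"fields": fields, "scripts": scripts, "files": sorted(payload), "findings": findings}


# Constructed sample: the kind of vendor .deb the thread warns about
# (hypothetical contents and URLs, not the real package).
SAMPLE_DEB = build_deb(
    "Package: grism\nVersion: 0.9.0-1\nArchitecture: all\n"
    "Depends: ruby (>= 1.8), libgtk2-ruby\nDescription: constructed sample\n",
    {"postinst": "#!/bin/sh\nwget -O- http://example.invalid/key | apt-key add -\n"},
    {"usr/bin/grism": "#!/usr/bin/ruby\n",
     "etc/apt/sources.list.d/grism.list": "deb http://example.invalid/ stable main\n"},
)

if __name__ == "__main__":
    report = inspect_deb(SAMPLE_DEB)
    print(report["fields"].get("Package"), report["fields"].get("Version"))
    for item in report["findings"]:
        print(" -", item)
```

On a real file, `inspect_deb(open("grism_0.9.0-1_all.deb", "rb").read())` gives
the same report; read every maintainer script it lists in full, because that
is the code that will run as root, and treat any file under /etc/apt as the
package quietly adding its own repository.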

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html