Linked by Thomas Leonard on Tue 16th Jan 2007 00:32 UTC
General Development In the Free and Open Source communities we are proud of our 'bazaar' model, where anyone can join in by setting up a project and publishing their programs. Users are free to pick and choose whatever software they want... provided they're happy to compile from source, resolve dependencies manually and give up automatic security and feature updates. In this essay, I introduce 'decentralised' installation systems, such as Autopackage and Zero Install, which aim to provide these missing features.
Permalink for comment 202127
To read all comments associated with this story, please click here.
Great article, but...
by Moochman on Tue 16th Jan 2007 12:10 UTC
Moochman
Member since:
2005-07-06

This article was really well thought-out and delivered--it's not just some publicity piece. It's clear that the developer/author has taken a lot of time to think about installation and use cases, and is making the next generation of Linux installation technologies a reality. I especially like the idea that different versions of libraries should be matched to different versions of programs, albeit without the needlessly inefficient app-folder method. I wish the author the best of luck, and hope that Zero Install catches on!

However, one flaw I see in your implementation is the cryptographically-derived naming of folders. In the beginning of the article, you point out that non-hash-derived identifyers are much more easily user-readable, yet later on you claim that end-user "Alice" will be willing to go to the Gimp homepage, look up the appropriate hash and compare it to hash-name of the folder that "Bob" installed on the hard drive. Yeah, right! Not only does that sound like the exact opposite of the user-friendly goals you set out with, but it's also incredibly insecure to assume user vigilance as a means of security! All the hash-naming of folders would serve to do is make the end user more confused.

Likewise, the certificate verification dialogue box doesn't seem too user-comprehensible or foolproof--especially considering that the user is told the database is "Unreliable"! A whiteboarding system (either independent or distro-specific) would be much more reliable, but of course then the sytem is practically as centralized as was supposed to be avoided!

It seems as though achieving ease-of-use, decentralization, and security all at once really is an elusive goal...

Reply Score: 3