Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

0install Reaches 2.0

tal197 Re:Worth a try? (61 comments)

I have an idea the .deb package recommends "packagekit". If that conflicts with "python3-aptdaemon.pkcompat", I guess your package manager might offer to remove it. You could try using --no-install-recommends.

If you try to install a program that needs a library that is only available through your distribution, then 0install will offer to install it using PackageKit, if PackageKit is available.

about a year and a half ago
top

0install Reaches 2.0

tal197 Re:Great Ideas Fail All The Time (61 comments)

In order for it to work, the software developer has to not only publish their software on the Zero Install system, they have to publish their software for ALL the distros on it. But, we all know well that most software developers regard this as far too cumbersome an undertaking and will instead publish only a single or couple of binaries.

Of course, that's not an issue for programs written in Python, Ruby, Java, etc.

For C, you can also publish a source version and let the users compile (with 0install handling the build dependencies). Also, if someone wants to set up a build farm for a particular platform, they can use these source packages to create binaries automatically (e.g. for PPC binaries).

Producing separate binaries for different distributions (e.g. Ubuntu and Fedora) isn't necessary; one binary should work everywhere. The exception would be if the distributions compiled the libraries with incompatible options, but that doesn't tend to happen these days. If it does, specify the dependency as distribuion="0install" to force the use of a 0install version rather than the distribution package.

about a year and a half ago
top

0install Reaches 2.0

tal197 Re:What a name (61 comments)

To get the hashes of the latest compatible versions, you could use 0install. e.g. to find the hashes for the dependencies of the SAM program:

$ 0install select http://www.serscis.eu/0install/serscis-access-modeller
- URI: http://www.serscis.eu/0install/serscis-access-modeller
  Version: 0.16-post
  Path: /home/tal/work/serscis-access-modeller/serscis-access-modeller-any-any

  - URI: http://repo.roscidus.com/java/iris
    Version: 0.6.0
    Path: /var/cache/0install.net/implementations/sha1new=daf7bfada93ec758baeef1c714f3239ce0a5a462

  - URI: http://repo.roscidus.com/java/swt
    Version: 3.6.1
    Path: /var/cache/0install.net/implementations/sha1new=bb9479c20f7684b9423be7d76194929e9b6fb690

  - URI: http://repo.roscidus.com/utils/graphviz
    Version: 2.30.1-1
    Path: (package:arch:graphviz:2.30.1-1:x86_64)

  - URI: http://repo.roscidus.com/java/openjdk-jre
    Version: 7.13-2.3.7-2
    Path: (package:arch:jre7-openjdk:7.13-2.3.7-2:x86_64)

(so, on my system, graphviz and the JRE are provided by the system, while IRIS and SWT give the required hashes)

about a year and a half ago
top

Python 3.3.0 Released

tal197 Re:Python 3 and its use (131 comments)

True, but if you use 0install then you can specify the version you want in the metadata, e.g.

    <command name='run' path='myprog.py'>
      <runner interface='http://repo.roscidus.com/python/python'>
        <version not-before='2.6' before='3'/>
      </runner>
    </command>

will select Python 2.6 or 2.7 on Debian, Ubuntu, Fedora, OpenSUSE, Arch, Windows, MacOS X, ... etc.

(example taken from the docs at http://0install.net/local-feeds.html)

about 2 years ago
top

Mozilla Offers Alternative To OpenID

tal197 Re:What is wrong with OpenID? (105 comments)

- It's designed for browser support, which is necessary to prevent phishing attacks and improve ease of use. It's hard for your browser to log in to OpenID sites (e.g. the Firefox OpenID plugin(s) fail on several sites which use fancy login UIs).

Auto-login is always problematic in security terms, even if it is exceptionally convenient.

I don't think anyone is suggesting auto-login (the browser logs the user in without action from the user). The issue is whether the browser can provide a login button in the chrome which, when clicked, allows the browser to handle the rest of the process securely (e.g. not displaying any random phishing site that the web-page tries to send you to). If you need to authenticate, the browser needs to ask for the password in a way that clearly shows it's OK to enter it (e.g. in a clearly-marked popup).

more than 2 years ago
top

Mozilla Offers Alternative To OpenID

tal197 Re:What is wrong with OpenID? (105 comments)

I think the main differences are that it uses email addresses instead of an URL (which people don't "get" as being your identity token)

Once it's ready (supporting primary IdP's), the ID doesn't need to be an email address (just an ID with an email-like structure).

and it doesn't give the authorities full power to access your accounts (since the private key for authentication is stored on the browser).

I don't think so. That key is only accepted because it's signed by your IdP, which can just as easily sign another one if the authorities request it. The main advantages I see are:

- Verifying a login doesn't tell you're IdP who signed in to the site. The site only requests the IdP certificate, not your personal one.

- It's designed for browser support, which is necessary to prevent phishing attacks and improve ease of use. It's hard for your browser to log in to OpenID sites (e.g. the Firefox OpenID plugin(s) fail on several sites which use fancy login UIs).

- Putting more of the logic in the browser simplifies the protocol (although they seem to be adding extra complexities quite fast).

more than 2 years ago
top

Moxie Marlinspike's Solution To the SSL CA Problem

tal197 Convergence vs DNSSEC? (189 comments)

I watched the video, but I still don't understand how convergence is better than putting the certificates in DNS with DNSSEC. He says that DNS registrars are not reliable enough, but from the video it looks like convergence ultimately relies on them anyway. e.g.

If I control the DNS entry for paypal.com then I just change its IP address to point at my server. People using convergence will find my server in DNS, get its (self-signed) certificate and send it to the notaries. The notaries will see that it is different from their cached copy, which will trigger them to check for updates. They'll all go to the (compromised) DNS system, get the new IP address, get the fake certificate and return "OK" to the user. What am I missing?

about 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Not sure what the user benefits are (82 comments)

You raise an excellent set of points. So how does 0install fix this?

Firstly, you don't need to find packagers for each distribution. You create one XML file, which allows everyone to run the program.

When the new GCC comes out and breaks your program, you just change the version restriction in your XML:

<requires interface='.../gcc'>
  <version before='4.6'/>

Likewise with the new libpng, and bdb. Other programs will start using the newer versions, but your program will stay with the version that works. You can then work on fixing the bugs and getting a new release out in your own time, without having to rush.

For example, I distribute a lot of Python programs using 0install. They all started "#!/usr/bin/env python". When ArchLinux decided that "python" would now be Python 3, they all broke. But by adding a few lines to my 0install feed, I got them working again:

  <runner interface='http://repo.roscidus.com/python/python'>
    <version before='3'/>
  </runner>

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Not sure what the user benefits are (82 comments)

... And if one wants, it can even rely on LSB I believe, eliminating a lot of the need to include copies of base libraries, and a decent starting point (though I can't tell if 0Install allows that, I think ROX application directories do, and this looks like a way to replace them though.

I'm not quite sure what you're asking here, but to be clear:

0install always shares libraries and other dependencies. For example, if your program depends on Java then 0install will use the distribution's version of Java (if installed), or 0install may download a 0install package of Java, or it may get Java from your distribution (using PackageKit). A 0install package should never need to bundle libraries.

On a multi-user system you can enable system-wide sharing. This is off by default because it requires adding a new sudo rule, and adding one automatically would be rude (the admin should be in charge of the sudoers file).

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Give me Debian package management any day (82 comments)

In the case of 0install, the command name (if any) is chosen by the user, not the package. So you might do something like this for shell use:

$ 0alias convert-img http://image-editor.org/convert
$ 0alias convert-text http://text-converter.com/convert

If a package depended on one of these, it would express that in its dependencies. e.g.

Make example.com/convert >= 1.3 available to me as 'convert'

0install would ensure that example.com's convert command was in $PATH, but just for the program that needed it.

It's similar with libraries. A library's files are only in scope for programs that depend on that library.

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Do not trust. (82 comments)

0install does not touch any files outside of ~/.config/0install.net/ and ~/.cache/0install.net/ by default, and it won't let packages change things at install time either. This is necessary so that it can be used with sandboxes.

The only exceptions are that it will make a configuration change that you request explicitly. For example, if you ask it to add Firefox 4 to your Network menu then it will do that, or if you ask it to add a "firefox4" shell command to run it then it will create a "firefox4" script in your $PATH.

You might be interested in the EBox sandboxing demo (the challenge is to create a package that accesses a user's files without the user's permission).

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Give me Debian package management any day (82 comments)

RISC OS application directories and Apple bundles have the nice property that you can install from anywhere, can have multiple versions and there are no conflicts between packages (e.g. both installing a "/usr/bin/convert"). But shared libraries are a pain because you have to install them manually, and upgrading a library needed to install program B can make program A stop working.

Debian packages have the nice property that you get dependency handling and automatic updates, and shared libraries work better. The system automatically installs a library version that works with A and B, if possible, or refuses to install B if there is no such version.

0install combines the best of both systems: you can get software from anywhere, have multiple versions at once and there are no conflicts. But you also get dependency handling, updates and shared libraries. It automatically installs a library version that works with A and B, if possible, or installs two different versions of the library in parallel if not.

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:Isn't this basically what Java was supposed to (82 comments)

It's perhaps more like Java Web Start in concept, but it works with any language (including Java). There is the 0export tool to create self-extracting bundles, but yes in the normal case it assumes that 0install will already be on the machine.

more than 3 years ago
top

Zero Install Project Makes 1.0 Release

tal197 Re:"Is this the end of the walled gardens..." (82 comments)

What's that? It doesn't run on any of those? Oh dear.

Yes, some platforms are so locked down that they won't let you run 0install. But it has been ported to all the common platforms that allow it (Linux, Unix, Mac OS X, Windows).

more than 3 years ago
top

Python 3.0 To Be Backwards Incompatible

tal197 Re:philosophy (438 comments)

Python source is generally compatible (go another level deeper and you'll find that the .py files are mostly symlinks to a single copy, at least on Debian-type systems).

However, the compiled .pyc files need to be regenerated for each version, which explains the separate directories. The symlinks are a messy hack, resulting from the fact that Python requires the .pyc files to go in the same directory as the corresponding .py files, even though you need multiple .pyc files for each .py file. If Python could cache the .pyc files somewhere else, the mess could go away.

The main problem with Python compatibility is with the C ABI, which varies across different packages, making it impractical to use Python to add scripting to a C program, for example:

http://www.mail-archive.com/python-3000@python.org/msg09051.html

more than 6 years ago

Submissions

top

0install reaches 2.0

tal197 tal197 writes  |  about a year and a half ago

tal197 (144614) writes "Zero Install, the decentralized cross-platform software installation system, announced 0install 2.0 today after 2 years in development. 0install allows authors to publish directly from their own web-sites, while supporting familiar features such as shared libraries, automatic updates, dependency handling and digital signatures. With more than one thousand packages now available, is this finally a viable platform?"
top

0install - The Antidote To App-Stores?

tal197 tal197 writes  |  more than 3 years ago

tal197 writes "Zero Install, the decentralised cross-distribution software installation system, announced 0install 1.0 today, after 8 years in development. 0install allows authors to publish directly from their own web-sites, while supporting familiar features such as shared libraries, automatic updates and digital signatures. The end of the walled-gardens of traditional app-stores and Linux distributions and the beginning of a true "Web of Software"?"
Link to Original Source

Journals

top

ADSL with Linux

tal197 tal197 writes  |  more than 9 years ago Might as well use this journal for rants, I suppose...

I've finally managed get myself set up with ADSL on Linux. I went with Demon, as they've got a decent reputation, and their web page states:

"Host software support for:

  • Windows 98, 98SE, 2000, ME and XP
  • Mac OS 8.6,9 and X
  • Linux

Great! However, after the package arrived, I couldn't help noticing a few obvious differences between the "host software support" for Windows vs Linux:

  • The CD contains Windows drivers for the USB modem. There are no Linux drivers (and you have to mount it with rock-ridge extensions disabled to see anything at all, which wasn't obvious).
  • There are detailed step-by-step instructions showing how to set it up on Windows. Linux isn't mentioned on the printed copy, and the CD version contains a single line, telling you to download drivers from the 'net (How? I don't have drivers for my modem!! Didn't anyone spot this little problem when they wrote the instructions?)
  • When I phoned up for support and said I was installing on Linux, the response was "Ha! Good luck!". Not what you want to hear. I pointed out that Linux is one of their supported systems but apparently "We don't have any training for that."

The problem was that the CHAP authentication was failing (I'd downloaded some drivers from sourceforge via my mobile phone's irDA port - painfully slow, but it worked). The helpdesk chap was friendly, but didn't seem able to suggest anything.

I got fed up and bought myself an ADSL modem router. Exactly the same problem. But this time when I phoned up and said I had a router, they suddenly had a whole load of useful test addresses to try which quickly narrowed the problem down to BT's exchange. Grr. BT fixed it after a couple of days, and it's all been fine since, but I think describing Linux as supported is really stretching things!

top

Zero Install

tal197 tal197 writes  |  more than 10 years ago

The GnuCash installation instructions warn non-programmers against even trying to install it. The word "nightmare" is used. Yet, the process should be quite simple: if the project was distributed using Zero Install then users could safely fetch and run it, with all its required dependencies, using a single command.

Zero Install is a fundamentally different way to access software. Instead of copying software from the web onto our computers, we cache it. It's a faster, easier to understand, and safer way to get software, suitable for both broadband and dial-up users.

Oddly, though, most people seem to ignore it. Why? Please add comments... I'd like to know how to present it better! A typical conversation goes like this:

  • Them: How do I install <foo>?
  • Me: Are you using Zero Install?
  • Them: No. What's that?
  • Me: It removes the need to install software. It uses a cache to allow running software directly from the author's machines.
  • Them: Sounds like a bad idea...
  • Me: Why?
  • Them: Err... insecure?
  • Me: Nothing runs as root, or as any privileged user. So you're running the same code as normal, but without the additional worries of an installation script.
  • Them: Err...slow?
  • Me: Since data is only downloaded when it's needed, there's less to download in total so it's actually faster. Once cached, it's at least as fast as normally-installed software; sometimes faster since there are no search paths.
  • Them: Oh. Still sounds like a bad idea.
  • Me: Why?
  • Them: Don't know...

After trying it for a few minutes, they're usually converted though. But what gives the bad initial impression?

Web site: Zero Install

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>