Is it time to consider SBo binary packages?
 

Hi all, Ill try not to be long winded.

Please don't rip me a new one, I am well aware of Slackware and SBo policies, I am just thinking out loud here and I almost always try to stay away from "Politics of Slackware or Linux posts" and I will ALWAYS trust the judgement of Pat and the core team.

Like a lot of of people who have used Slackware for years I remember the days of compiling software manually or using Checkinstall, src2pkg, rpm2tgz, or if you wanted to be brave www.linuxpackages.net. There were a lot of different options if you knew where too look, but this also could easily affect the integrity of Slackware's reputation for stability due to lack of know exactly where and how a package was created. Fast forward to today where we have Alien Bob, Robby, Willy, Pounce, slacky.eu, SBo and amazing tools like sbopkg, sbotools, slackpkg+, etc that work with those repositories, we basically now have dependency resolution and automation for installing quality approved packages. Even with that every single time I talk to a Linux user about Slackware, no matter how they word it, it always boils down to lack of binary packages and their apprehension of a source based solution. Is it time to at least consider SBo binary packages to attract more users? With SBo you have the SlackBuild, the person who made it, core team member approval, basically you have peace of mind. I would still compile from source but I would easily trust a SBo binary.

In closing I just want to say that I will always compile my software from source. To me it gives you an extra benefit of knowing your system is working the way it should and being able to tweak things if you need to. I also firmly believe in the old saying "If it ain't broke don't fix it" and binary packages could lead to WAY more problems than solutions and I don't want to see anything compromise Slackware's reputation. My only reason for even thinking about this is I truly think that if Slackware started offering binary SBo packages it would attract a significant amount of new users which would hopefully correlate to more money for Pat which would keep Slackware alive any healthy for years and years to come.

Opinions?

there's the SlackOnly repo

https://packages.slackonly.com/pub/packages/

enjoy

here's my reasoning for using it:

https://slackalaxy.wordpress.com/201...arty-packages/

I don't know. I think if those users are hung up on compiling something from source that already has an automatic and well-tested build script, there are probably a lot of other things in Slackware that they will be hung up on too. I say let them use their Ubuntu if that's the kind of distro they want.

From a practical standpoint, I don't know if the manpower exists to do all that work and quality control. In any case, I don't think it's worth it. I'd rather have our dedicated SBo admins and contributors doing more worthwhile things.

IMHO, a binary package repo should be separate from SBo. Part of the reason is that SBo gives you good flexibility in optional dependencies and build options, both of which a binary package repo would need to handle differently.

I assume those people don't care for Gentoo, either.

That's actually pretty cool. Didn't know that existed. Like I mentioned I will still use SBo, but that seems pretty polished and it works with slackpkg+. And I agree with dugan, when you think about how many SlackBuilds have switches and options it does make sense to keep the repos separate.

People who choose Slackware want to use the distribution; I don't think they need to be coaxed into using Slackware. Having said that I don't see anything wrong with the idea of SBo binary packages. It is an ambitious project; it sounds like a lot of work.

Salix is an excellent option for all those who don't want to build all the extra stuff. Their binary repo is quite impressive, and slapt-get handles dependencies just fine. This being said, all the other control freaks out there like myself will always prefer Slackware.

Yeah, and who is supposed to do all that work? Also consider that this will cost money, not just labor. SlackBuild scripts have negligible filesizes but downloading a Slackware package requires bandwidth. And hundreds of users downloading hundreds of packages require loads of bandidth, a reliable server and a lot of storage.

If you would want to start such a project you would try to minimize the amount of manual intervention or you will go crazy. Some CI tool like Jenkins could be setup to use the SBO git repository as a source and (re)build a package when its SlackBuild entry gets an update in the git repository. That would make it almost fully automatic, plus it will catch any issue the SBo admin team might have missed during their QA testing.

Adequately powered server and unimited bandwidth would have to be provided by real hardware, like a DediBox of 16 GB RAM and 1 TB harddisk, at 16 Euro per month pre-tax: https://www.online.net/en/dedicated-server/dedibox-xc - but those monthly fees would have to be covered.

If you look at slackonly.com, they already provide all these packages. The question is: how do you build a web of trust? I do not know Panagiotis Nikolaou. Would I install his packages? Probably not. Would I install his packages if he was a well-known member of the community with enough credibility? Perhaps yes.

Like most big Slackware contributors, Panagiotis Nikolaou made slackonly repository for his personal needs (and some close friends') about 2 years ago.
He then, generously, opened it for the community.
Me, and a growing number of slackware users, have it configured on our slackpkg+ setup.

How long would it take for him to be credible in the eyes of a core team member such as yourself?
I'm just curious. Like I said, I already use it... but I wonder why it is not more widely used.
Is it just a credibility issue? Does it need more advertising, since some people are surprised that it already exists?

It ain't broke.

Don't fix it.

Cloud hosts also charge for CPU usage.

So, how do you build a web of trust?

That's a technical question. The answer is crytographic signatures.

Indeed.

That is only part of th story of course.
You first have to know the persons who are cryptographically signing their packages before you can come to trust them and their signatures.

Someone already does the work and pays the bills;-)

So, all it takes is for someone that knows Panagiotis Nikolaou, and is known to someone that is known to someone... that is known to a trusted person, sing his key?

No of course not.

The important thing is that people must trust the packages, not the signatures.
People will not install random packages created by someone unknown, therefore it is important that the packager participates in the community, so that the potential users of his packages get to know him and can interact with him. Then, if enough trust has been created, people will start using his packages.
Signing the packages is optional and the fact that a package was signed has nothing to do with the quality of the package (i.e. does it work on my Slackware; does it not mess up the permissions of system directories; does it not overwrite system livraries; etc...).

A gpg signature serves only one purpose: to verify that the package you just downloaded and want to install was signed by someone you trust, so that you can be reasonably sure that it does not contain viruses, spyware or malware.

Exactly. I'll install pre-built packages from a few trusted sources: you and Robby. That's it. I won't install software that is from an unknown source.

IMHO, no. Back a decade ago or so when I was new to linux, I quickly left ubuntu. Slackware was one that I was interested in, but at the time was to much out of the league for me. So I went to salix which was perfectly suited for what you are asking. After bouncing awhile and LFS,arch, gentoo/funtoo later I came to realize Slackware is what I wanted. I like it the way it is and wish that what your are asking about never happens:p

No. Compiling from slackbuilds is a ducking joke in that it is so fucking easy, I practically just have to run the ./SLACKBUILD and I am good to go. It's almost the same as just typing in the command to install the package except there is more wait time. You also have to remember that slackbuilds is not part of Slackware, it's a project done by separate people. I would be less inclined to use it if it only offered pre-compiled binaries as I would have no clue what they did to them. Currently the source packages are hosted on their original sites (and if not I download it from original) and I can see the slackbuild go see what goes on.

Also, it's a lot of work to push out pre-compiled packages and you lose the option of changing certain options that you get with compiling, like for qemu or libvirt, the user for it to use.

I admit, I've never met Panagiotis in person. However, I have exchanged many emails with him and he seems like a really nice and dedicated guy. On the other hand, you LQ users, do not know me, therefore following the above logic, you cannot come to trust my words either.

So again, how does one earn the trust of the community here? How is one supposed to do that? I am not starting a fight, I am really asking (second time). AlienBob, have you tried and inspected any of the SlackOnly packages? Or you just blatantly state that you would probably not trust them? And this is supposed to imply what?

Wouldn't work for me.

I use SlackBuilds (my own and ones on SlackBuilds.org) because I prefer, and very often need, specific options compiled into my software. That's one of the many reasons I use Slackware: it makes this easy.

There are some packages I'm fine using a binary for (from trusted sources) but most of even those packages are pretty trivial to just build for myself, eliminating any perceived advantage to having a binary download. Common exceptions are KDE (I don't feel a need to ever compile that myself, so I'm happy to use Ktown), VLC, and probably a few others. I may find one or two things from slackonly now that I know it exists. But generally, I'm happy to compile the extraneous stuff, and simply must build the tools I rely on for a living because nobody else builds them right for me.

I have met some people irl. That doesn't mean I trust them.

I generally tend to trust people based on experiences I have with them. Maybe I converse with them over IRC or in a forum. They seem rational and legitimately interested in open source, and like a good person, then I start to trust them. At that point, I start to trust software they send me out of the blue, or else I don't fully trust them but I'm curious enough to try software in a VM or something, where I can evaluate it.

Trust develops over time, as a mixture of interpersonal experience. Lacking that, one falls back on the experiences of other people one trusts.

Me too. He's clearly contributed a lot of personal time, and (considering storage and bandwidth costs) personal money, into providing this resource for the community.

I've never met you in person. However, I have exchanged many emails with you, and you seem like a really nice and dedicated guy :p

The community is not monolithic. Some people will download anything, some people will download nothing. But most of us are in-between. We're happy to wait and see whether bad things happen to the people who will download anything ;)

Tell that to all the people in the forum with dependency problems after installing random stuff from pkgs.org ;)

But overall, I agree with what many have said. It is hard to gain trust from someone until you have consistent interaction with them. There's members on this forum, based on my interactions with them, that I would trust with building packages. Many won't give their free time helping out all sorts of new users and diagnosing problems veteran users are having (and everyone in between) if they have malicious intent towards users, and if they do, you can generally notice it relatively quick.

I have a hard time believing that Panagiotis puts in his time and money into this (especially without advertising it) with malcontent in his heart. I'm sure it's not an easy thing to do and it takes a good chunk of time to square away the repos. However, I have never interacted with him, so I can't determine my trust for him. Eric and Robby are easy to trust. If Pat trusts them, there's no reason we shouldn't, but even then, both interact with us on the forum.

But as Altris and notKlaatu (and probably others) have mentioned, I prefer to compile things myself for the options that I'm provided. A lot of the software I use have optional dependencies that I may want to use, while others have optional dependencies that I don't want. It is nice for me to be able to build software that meets my expectations with no more or less fluff than I desire. There are only a few packages I'll grab from Eric, mainly qt5 and openjdk, just because my computer is slow and I don't want to wait for those to build.

I generally don't like pre compiled binaries especially if the source is not available. I've seen too many instances where the source needs a bit of touch up or customization for my purposes. Nvidia drivers and adobe flash suck for this reason.

I have to say that those who have issue with the delay that compile time takes versus the instant gratification of installing a binary... Those ppl need to install Umbuntu.

SlackBUILDS dot org (notice "builds" in bold caps)

One might see the benefit of attracting more ppl to the cause, but what kind of people do you want to attract? Those that are fearful of using a computer to do repetitive, recursive compilation ? Or those ppl who are too lazy to type a few commands on a keyboard?

One bad thing about binary packages is dependencies. Each dependency update must be tested, and that list can get considerably long. Like AlienBob said, who will do all the work?

Debian, for example, host thousands of packages, but they all have to be maintained.

By keeping SBo as a source built system, it cuts down on personnel needs, hosting, costs, etc. Many of the from-source or power user distributions operate on small budgets with a few people. Some like Slackware, BLFS, CRUX, etc. all operate on what amounts to a shoestring budget.

With a rare exception, I have not met anybody I interact with on this LQ furum in real life. Nor have I met Pat in real life. If you interact with someone face-to-face you will be able to use all the nonverbal interaction to build a more complete picture of the other person. It will teach you more about the person's character than when you interact purely using asynchronous means of communication like this forum or email.

So how do I get to trust people's work if I never met them? It builds up over time. In the case of Pat and other well-known people it's their reputation that preceeds them. For 'ordinary' people that you see on this forum every day, it is their postings and interactions with other people (not just me) that paints a better picture of who they are. If I want to know more about something that was created by someone else in this community (a script, a package, a tool) I download and dissect it. I will get an idea of the quality of his work, which is the base for building trust. We do the same at SlackBuilds.org ('we' when I was still participating in the admin team but things have not changed there of course after I retired).

Trustlevels also build up when other people (with a good reputation) speak highly of someone I do not know. If many people use the slackonly packages and are happy with it, that speaks in favor of those packages and their packager.

But I still like it better when I have a good picture of someone whose packages I use. That someone does not have to be participating in this community at LQ of course - if Panagiotis is greek he will probably be spending a lot of time on greek forums instead. But then I will not get to know him, and ultimately that means I am less inclined to use his stuff. Same is true for slacky.eu, the package repository of the italian community. That too is a separate group of people, who interact in a language I do not understand, so I will not easily use their stuff.

I do not imply anything, and your last sentence has a suggestive tone I do not like. See how this works? it's like a ladder and you just dropped a few rungs.

Bottom line, you start with participating in a community, and when people get to know your online persona you will be able to build the credibility which you need to earn the trust of the community. When you yourself are not participating in a community and still want to be seen as trustworthy then you need proxies: people in that community who themselves are respected and have credibility, and who will vouch for your trustworthiness.

But as I am the untrusting kind, I will nevertheless still dissect your stuff and form my own opinion of the quality of your work :-)

In the time I've spent working on other distros, it doesn't matter their build environment, or that they sign their packages. There are certain maintainers that create sucky binary packages. It quickly ruins my trust of a distro, even when said maintainer just works on a few packages, since they let that person in. Eric is right, it always ends up having to trust the person on quality.

So I now know to avoid this community maintained distro rage, even more so now, even when it's not something I ever really had to spend much time in. This is coming from someone used to the quality of slackware for 15 years now :)

In SBo, you can't necessarily prevent poor choices in packaging, but at least the packaging is one step moved back in the process from failing you. Now you get to decided your fate :) So to go an SBo-like community binary package delivery program seems a bit unnecessary, and contrary to its goals.

There are still plenty of people that provide packages in Slackware? Do we need another one?

A person can earn trust and not be trustworthy. It could all be apart of some master plan to compromise people's systems.

I bet Panagiotis' stuff is fine. I like the current Slackbuilds setup. If a binary file is suspect then the original source could be suspect as well. I doubt people are reviewing the source of every program/lib out there. People don't have a chance to review the code of commercial software that installs all kinds of stuff to protect itself and phones home daily.

There are already things like palemoon and rar in SBo that link to binary packages instead of source.
Should be separated and tagged SlackRepack instead of SlackBuild as they appear to build something, but aren't building anything.

No.

I see now that my response sounds quite abrupt, something that I did not really intent. I rarely seek confrontation, and I do apologize if my reply sounded a bit off. However, I have to point out that I am not affiliated with SlackOnly. I simply happen to like the idea of having packages prepared from SBo, as an alternative to what SBo offers. If there's anything I have done for Slackware, that's the collection of SlackBuild scripts that I maintain at SBo.

Yes I do. I made a comment you did not like and therefore the quality of my SlackBuilds suddenly dropped a few rungs?

I have to admit, I begin to feel tired by the stubbornness I see in this community. It boils down to the following: someone wants to provide a packaged alternative to SBo. Why would anyone actively be against that?

Nobody that I have seen in this thread is actively against it. That is, no-one has taken action against it. That is what "actively against it" would mean.

Most people here appreciate precise language, and are offput by subtle innuendo or emotional appeal.
The Parent poster Daedra asked for opinions and opinions were offered. That's all that's going on here. Why not let SBo do its thing, and let SlackOnly do its thing and slacky.eu and the others do their thing, and not worry about it!?!
The thing that bothers me is somebody coming along (not you per se!) stating that some group or other should change the way they do things such as SBo start to offer binaries in the main. Not only is it an affront to the wonderful and generous work the SBo people do, but it speaks very ill IMHO in regards to those asking for that change. It speaks of an intrinsic selfishness which IMHO is the main problem we humans have on this planet!

I don't think the question actually was "can the SBo team start providing binary packages". The wonderful thing about compartmentalization is that another team can build a piece of infrastructure (binary package repository) on top of a lower-level piece (SBo scripts). The SBo team does not have to be involved in this at all. Exactly like slackonly.com is doing in fact.
Having both allows some people to use just the SBo scripts (because they do not trust a foreign repository or like compiling better for whatever reason) while others will happily use the binary package repository because it is convenient. If you trust the person or team who provides packages, then there is nothing to fuss about, you just use those packages.

I did not say or imply that I do not trust the team behind slackonly.com. The kind of trust I was talking about when I mentioned "web of trust" is not only trust in the benevolence of the team (are they secretly injecting malicious code or not) but also a trust in the quality of the packages (will they break my computer when I install them) and in the consistency of the team (will they still be providing an up to date package repository in one year from now). Building that web of trust will allows one to make a decision about use/skip quickly.

So I would never be against such a repository, why should I? Some people will profit from having it available. And if someone is willing to spend time, money and resources to build and maintain such a repository for the community to use, that can only be applauded. It is irrelevant whether I would actually use those packages, as long as you trust these guys.

Solarfields, my example was not implying that I would suddenly have less trust in your packages. It was an example of how interactions contribute to building trust. But... when someone says something I don't like then that does not mean the statement was false or incorrect, it's just me that took offense. I might find you a less likable guy perhaps, but it would not change the respect that I would have for your work.

I may not have written such a coherent post, but it is late and I am tired.

Not only No! but Hell No! Think about it.... then ask yourself "to what advantage and at what cost?" The only advantage OP noted was "more people" but really what that means is "more lazy, ignorant people". If you doubt this check out even fundamental questions asked on Mate, Ubuntu, etc. It's like the blind leading the blind. Slackware attracts people who are serious about the nuts and bolts. Why diminish that by appealing to lowest common denominator and become yet another "also ran"?

I can't agree with that, at least not the way you stated it. There are lots of very knowledgeable people using Ubuntu, Mint, etc. Heck, Linus Torvalds uses Fedora, which is in the same category. Is he one of the blind? You're right that Slackware attracts people who are interested in the nuts and bolts, but that doesn't mean there aren't plenty of Ubuntu users who are also interested in the same. The beauty of open source software is that there is a choice to suit everyone. In the end, people should was whatever suits them and not worry so much about the choices of other people.

(However, I believe it is appropriate to judge the choices of those who control the distributions and major projects, and I disagree with pretty much every significant decision Canonical has made since I started using Linux 5 years ago. But I digress -- I'm getting too far off-topic.)

Sorry, but when was the last time Linus was answering a newbie's question on some help forum? While I agree with you in general, this example is just bullshit until you can find plenty of postings like that from the last 10 years.

There are certainly plenty of knowledgeable people on the forums of those distributions helping newbies out, just like there is here, so enorbet's worries seem to me to be worrying about absolutely nothing. Plus, the newbies that get helped will eventually learn enough not to be "blind", as he called them.

If you add a "Download package" button you'll need to add an even bigger "Download package and all dependencies" button

Maybe even modify installpkg that so that giving it a package name also makes it hunt for dependencies or in lieu of that just make it try to install anything that looks vaguely package-ish

Slightly tongue in cheek but there's only so far you can take the hand-holding.

You missed the point of the example. I didn't mean that Linus is helping newbies on the forums, just that he is an example of someone who is not lazy and ignorant and yet is attracted to that kind of distro.

If that was the point of your example it was even more irrelevant to the comment you were addressing. The comment by enorbet was going on about the blind leading the blind, and the only salient reply to that is that there are in fact non-blind people leading as well.

Sorry for being blunt; I really do agree with you, but your point wasn't pointing in the right direction :P

I think that statement is a little silly, I use slackpkg+ to grab packages from AlienBob & Ponce all the time (Thank you Guys!), It may make me lazy but I don't think Ignorant. I can roll my own packages but quite frankly I don't want to waste my time when there are other kind and more experienced people that do it. I think the community would be enhanced by attracting the less experienced users. Hell I have learned a lot about Slackware from reading about someone's "dumb/ignorant" mistake, including my own ;) . Unfortunately Slackware scares a few people because it doesn't have "auto" dependency resolution, which is just because people just don't understand that with Slackware you don't really need it!


So I say IMHO SBO keep up the good work and if there is anyone willing to build all those packages please do so.

I gathered that the main point of enorbet's post was that Ubuntu attracts lazy, ignorant people, and the blind leading the blind on the forums (according to him, of course) was his way of proving it. But you're right -- we agree and there's not much point arguing over this detail. :)

Options and optional dependencies.

How do you handle that? Multiple prebuilt packages each with a different combination of the options?

Or is every package a kitchen sink package with all the options turned on?

Isn't simpler just to point those that want things made beginner/lazy/idiot-friendly at Salix and get-slapt?

Slackonly is the worthwhile option for those who don't have capable hardware to compile everything. Also, I have to use it because some sources are not available for me due to your country politics my friend (yes, GPL is utter BS in real world).
I can't talk about infected source codes as I don't have enough knowledge to look at source of every single package which I install. But, Putting aside all that ethical definitions about trust, I didn't notice any issue regarding package performance as same as SBo counterparts.
Slackonly is another third party repo which gives more option to Slackware users. I don't encourage anyone to use it over Slackware maintainers repositories. For me it has lower priority than Alien, Roby and SBo. But, having more option attract more people and all of them are not lazy.

Just wanted to chime in here. :twocents:

The beauty of SlackBuilds is one can add programs in the same manner that PV builds the OS we use and love. Programs can be tailored like a fine suit to fit each individuals needs, since most may have realized that the one size fits all---fits no-one well. SlackBuilds was officially endorsed by PV in an LQ thread not too long ago, saying that he was never asked to do so before. ;)

As Alien stated if someone wants to create or host third party binary packages then have at it :hattip: , post the link on the forum like people have done with different "package managers", but don't expect it to be official or even endorsed (ok, I took the liberty to paraphrase and interpret his posts). If you read his prior posts in this thread he actually gave you tips on how to build trust so users will want to or consider using those binary packages.

You see, those who use Alien, Robby's, Willy's packages etc... is because they are part of the Slack team, the inner circle so their packages are viewed as similar to in quality and trust as PV's, built with the same care and methodology, perhaps containing the same essence of Slack. ;)

Not sure PV uses Sourcery for that purpose.

Where in my post did it mention "Sourcery"?