Is it time to consider SBo binary packages?
Hi all, Ill try not to be long winded.
Please don't rip me a new one, I am well aware of Slackware and SBo policies, I am just thinking out loud here and I almost always try to stay away from "Politics of Slackware or Linux posts" and I will ALWAYS trust the judgement of Pat and the core team. Like a lot of of people who have used Slackware for years I remember the days of compiling software manually or using Checkinstall, src2pkg, rpm2tgz, or if you wanted to be brave www.linuxpackages.net. There were a lot of different options if you knew where too look, but this also could easily affect the integrity of Slackware's reputation for stability due to lack of know exactly where and how a package was created. Fast forward to today where we have Alien Bob, Robby, Willy, Pounce, slacky.eu, SBo and amazing tools like sbopkg, sbotools, slackpkg+, etc that work with those repositories, we basically now have dependency resolution and automation for installing quality approved packages. Even with that every single time I talk to a Linux user about Slackware, no matter how they word it, it always boils down to lack of binary packages and their apprehension of a source based solution. Is it time to at least consider SBo binary packages to attract more users? With SBo you have the SlackBuild, the person who made it, core team member approval, basically you have peace of mind. I would still compile from source but I would easily trust a SBo binary. In closing I just want to say that I will always compile my software from source. To me it gives you an extra benefit of knowing your system is working the way it should and being able to tweak things if you need to. I also firmly believe in the old saying "If it ain't broke don't fix it" and binary packages could lead to WAY more problems than solutions and I don't want to see anything compromise Slackware's reputation. My only reason for even thinking about this is I truly think that if Slackware started offering binary SBo packages it would attract a significant amount of new users which would hopefully correlate to more money for Pat which would keep Slackware alive any healthy for years and years to come. Opinions? |
there's the SlackOnly repo
https://packages.slackonly.com/pub/packages/ enjoy here's my reasoning for using it: https://slackalaxy.wordpress.com/201...arty-packages/ |
I don't know. I think if those users are hung up on compiling something from source that already has an automatic and well-tested build script, there are probably a lot of other things in Slackware that they will be hung up on too. I say let them use their Ubuntu if that's the kind of distro they want.
From a practical standpoint, I don't know if the manpower exists to do all that work and quality control. In any case, I don't think it's worth it. I'd rather have our dedicated SBo admins and contributors doing more worthwhile things. |
IMHO, a binary package repo should be separate from SBo. Part of the reason is that SBo gives you good flexibility in optional dependencies and build options, both of which a binary package repo would need to handle differently.
|
I assume those people don't care for Gentoo, either.
|
Quote:
|
Quote:
|
Salix is an excellent option for all those who don't want to build all the extra stuff. Their binary repo is quite impressive, and slapt-get handles dependencies just fine. This being said, all the other control freaks out there like myself will always prefer Slackware.
|
Quote:
If you would want to start such a project you would try to minimize the amount of manual intervention or you will go crazy. Some CI tool like Jenkins could be setup to use the SBO git repository as a source and (re)build a package when its SlackBuild entry gets an update in the git repository. That would make it almost fully automatic, plus it will catch any issue the SBo admin team might have missed during their QA testing. Adequately powered server and unimited bandwidth would have to be provided by real hardware, like a DediBox of 16 GB RAM and 1 TB harddisk, at 16 Euro per month pre-tax: https://www.online.net/en/dedicated-server/dedibox-xc - but those monthly fees would have to be covered. If you look at slackonly.com, they already provide all these packages. The question is: how do you build a web of trust? I do not know Panagiotis Nikolaou. Would I install his packages? Probably not. Would I install his packages if he was a well-known member of the community with enough credibility? Perhaps yes. |
Quote:
He then, generously, opened it for the community. Me, and a growing number of slackware users, have it configured on our slackpkg+ setup. How long would it take for him to be credible in the eyes of a core team member such as yourself? I'm just curious. Like I said, I already use it... but I wonder why it is not more widely used. Is it just a credibility issue? Does it need more advertising, since some people are surprised that it already exists? |
It ain't broke.
Don't fix it. |
Quote:
|
Quote:
|
Quote:
|
Quote:
|
Quote:
You first have to know the persons who are cryptographically signing their packages before you can come to trust them and their signatures. |
Quote:
|
Quote:
|
Quote:
The important thing is that people must trust the packages, not the signatures. People will not install random packages created by someone unknown, therefore it is important that the packager participates in the community, so that the potential users of his packages get to know him and can interact with him. Then, if enough trust has been created, people will start using his packages. Signing the packages is optional and the fact that a package was signed has nothing to do with the quality of the package (i.e. does it work on my Slackware; does it not mess up the permissions of system directories; does it not overwrite system livraries; etc...). A gpg signature serves only one purpose: to verify that the package you just downloaded and want to install was signed by someone you trust, so that you can be reasonably sure that it does not contain viruses, spyware or malware. |
Quote:
|
Quote:
|
No. Compiling from slackbuilds is a ducking joke in that it is so fucking easy, I practically just have to run the ./SLACKBUILD and I am good to go. It's almost the same as just typing in the command to install the package except there is more wait time. You also have to remember that slackbuilds is not part of Slackware, it's a project done by separate people. I would be less inclined to use it if it only offered pre-compiled binaries as I would have no clue what they did to them. Currently the source packages are hosted on their original sites (and if not I download it from original) and I can see the slackbuild go see what goes on.
Also, it's a lot of work to push out pre-compiled packages and you lose the option of changing certain options that you get with compiling, like for qemu or libvirt, the user for it to use. |
Quote:
So again, how does one earn the trust of the community here? How is one supposed to do that? I am not starting a fight, I am really asking (second time). AlienBob, have you tried and inspected any of the SlackOnly packages? Or you just blatantly state that you would probably not trust them? And this is supposed to imply what? |
Wouldn't work for me.
I use SlackBuilds (my own and ones on SlackBuilds.org) because I prefer, and very often need, specific options compiled into my software. That's one of the many reasons I use Slackware: it makes this easy. There are some packages I'm fine using a binary for (from trusted sources) but most of even those packages are pretty trivial to just build for myself, eliminating any perceived advantage to having a binary download. Common exceptions are KDE (I don't feel a need to ever compile that myself, so I'm happy to use Ktown), VLC, and probably a few others. I may find one or two things from slackonly now that I know it exists. But generally, I'm happy to compile the extraneous stuff, and simply must build the tools I rely on for a living because nobody else builds them right for me. |
Quote:
I generally tend to trust people based on experiences I have with them. Maybe I converse with them over IRC or in a forum. They seem rational and legitimately interested in open source, and like a good person, then I start to trust them. At that point, I start to trust software they send me out of the blue, or else I don't fully trust them but I'm curious enough to try software in a VM or something, where I can evaluate it. Trust develops over time, as a mixture of interpersonal experience. Lacking that, one falls back on the experiences of other people one trusts. |
Quote:
Quote:
Quote:
|
Quote:
But overall, I agree with what many have said. It is hard to gain trust from someone until you have consistent interaction with them. There's members on this forum, based on my interactions with them, that I would trust with building packages. Many won't give their free time helping out all sorts of new users and diagnosing problems veteran users are having (and everyone in between) if they have malicious intent towards users, and if they do, you can generally notice it relatively quick. I have a hard time believing that Panagiotis puts in his time and money into this (especially without advertising it) with malcontent in his heart. I'm sure it's not an easy thing to do and it takes a good chunk of time to square away the repos. However, I have never interacted with him, so I can't determine my trust for him. Eric and Robby are easy to trust. If Pat trusts them, there's no reason we shouldn't, but even then, both interact with us on the forum. But as Altris and notKlaatu (and probably others) have mentioned, I prefer to compile things myself for the options that I'm provided. A lot of the software I use have optional dependencies that I may want to use, while others have optional dependencies that I don't want. It is nice for me to be able to build software that meets my expectations with no more or less fluff than I desire. There are only a few packages I'll grab from Eric, mainly qt5 and openjdk, just because my computer is slow and I don't want to wait for those to build. |
I generally don't like pre compiled binaries especially if the source is not available. I've seen too many instances where the source needs a bit of touch up or customization for my purposes. Nvidia drivers and adobe flash suck for this reason.
I have to say that those who have issue with the delay that compile time takes versus the instant gratification of installing a binary... Those ppl need to install Umbuntu. SlackBUILDS dot org (notice "builds" in bold caps) One might see the benefit of attracting more ppl to the cause, but what kind of people do you want to attract? Those that are fearful of using a computer to do repetitive, recursive compilation ? Or those ppl who are too lazy to type a few commands on a keyboard? |
One bad thing about binary packages is dependencies. Each dependency update must be tested, and that list can get considerably long. Like AlienBob said, who will do all the work?
Debian, for example, host thousands of packages, but they all have to be maintained. By keeping SBo as a source built system, it cuts down on personnel needs, hosting, costs, etc. Many of the from-source or power user distributions operate on small budgets with a few people. Some like Slackware, BLFS, CRUX, etc. all operate on what amounts to a shoestring budget. |
Quote:
So how do I get to trust people's work if I never met them? It builds up over time. In the case of Pat and other well-known people it's their reputation that preceeds them. For 'ordinary' people that you see on this forum every day, it is their postings and interactions with other people (not just me) that paints a better picture of who they are. If I want to know more about something that was created by someone else in this community (a script, a package, a tool) I download and dissect it. I will get an idea of the quality of his work, which is the base for building trust. We do the same at SlackBuilds.org ('we' when I was still participating in the admin team but things have not changed there of course after I retired). Trustlevels also build up when other people (with a good reputation) speak highly of someone I do not know. If many people use the slackonly packages and are happy with it, that speaks in favor of those packages and their packager. But I still like it better when I have a good picture of someone whose packages I use. That someone does not have to be participating in this community at LQ of course - if Panagiotis is greek he will probably be spending a lot of time on greek forums instead. But then I will not get to know him, and ultimately that means I am less inclined to use his stuff. Same is true for slacky.eu, the package repository of the italian community. That too is a separate group of people, who interact in a language I do not understand, so I will not easily use their stuff. Quote:
Bottom line, you start with participating in a community, and when people get to know your online persona you will be able to build the credibility which you need to earn the trust of the community. When you yourself are not participating in a community and still want to be seen as trustworthy then you need proxies: people in that community who themselves are respected and have credibility, and who will vouch for your trustworthiness. But as I am the untrusting kind, I will nevertheless still dissect your stuff and form my own opinion of the quality of your work :-) |
In the time I've spent working on other distros, it doesn't matter their build environment, or that they sign their packages. There are certain maintainers that create sucky binary packages. It quickly ruins my trust of a distro, even when said maintainer just works on a few packages, since they let that person in. Eric is right, it always ends up having to trust the person on quality.
So I now know to avoid this community maintained distro rage, even more so now, even when it's not something I ever really had to spend much time in. This is coming from someone used to the quality of slackware for 15 years now :) In SBo, you can't necessarily prevent poor choices in packaging, but at least the packaging is one step moved back in the process from failing you. Now you get to decided your fate :) So to go an SBo-like community binary package delivery program seems a bit unnecessary, and contrary to its goals. There are still plenty of people that provide packages in Slackware? Do we need another one? |
A person can earn trust and not be trustworthy. It could all be apart of some master plan to compromise people's systems.
I bet Panagiotis' stuff is fine. I like the current Slackbuilds setup. If a binary file is suspect then the original source could be suspect as well. I doubt people are reviewing the source of every program/lib out there. People don't have a chance to review the code of commercial software that installs all kinds of stuff to protect itself and phones home daily. |
There are already things like palemoon and rar in SBo that link to binary packages instead of source.
Should be separated and tagged SlackRepack instead of SlackBuild as they appear to build something, but aren't building anything. |
Quote:
|
Quote:
Quote:
I have to admit, I begin to feel tired by the stubbornness I see in this community. It boils down to the following: someone wants to provide a packaged alternative to SBo. Why would anyone actively be against that? |
Quote:
Most people here appreciate precise language, and are offput by subtle innuendo or emotional appeal. The Parent poster Daedra asked for opinions and opinions were offered. That's all that's going on here. Why not let SBo do its thing, and let SlackOnly do its thing and slacky.eu and the others do their thing, and not worry about it!?! The thing that bothers me is somebody coming along (not you per se!) stating that some group or other should change the way they do things such as SBo start to offer binaries in the main. Not only is it an affront to the wonderful and generous work the SBo people do, but it speaks very ill IMHO in regards to those asking for that change. It speaks of an intrinsic selfishness which IMHO is the main problem we humans have on this planet! |
I don't think the question actually was "can the SBo team start providing binary packages". The wonderful thing about compartmentalization is that another team can build a piece of infrastructure (binary package repository) on top of a lower-level piece (SBo scripts). The SBo team does not have to be involved in this at all. Exactly like slackonly.com is doing in fact.
Having both allows some people to use just the SBo scripts (because they do not trust a foreign repository or like compiling better for whatever reason) while others will happily use the binary package repository because it is convenient. If you trust the person or team who provides packages, then there is nothing to fuss about, you just use those packages. I did not say or imply that I do not trust the team behind slackonly.com. The kind of trust I was talking about when I mentioned "web of trust" is not only trust in the benevolence of the team (are they secretly injecting malicious code or not) but also a trust in the quality of the packages (will they break my computer when I install them) and in the consistency of the team (will they still be providing an up to date package repository in one year from now). Building that web of trust will allows one to make a decision about use/skip quickly. So I would never be against such a repository, why should I? Some people will profit from having it available. And if someone is willing to spend time, money and resources to build and maintain such a repository for the community to use, that can only be applauded. It is irrelevant whether I would actually use those packages, as long as you trust these guys. Solarfields, my example was not implying that I would suddenly have less trust in your packages. It was an example of how interactions contribute to building trust. But... when someone says something I don't like then that does not mean the statement was false or incorrect, it's just me that took offense. I might find you a less likable guy perhaps, but it would not change the respect that I would have for your work. I may not have written such a coherent post, but it is late and I am tired. |
Not only No! but Hell No! Think about it.... then ask yourself "to what advantage and at what cost?" The only advantage OP noted was "more people" but really what that means is "more lazy, ignorant people". If you doubt this check out even fundamental questions asked on Mate, Ubuntu, etc. It's like the blind leading the blind. Slackware attracts people who are serious about the nuts and bolts. Why diminish that by appealing to lowest common denominator and become yet another "also ran"?
|
Quote:
(However, I believe it is appropriate to judge the choices of those who control the distributions and major projects, and I disagree with pretty much every significant decision Canonical has made since I started using Linux 5 years ago. But I digress -- I'm getting too far off-topic.) |
Quote:
There are certainly plenty of knowledgeable people on the forums of those distributions helping newbies out, just like there is here, so enorbet's worries seem to me to be worrying about absolutely nothing. Plus, the newbies that get helped will eventually learn enough not to be "blind", as he called them. |
If you add a "Download package" button you'll need to add an even bigger "Download package and all dependencies" button
Maybe even modify installpkg that so that giving it a package name also makes it hunt for dependencies or in lieu of that just make it try to install anything that looks vaguely package-ish Slightly tongue in cheek but there's only so far you can take the hand-holding. |
Quote:
|
Quote:
Sorry for being blunt; I really do agree with you, but your point wasn't pointing in the right direction :P |
Quote:
So I say IMHO SBO keep up the good work and if there is anyone willing to build all those packages please do so. |
Quote:
|
Options and optional dependencies.
How do you handle that? Multiple prebuilt packages each with a different combination of the options? Or is every package a kitchen sink package with all the options turned on? Isn't simpler just to point those that want things made beginner/lazy/idiot-friendly at Salix and get-slapt? |
Quote:
I can't talk about infected source codes as I don't have enough knowledge to look at source of every single package which I install. But, Putting aside all that ethical definitions about trust, I didn't notice any issue regarding package performance as same as SBo counterparts. Slackonly is another third party repo which gives more option to Slackware users. I don't encourage anyone to use it over Slackware maintainers repositories. For me it has lower priority than Alien, Roby and SBo. But, having more option attract more people and all of them are not lazy. |
Just wanted to chime in here. :twocents:
The beauty of SlackBuilds is one can add programs in the same manner that PV builds the OS we use and love. Programs can be tailored like a fine suit to fit each individuals needs, since most may have realized that the one size fits all---fits no-one well. SlackBuilds was officially endorsed by PV in an LQ thread not too long ago, saying that he was never asked to do so before. ;) As Alien stated if someone wants to create or host third party binary packages then have at it :hattip: , post the link on the forum like people have done with different "package managers", but don't expect it to be official or even endorsed (ok, I took the liberty to paraphrase and interpret his posts). If you read his prior posts in this thread he actually gave you tips on how to build trust so users will want to or consider using those binary packages. You see, those who use Alien, Robby's, Willy's packages etc... is because they are part of the Slack team, the inner circle so their packages are viewed as similar to in quality and trust as PV's, built with the same care and methodology, perhaps containing the same essence of Slack. ;) |
Quote:
|
Quote:
|
All times are GMT -5. The time now is 01:40 AM. |