Date:      Tue, 7 Jun 2016 20:50:18 -0400
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-pkg@freebsd.org
Subject:   Re: gem, pip et al vs. pkg
Message-ID:  <ac7e309e-0e44-c8e6-961a-0c179793d451@FreeBSD.org>
In-Reply-To: <a3bc5362-660f-80d5-c64d-f439052b259f@aldan.algebra.com>
References:  <a3bc5362-660f-80d5-c64d-f439052b259f@aldan.algebra.com>

On 07/06/2016 18:21, Mikhail T. wrote:
> The biggest problem here is that neither Python's
> <https://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/>
> nor Ruby's <http://guides.rubygems.org/security/> packages are normally
> /signed/ (not sure about Perl's), so simply downloading them is
> dangerous (not that this stops all people from using them anyway). But
> this can be side-stepped by us maintaining a checksum file of our own --
> it would still be easier and more concise to maintain such a table with
> one row per package, instead of an entire port-directory with multiple
> files in it.

Perl packages aren't normally signed either.  However in all these cases
I believe you can get a package checksum from an HTTPS site
authenticated by certificate, which is at least better than nothing.

> In the other direction, if someone were to install a Ruby gem using the
> gem-utility (or pip-perl, or pip-python, or even rpm), why aren't the
> installed files registered in the pkg's database? We have the sources
> for all of these utilities -- we can modify them to register the package
> and its files with the pkg.

There's no technical reason why this couldn't be done.  The lack is more
down to no-one taking up the reins and pushing the project through.  It
used to be done for perl under the old packaging system -- remember
BSDPAN?  However there are a number of implementation niceties which
never could be handled with the old pkg_tools:

  * There was a hard-wired requirement to be able to map packages onto a
    path in the ports tree.  This is no longer a big deal with pkg(8),
    and it may even be feasible to supply e.g. an arbitrary URL as a
    package origin.

  * Recognizing that e.g. a ported perl module and a module from CPAN
    (mutatis mutandis for other languages) are interchangeable.

  * Coping with dependencies other than additional modules from the
    same language.  The ports handles this: most language specific / OS
    agnostic package collections do not.  Functionally that means that
    modules with external dependencies should always be added to and
    installed from the ports.

  * Knowing how to detect the availability of updates for each of these
    different language specific modules.

Ports doesn't at the moment have a sufficiently flexible means of
specifying exactly what dependency versions could be used.  For instance
you can't say 'any version 1.2.x greater than 1.2.2 except for version
1.2.13 or else any version from 1.3.0 -- 1.3.x'.

There's more than just the three languages you mention which could
benefit from this sort of treatment.  Don't forget PHP/Pear modules;
npm; and, not least, the granddaddy of all archive networks: TeX.

	Cheers,

	Matthew
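The "checksum file of our own" with one row per package that Mikhail proposes, and the "checksum from an HTTPS site" that Matthew mentions, both come down to the same defender-side check: compare the bytes you fetched against a digest you obtained from a separately authenticated source before anything gets installed or registered with pkg. The following is an added example written for this page, not code from either poster or from pkg(8)/the ports framework. The table format (NAME VERSION SIZE SHA256, modelled loosely on a ports distinfo), the package names and the archive contents are all constructed; the example assumes the table itself has already been fetched over an authenticated channel and does no network I/O.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ChecksumRow:
    name: str
    version: str
    size: int       # byte length of the archive, as a ports distinfo records
    sha256: str     # lower-case hex digest


def parse_checksum_table(text: str) -> Dict[Tuple[str, str], ChecksumRow]:
    """Parse a table with one row per package: NAME VERSION SIZE SHA256.

    Blank lines and '#' comments are ignored. A malformed or duplicate row
    is an error rather than a silently skipped entry, so a corrupted table
    cannot quietly stop protecting a package.
    """
    rows: Dict[Tuple[str, str], ChecksumRow] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, version, size, digest = fields
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed sha256 digest")
        key = (name, version)
        if key in rows:
            raise ValueError(f"line {lineno}: duplicate row for {name}-{version}")
        rows[key] = ChecksumRow(name, version, int(size), digest)
    return rows


def verify_archive(rows: Dict[Tuple[str, str], ChecksumRow],
                   name: str, version: str, data: bytes) -> Tuple[bool, str]:
    """Check fetched archive bytes against the table before installing them."""
    row = rows.get((name, version))
    if row is None:
        return False, f"{name}-{version}: not in checksum table"
    if len(data) != row.size:
        return False, f"{name}-{version}: size mismatch ({len(data)} != {row.size})"
    actual = hashlib.sha256(data).hexdigest()
    # constant-time compare; cheap insurance even though the digest is public
    if not hmac.compare_digest(actual, row.sha256):
        return False, f"{name}-{version}: sha256 mismatch"
    return True, f"{name}-{version}: ok"


# Constructed stand-in for a fetched archive (not a real gem/wheel/tarball).
GOOD_ARCHIVE = b"constructed stand-in for the contents of foo-1.2.3.gem\n"

# Constructed table; the digest is derived from the stand-in above so the
# example is self-contained. In real use the table is maintained and served
# separately from the archives it protects.
CHECKSUM_TABLE = (
    "# name   version  size  sha256\n"
    f"foo  1.2.3  {len(GOOD_ARCHIVE)}  {hashlib.sha256(GOOD_ARCHIVE).hexdigest()}\n"
)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against a good, a tampered, an unknown and a truncated archive."""
    rows = parse_checksum_table(CHECKSUM_TABLE)
    tampered = bytes([GOOD_ARCHIVE[0] ^ 0x01]) + GOOD_ARCHIVE[1:]  # same length, one bit flipped
    return {
        "good": verify_archive(rows, "foo", "1.2.3", GOOD_ARCHIVE),
        "tampered": verify_archive(rows, "foo", "1.2.3", tampered),
        "unknown": verify_archive(rows, "bar", "0.1", GOOD_ARCHIVE),
        "truncated": verify_archive(rows, "foo", "1.2.3", GOOD_ARCHIVE[:-1]),
    }


if __name__ == "__main__":
    for label, (ok, msg) in demo().items():
        print(f"{label:9s} {'PASS' if ok else 'FAIL'}  {msg}")
```

The size check is cheap and catches truncated downloads before hashing; the digest check is what actually protects against a modified archive. Neither replaces a signature: the table is only as trustworthy as the channel it came over, which is Matthew's point about the certificate-authenticated HTTPS site being "better than nothing".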

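Matthew's example of a dependency constraint the ports tree cannot express ("any version 1.2.x greater than 1.2.2 except for version 1.2.13 or else any version from 1.3.0 -- 1.3.x") is easy to state in a small constraint language. The following is an added example written for this page, not code from the poster, from pkg(8) or from the ports framework; the syntax it accepts (a `1.2.x` wildcard, comparator terms such as `>1.2.2` and `!=1.2.13` joined by `,`, alternatives joined by `||`) is invented here for illustration and is not something any of those tools support.

```python
import re
from typing import Callable, List, Tuple

Version = Tuple[int, ...]

_VERSION_RE = r"\d+(?:\.\d+)*"


def parse_version(s: str) -> Version:
    """'1.2.13' -> (1, 2, 13); anything that is not dotted integers is rejected."""
    if not re.fullmatch(_VERSION_RE, s):
        raise ValueError(f"bad version: {s!r}")
    return tuple(int(p) for p in s.split("."))


def _compare(a: Version, b: Version) -> int:
    """Three-way compare, padding the shorter tuple with zeros so 1.2 == 1.2.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
}


def parse_term(term: str) -> Callable[[Version], bool]:
    """One constraint term: 'N.N.x' wildcard or '<op>N.N.N' comparator (hypothetical syntax)."""
    term = term.strip()
    m = re.fullmatch(rf"({_VERSION_RE})\.x", term)
    if m:
        base = parse_version(m.group(1))
        upper = base[:-1] + (base[-1] + 1,)   # 1.2.x means >=1.2.0 and <1.3.0
        return lambda v: _compare(v, base) >= 0 and _compare(v, upper) < 0
    m = re.fullmatch(rf"(>=|<=|==|!=|>|<)\s*({_VERSION_RE})", term)
    if not m:
        raise ValueError(f"bad constraint term: {term!r}")
    op, pivot = _OPS[m.group(1)], parse_version(m.group(2))
    return lambda v: op(_compare(v, pivot))


def parse_constraint(spec: str) -> Callable[[str], bool]:
    """Build a matcher: alternatives split on '||', terms within one split on ','.

    A version satisfies the spec if every term of at least one alternative holds.
    """
    alternatives: List[List[Callable[[Version], bool]]] = []
    for clause in spec.split("||"):
        terms = [parse_term(t) for t in clause.split(",") if t.strip()]
        if not terms:
            raise ValueError(f"empty alternative in {spec!r}")
        alternatives.append(terms)

    def matches(version: str) -> bool:
        v = parse_version(version)
        return any(all(t(v) for t in terms) for terms in alternatives)

    return matches


def allowed_versions(spec: str, candidates: List[str]) -> List[str]:
    """Filter a list of available versions down to those the spec permits."""
    matches = parse_constraint(spec)
    return [c for c in candidates if matches(c)]


# Matthew's example, written in the hypothetical syntax above.
MATTHEW_EXAMPLE = "1.2.x, >1.2.2, !=1.2.13 || 1.3.x"

if __name__ == "__main__":
    available = ["1.2.2", "1.2.3", "1.2.13", "1.2.100", "1.3", "1.3.7", "1.4.0", "2.0.0"]
    print(allowed_versions(MATTHEW_EXAMPLE, available))
```

Two details matter more than the syntax. Versions are compared numerically component by component rather than as strings, so `1.2.100` correctly sorts above `1.2.13`; and an unparseable version or term raises rather than matching, since a resolver that silently accepts garbage is how a wrong (or stale, unpatched) module ends up installed.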