[haiku-development] Re: Some thoughts on package management

  • From: Adrien Destugues <pulkomandy@xxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Thu, 17 Oct 2013 22:16:00 +0200

> There is no difference between packages installed via pkgman and those
> installed manually. You can download a package from the haikuports
> repository and install it manually, and -- the feature has not been
> implemented yet -- pkgman will also be able to install a local package
> file. It is not relevant by which method a package is installed. The
> relevant information is encoded in the package meta data: the package
> vendor.

There is no difference as far as the system is concerned. It could help with 
managing the repositories if we start having a lot of them. The user may want 
to do some cleanup and answer questions such as: how many packages did I get 
from this repo? Are they still installed? Are they available elsewhere?

I don't think adding a source attribute to the packages (this would be set by 
pkgman or HaikuDepot when installing the package, and requires no change to 
the package daemon) can do any harm, and it makes it much easier to track 
which packages come from where.

It could also help detect where a broken package comes from. Let's say you 
notice a package is corrupted some time after installing it. Was the 
corruption done during download? While the file was stored on disk, because 
of a BFS bug or a system crash? Or does the package come from a repo that 
has corrupted it (on purpose or not)? Knowing where the package was 
downloaded from would help with checking the source and seeing if it still 
matches. Since the vendor field is only informative, without any signing key 
or certificate of any kind, a malicious repo could also provide packages with 
a faked vendor field and corrupt your system (again, either on purpose or 
because the repo itself was attacked by someone). Looking at the source 
attribute would then help to know which repo (or mirror) is at fault.

-- 
Adrien.

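As an added illustration of the source attribute argued for in the message above (this is not code from Haiku, pkgman, HaikuDepot or the original post): a hypothetical install ledger that records where each package was fetched from and its digest at install time, then answers the "which repo" questions and classifies a later corruption by comparing the on-disk file and a fresh copy from the recorded source. The ledger format, function names, URLs and package bytes are constructed assumptions.

```python
"""Hypothetical install ledger with a per-package 'source' attribute.
Constructed example: format, names and sample packages are assumptions,
not Haiku's package daemon, pkgman or HaikuDepot code."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    name: str
    version: str
    vendor: str   # informative only: copied from package metadata, unsigned
    source: str   # repo or mirror URL the installer fetched the file from
    digest: str   # sha256 of the package file as it was installed


@dataclass
class Ledger:
    entries: dict = field(default_factory=dict)

    def record_install(self, name, version, vendor, source, data: bytes):
        """Installer hook: remember where the bytes came from and what they were."""
        self.entries[name] = Entry(name, version, vendor, source, sha256(data))

    def packages_from(self, source):
        """Which installed packages came from this repo?"""
        return sorted(e.name for e in self.entries.values() if e.source == source)

    def available_elsewhere(self, name, repo_index):
        """Other sources offering the same name-version; repo_index: URL -> set of 'name-version'."""
        e = self.entries[name]
        return sorted(url for url, pkgs in repo_index.items()
                      if url != e.source and f"{e.name}-{e.version}" in pkgs)

    def diagnose(self, name, local_data: bytes, fresh_repo_data: bytes) -> str:
        """Classify a suspected corruption: local_data is the file on disk now,
        fresh_repo_data the same version re-fetched from the recorded source."""
        e = self.entries[name]
        if sha256(local_data) == e.digest:
            return "intact"
        if sha256(fresh_repo_data) == e.digest:
            return "local-corruption"           # disk or crash damage; repo still serves the installed bytes
        return f"source-mismatch:{e.source}"   # repo/mirror now serves different bytes; inspect that source
```

A download that arrived already damaged is recorded as installed, so it surfaces later as a source mismatch rather than local corruption; telling those two apart needs a digest published by the repository itself, which this ledger does not carry.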