[OT] Weaknesses of distro package managers - was Re: Python 2 to 3 conversion - embrace the pain

Ben Finney ben+python at benfinney.id.au
Mon Mar 16 22:40:07 EDT 2015


Thanks for discussing this, Michael.

Michael Torrie <torriem at gmail.com> writes:

> For developers things are even more grim. Package managers certainly
> don't work so well for third-party apps like VirtualBox, LibreOffice,
> Firefox, etc. Part of the issue is the multiple moving targets distros
> present in terms of what's available in the system. It's so bad in
> fact that major projects that offer binary packages on their web sites
> end up bundling copies of libraries they use, such as GTK, SSL, etc.

In my experience it's far more extensive than that. The trend seems to
be to bundle every third-party library with one's own work, and dump it
all in the end-user's lap.

> This is how VirtualBox, Firefox, and LibreOffice all do it. It works

It “works fine” only if you ignore:

* The third-party library will have bug fixes.

  Upgrading the OS package for libGTK will get those bug fixes, but
  won't affect all the bundled ones in other packages. Who is
  responsible for fixing those?

* The third-party library will have security vulnerabilities. This is a
  special, but fairly common, case of needing a bug fix.

  The operating systems will make it a priority to upgrade the OS
  package for the library, and the package manager makes sure that's as
  easy as can be feasible so there's some chance it will be fixed.

  Who is responsible for fixing all the bundled versions of the library
  with bug fixes?

* The third-party library will behave differently from the OS packaged
  version.

  Often, for the developer, that is exactly the point: the developer
  doesn't want the OS packaged version because they want a version with
  different behaviour. So they bundle a specific version, to heck with
  what the OS provides.

  From the point of view of the user, though, deviations from how they
  expect the OS to behave are a bug. If libGTK makes some widget behave
  in a particular way all across the operating system, except in program
  FooBar and BuzQuux, they're going to consider those two programs
  buggy. In my opinion they're correct: those programs should work with
  the rest of the OS, not be rogue.

> but it's wasteful and they still have to target at least three to five
> different distro/package manager combinations.

I think “wasteful” is not much of an issue (and is less of an issue as
storage becomes plentiful). Far more problematic are the divergences
between OS packaged libraries and bundled libraries, as I detailed
above.

> Ideally you should get your package in a mainline repo where
> ostensibly it's updated and maintained and just works with your distro
> of choice. Except when it doesn't.

Thanks again. This is an important and difficult problem, with competing
forces at play, and I am not at all satisfied with the current state of
packaging.

-- 
 \           “He who wonders discovers that this in itself is wonder.” |
  `\                                          —Maurits Cornelis Escher |
_o__)                                                                  |
Ben Finney
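
Added example, not part of the original message: a Python sketch of the audit the list above implies, walking application directories for shared libraries that the OS also packages and flagging copies whose version suffix differs from what the OS ships. The directory layout, the app name `foobar` and the file-name version heuristic are assumptions; statically linked copies are not detected.

```python
import os
import re
import tempfile
from collections import defaultdict

# Shared-object file names, e.g. libgtk-3.so.0.2404.16 or libssl.so.1.1
SO_NAME = re.compile(r"^(lib[A-Za-z0-9_+\-.]*?)\.so(?:\.([0-9.]+))?$")

def index_libs(root):
    """Map library base name -> set of (version suffix, path) under root."""
    found = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SO_NAME.match(name)
            if m:
                found[m.group(1)].add((m.group(2) or "", os.path.join(dirpath, name)))
    return found

def bundled_copies(system_roots, app_roots):
    """List libraries under app_roots that the OS library dirs also provide."""
    system = defaultdict(set)
    for root in system_roots:
        for base, entries in index_libs(root).items():
            system[base] |= {ver for ver, _path in entries}
    report = []
    for root in app_roots:
        for base, entries in sorted(index_libs(root).items()):
            if base not in system:
                continue  # not shipped by the OS, nothing to compare against
            for ver, path in sorted(entries):
                report.append({
                    "library": base,
                    "bundled_path": path,
                    "bundled_version": ver,
                    "system_versions": sorted(system[base]),
                    # True: this copy is not a version the OS currently ships
                    "diverges": ver not in system[base],
                })
    return report

def demo():
    """Constructed sample tree (hypothetical app 'foobar'), not real system data."""
    top = tempfile.mkdtemp()
    for rel in ("usr/lib/libssl.so.1.0.2", "usr/lib/libgtk-3.so.0.1400.5",
                "opt/foobar/lib/libssl.so.1.0.1", "opt/foobar/lib/libfoobar.so.2"):
        os.makedirs(os.path.dirname(os.path.join(top, rel)), exist_ok=True)
        open(os.path.join(top, rel), "w").close()
    return bundled_copies([os.path.join(top, "usr/lib")], [os.path.join(top, "opt")])

if __name__ == "__main__": print(*demo(), sep="\n")
```

Each reported row is a library copy that an OS package upgrade will not touch, so it needs its own owner for security fixes.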



