On Thu, Jan 17, 2008 at 04:24:39PM +0000, Sam Lewis wrote:
> Sven Hoexter <[EMAIL PROTECTED]> writes:

Hi,

> > Sam please don't take it as an offense but I'd highly recommend to not
> > use those checkinstall packages for Debian/etch. The same reasoning
> > applies for Ubuntu so you might want to read on as an Ubuntu user
> > as well.

> To clarify these are not official packages, but made available by me
> for other LyX users, on debian-based distros, who don't want to wait
> until official releases included these versions.

There will never be new versions in a stable release of Debian or Ubuntu.
(Besides maybe Firefox/Iceweasel but that's based on upstream's security
update policy and a different matter.)

> I've provided packages for several years and there have been no
> complaints. They are built on non-modified releases of etch and dapper
> and by reading the README file (that are also uploaded) one gets a good
> idea about build dependencies.

No complaints can mean two things. Nobody used the package or nobody noticed
the problem. You might guess it but there are control fields for build
dependencies so that you don't have to write them down in a second file.

> If 1.5.3 is already available on backports.org that's great, and my
> packages are not needed then. If not, then responsible users might
> choose to use these.

It's not available on backports.org but there is a backport available.

> > One drawback is that you're forced to migrate to texlive from tetex
> > if you're still using tetex. This will happen with lenny anyway but
> > it will force you to download a few hundred MiB of texlive packages
> > along with the new LyX and boost packages.
>
> There are no tex-distro dependencies set on my packages, one can use
> whatever one likes. Indeed, I thought, it was in the very spirit of
> LyX, that some users provide their binaries for other users without
> predefining every interacting software.

> ./configure --with-qt-dir=/usr/share/qt4 --enable-optimization=-O3
> --prefix=/usr/local

At least you chose /usr/local which will prevent some of the worst breakage.

To be clear there are two sides of the story to consider:

a) The social/trust problem

There's someone providing binaries built on an unknown system under unknown
conditions and you have to install those binaries as superuser. So someone I
don't know and by definition don't trust will do things with superuser
rights. That can't be good. You don't have to be evil but you or your tool
might do something bad.

I vaguely remember that someone last year noticed that people included his
repository of 3rd party Ubuntu packages in generic sources.list files passed
around in forums/mailing lists. So he decided to make the naive people using
those lists aware of the problem and provided a wallpaper upgrade for the
user desktop with a big warning. It made some press at that time but sadly I
don't remember the name of the guy but I guess with some proper search terms
you should be able to find it.

The problem is very similar here. I would be surprised if Juergen unpacked
the provided packages to check at least the maintainer scripts for some evil
code. That still would not prove that you did not modify the LyX source.

b) Technical problems

ba) You're breaking the upgrade path.

Let's say under bad conditions the next Debian stable release will be
delivered with LyX 1.5.3 packages. What do you guess happens on a system with
etch running your packages on the upgrade? Bingo, nothing for the LyX package
because it has the same version number. So there will be users with an
untrusted package compiled with some completely different libs not matching
their current system.

bb) Maintainer scripts have a reason

If you take a look at the diff.gz of the Debian packages you'll find out that
there are maintainer scripts for post/pre install execution. That these
scripts exist has a reason and the reason is not that the package maintainers
like to add some strange scripts to make their packages look cool.

For example somebody doing QA work recently noticed that we've left an
/etc/lyxrc file on the system with the 1.4.x->1.5.x upgrade which should not
happen. So we're now cleaning up behind us with a maintainer script which is
of course bound to special versions. You'll break if you install your current
package and try to upgrade it at a later point to a Debian version again. In
this case it's only an unused old file but it could of course be anything
more important. Another example might be the execution of texhash to
integrate the beamer files correctly.

bc) Dependencies don't exist for fun.

Dependencies are very near at the heart of any kind of package management
system. If you provide a package without proper dependencies you're messing
in a very sensitive area which is prone to cause subtle problems. Libs change
from time to time and you don't even notice that and your package manager
can't even warn you.

bd) i386? And where is the rest?

Even Debian backports builds for more than i386 and amd64 so people can
choose and use the same package on every architecture. So this is no
advantage at this point where I can't provide amd64 builds on my own but it's
part of the technical reason why I hesitate to provide packages on my own.
I've only recommended Emilio's repository because I don't see a sponsor for a
backports.org upload in the near future and I would've preferred to not
actually link here to Emilio's packages for this reason.

So my conclusion is: Don't ever install checkinstall packages! Use a proper
backport! I didn't announce Emilio's backport here for a subset of the
reasons I listed above and in the mail before but they're a much better
choice now that this checkinstall story found its way onto the list.

Of course everyone should be free to decide what he would like to do. I won't
write mails to Juergen to get the checkinstall crap removed from ftp.lyx.org
or something similar but everyone should know about the pros and cons.

At least I don't see any benefit in the checkinstall crap but I might be one
of the rare cases of users who used one installation for seven years with
several hardware changes. If you'd like to reinstall a clean system with
every stable release of your distribution of choice go ahead and use broken
packages.

Cheers,
Sven

-- 
There's no need for tears, cause there's no need to cry.
That love that you leave will never be denied.
[ Flogging Molly - Laura ]
Gebuehrenboykott 2008 BU WTAL http://www.boykott-wuppertal.de
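
The pre-install check mentioned under a) and the missing-dependency problem under bc), as an added example that is not part of the original mail: Python code that opens a .deb without installing it and reports its control fields and maintainer scripts. The sample package, its field values and all function names are constructed for illustration.

```python
import io
import tarfile

SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the .deb container)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are aligned to 2 bytes

def audit_deb(blob):
    """Return control fields and maintainer scripts; nothing is installed or run."""
    control = next(d for n, d in ar_members(blob) if n.startswith("control.tar"))
    report = {"fields": {}, "scripts": {}}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            base = member.name.split("/")[-1]
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if base == "control":  # skip blank and continuation lines
                report["fields"] = dict(l.split(": ", 1) for l in text.splitlines()
                                        if l[:1].strip() and ": " in l)
            elif base in SCRIPTS:  # these run as root at install/removal time
                report["scripts"][base] = text
    report["missing_depends"] = "Depends" not in report["fields"]
    return report

def _ar(name, data):
    head = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return head + data + (b"\n" if len(data) % 2 else b"")

def sample_deb():
    """Constructed package: no Depends field, one postinst script."""
    buf = io.BytesIO()
    files = (("./control", b"Package: lyx\nVersion: 1.5.3-1\nArchitecture: i386\n"),
             ("./postinst", b"#!/bin/sh\nldconfig\n"))
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return b"!<arch>\n" + _ar("debian-binary", b"2.0\n") + _ar("control.tar.gz", buf.getvalue())
```

On a Debian system, `dpkg-deb -e` and `dpkg-deb -f` give the same view of a package file.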