On Sat, 15 Mar 2003, Marcus Leonard wrote:
> Forgive me if this has been discussed in detail before; I'm new to
> this list, so I've been going through previous lists but haven't
> found anything yet that really addresses it (until I get flamed
> and told...)

No, no...this is perfect timing. The other flamewar I'm in on the list seems to be winding up. mharris just won't leave it well enough alone, keeps butting in ruining the whole aggressive flamewar feeling of the thread with "information" and "facts" and "reasonable opinions." But now yer here, so I can just flame you..before someone more civil and knowledgeable steps in and ruins my fun.

<snip>

> But with RH 8.0, package management seemed to go backwards.
> redhat-config-packages will pretty much only install off the
> CDs (don't yell - I said pretty much); no configurable FTP/HTTP
> repositories (that I'm aware of), no apparent acknowledgement
> of apt so far, etc. Most people appear to agree that the tool
> is too simple as it stands. There is a mismatch here: given
> that everything else in the distro is getting so polished, this
> lack seems conspicuous.

http://people.redhat.com/tcallawa/faq.html#apt-get

Red Hat's internal culture seems to be becoming more and more concerned about security and supportability all through its product offerings...including security with regard to 3rd package installs. I think the paragraph from that FAQ states the issues nicely...issues of security and trust. Should Red Hat make it easy for you to point and click your way to install or more importantly UPGRADE packages that don't live up to Red Hat's QA standard? I don't necessarily think so. Package automation tools can do a lot behind the scenes, replacing Red Hat packages that you may not be completely aware of, if you are a newbie, and that could very quickly lead to a system configuration Red Hat cannot provide support for.

If yer not a newbie, and know enough to understand the risks of upgrading to 3rd party packages in a blind automated way....then you probably know enough to go grab something like apt or yum or grab. I see no problem whatsoever having users, who want to customize their system and know enough to do it safely, go out on the internet and download ONE rpm by hand...and install ONE rpm by hand, to get a community based packaging tool up and running. I do have a problem, however, including a packaging tool like apt-get in Red Hat, and having someone like my mom try to use it to download a program she wants from some random apt repository, and having apt-get try to uninstall such core things as glibc and replace them with a non Red Hat version. Sounds funny, doesn't it. I've seen people show up in irc complaining about situations like that with apt, just recently in fact.

If Red Hat included apt in its distro, there would be an expectation that Red Hat would be able to support it and clean up after its messes, when it goes wrong or when it installs a trojaned application. You have to TRUST apt repository creators, and now I may TRUST them, and you may TRUST them... maybe Red Hat should NOT TRUST them, out of the box...if there is no way for Red Hat to be assured that the packages they provide meet a minimum QA specification.

Do you give the power users what they need? Or do you protect newbies with a bad downloading addiction from hurting themselves? Hmm...which is the better business model? I am hopeful that the Linux user community can step up and provide an addon package management solution that addresses some of the security and trust issues that current systems have.

http://fedora.mplug.org/

> Phoebe looks good (actually I'm pretty impressed overall),
> but I still wonder about the conspicuous absence of advanced
> package management. The other popular distros are conspicuous
> by their inclusion, often, of several packages that do the same
> thing.

I guess the other distros aren't as focused on security....shrug..you'd have to talk to them about it.

-jef
