logo

blog

My little blog can’t be this cute! git clone https://hacktivis.me/git/blog.git
commit: f861371350094426f1a57a4b39aea4359f13f324
parent 5ff7d3602acbc348a78c1dc242ca446d615543ef
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Tue, 16 Aug 2016 08:42:02 +0200

articles/Repo-less packages, Docker, AppImage and others curl|sh: New article


Diffstat:


Aarticles/Repo-less packages, Docker, AppImage and others curl|sh.html27+++++++++++++++++++++++++++


Aarticles/Repo-less packages, Docker, AppImage and others curl|sh.shtml16++++++++++++++++


2 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/articles/Repo-less packages, Docker, AppImage and others curl|sh.html b/articles/Repo-less packages, Docker, AppImage and others curl|sh.html
@@ -0,0 +1,27 @@
+<h1>Repo-less packages, Docker, AppImage and others curl|sh</h1>
+<p>Seriously, after <a href="http://breizh-entropy.org/wiki/systemd">SystemD</a>OS, what could I except for thoses LazyUSERS trying to act as system-admin (sorry to people that need to work with thoses tools).</p>
+<p>I know theses tools can help thoses that doesn’t want/know-how to do sys-admin, but seriously. Most people do know how to use a package manager to install few apps. (Otherwise people would not use App Store, Android Market^W^WPlay Store and various organisations would not try to use them for whatever product).</p>
+<p>Also with this types of tools(I’ll call them lazy-pkgs) you reduce security to almost nothing. Yes, AppImage doesn’t use root privileges, it doesn’t make it unharmfull, it can still do damage (like bumblebee/optimus and steam removing everything in the home directory). Yes, docker binairies doesn’t directly use the kernel and already available tools, well how do you expect lazy-pkgs to manage security flaws? (Try to imagine another heartbleed, shellshock, …). I heard docker as a daemon(which looks like a systemd clone that works on top of systemd, how meta).</p>
+<p>For a simple comparison here is what package managers I met for a long time have:</p>
+<ol>
+	<li>Security updates (security.debian.org // unattended-upgrades, emerge -a @security, …)
+	<li>The Source/Binairies of the package
+	<li>For Binairies: How it’s builded
+	<li>Some patches and extra software (rc script, systemd-service.xml)
+	<li>Verification (hashes or better, OpenPGP)
+	<li>Dependencies (I know theses are horrible, but removing a warning light won’t remove the warning, otherwise just unplug your machine)
+	<li>Scripts for compiling, (un)installating, configuring, updating
+	<li>Meta-data (like description, homepage, issues, source code repository, …)
+	<li>Stability (in debian it’s per repo but in Gentoo it’s in the package ebuild)
+</ol>
+<p>And here is what lazy-pkg have(From what I’ve heard, as I don’t want theses.)</p>
+<ol>
+	<li>Binairies (poor BSDists)
+	<li>If not included, dependencies(on a specific repo, like alpine for docker)
+	<li>Some have verification (but mostly sucks)
+	<li>Scripts for compiling, (un)installating, configuring, updating (or even services/RC like docker)
+</ol>
+<p>Well, not hard to notice that it as many thing removed. Poor security, customisation and filesystem tidyness(as packages are no longer managed by a tool). It’s somewhat even worse than Windows (XP, dunno later versions) as with this horrible-ness you still had dependencies(.NET Framework, DirectX, VisualBasic, …) and you still could remove and choose a bit of what’s in your system. Now if the NSA, DGSI, GRU or any other government (secret) agency want a huge backdoor they just have to ask the maintainer, even less people would notice as it’s more obscure.</p>
+<p>Also, for the time being lazy-pkgs are being used by commonly trusted organisations. But what if non-trusted but mandatory(like drivers) organisations start using your tools like they so badly do with .deb and .rpm (and sometimes with tarballs)</p> 
+<p>I understand the idea of doing one package for tons of distros, but you’re doing it wrong. I think if you still want lazy-pkgs you should make/re-use a separate package manager(like pip for python, luarocks for lua, gem for ruby, …).</p>
+<p>Anyway stay with Blob, I’ll keep building everything from source (so I can verify it’s really Open-Source), even non-executables like documentation and keep blobs into a separate system and say that I want OpenPGP for the gentoo repo.</p>
diff --git a/articles/Repo-less packages, Docker, AppImage and others curl|sh.shtml b/articles/Repo-less packages, Docker, AppImage and others curl|sh.shtml
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+<!--#include file="/templates/head.shtml" -->
+		<title>Repo-less packages, Docker, AppImage and others curl|sh — Cyber-home of lanodan</title>
+		<link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate"></link>
+	</head>
+	<body>
+<!--#include file="/templates/en/nav.shtml" -->
+		<article>
+<!--#include file="/articles/Repo-less packages, Docker, AppImage and others curl|sh.html" -->
+		</article>
+		<a href="/articles/Repo-less%20packages%2C%20Docker%2C%20AppImage%20and%20others%20curl%7Csh.html">article only(plain HTML)</a>
+<!--#include file="/templates/en/footer.html" -->
+	</body>
+</html>