logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Let-distros-do-their-job.md (6179B)

    

  1. ---
  2. title: "Developers: Let distros do their job"
  3. date: 2021-09-27
  4. ---
  6. I wrote a post some time ago titled [Developers shouldn't distribute their own
  7. software][0], and after a discussion on the sr.ht IRC channel today, the topic
  8. seems worthy of renewed mention. Let's start with this: what exactly is a
  9. software distribution, anyway?
  11. [0]: https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html
  13. I use "software distribution" here, rather than "Linux distribution", because it
  14. generalizes better. For example, all of the major BSD systems, plus Illumos and
  15. others besides, are software distributions, but don't involve Linux. Some differ
  16. further still, sitting on top of another operating system, such as Nix or
  17. pkgsrc. What these systems all have in common is that they concern themselves
  18. with the *distribution* of *software*, and thus are a *software distribution*.
  20. An important trait of these systems is that they function independently of the
  21. development of the software they distribute, and are overseen by a third party.
  22. For the purpose of this discussion, I will rule out package repositories which
  23. are not curated by the third-party in question, such as npm or PyPI. It is no
  24. coincidence that such repositories often end up [distributing][1] [malware][2].
  26. [1]: https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
  27. [2]: https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
  29. Software distributions are often volunteer-run and represent the interests
  30. of the users; in a sense they are a kind of [union][3] of users. They handle
  31. building your software for their system, and come to the table with
  32. domain-specific knowledge about the concerns of the platform that they're
  33. working with. There are hundreds of Linux distros and each does things
  34. differently — the package maintainers are the experts who save you the
  35. burden of learning how all of them work. Instead of cramming all of your files
  36. into /opt, they will carefully sort it into the right place, make sure all of
  37. your dependencies are sorted upon installation, and make the installation of
  38. your software a single command (or click) away.
  40. [3]: https://en.wikipedia.org/wiki/Trade_union
  42. They also serve an important role as the user's advocate. If an update ships
  43. which breaks a bunch of other packages, they'll be in the trenches dealing with
  44. it so that the users don't face the breakage themselves. They are also the first
  45. line of defense preventing the installation of malware on the user's system.
  46. Many sideloaded packages for Linux include ~~telemetry~~ spyware or adware from
  47. the upstream distributor, which is usually patched out by the distribution.
  49. Distributions are also working on innovative projects at the scale of the entire
  50. software ecosystem, and are dealing with bigger picture things than you need to
  51. concern yourself with. Here are some things which they have already solved:
  53. - Automatic updates and dependency management
  54. - Universal cryptographic signatures for all packages
  55. - Worldwide distribution and bandwidth sharing via mirrors
  56. - System-wide audits of software installed on your machine
  57. - CVE management and patch distribution
  58. - Long-term support
  60. There are several areas of open research, too, such as reproducible builds or
  61. deterministic whole-system configuration like Nix and Guix are working on. You
  62. can take advantage of all of this innovation and research for the low price of
  63. zero dollars by standing back and letting distros handle the distribution of
  64. your software. It's what they're good at.
  66. There are a few things you *can* do to make this work better.
  68. - Ship your software as a simple tarball. Don't ship pre-built binaries and
  69.   definitely don't ship a "curl | bash" command. Naive users will mess up their
  70.   systems when they use them.
  71. - Use widely adopted, standard build systems and methodologies. Use the standard
  72.   approach for your programming language. They have already been through the
  73.   gamut of distros and their operating modes are well-understood by packagers.
  74. - [Ship good release notes][4]. Distro packagers read them! Give them a head's
  75.   up about any important changes which might affect their distro.
  76. - Be picky with your dependencies and try to avoid making huge dependency trees.
  77.   Bonus: this leads to better security and maintainability!
  78. - Maintain a friendly dialogue with distro maintainers if and when they come
  79.   asking questions. They're the expert on their distro, but you're the expert on
  80.   your software, and sometimes you will meet to compare notes.
  82. *See also: [FOSDEM 2018 - How To Make Package Managers Cry](https://archive.fosdem.org/2018/schedule/event/how_to_make_package_managers_cry/)*
  84. [4]: https://drewdevault.com/2021/05/19/How-to-write-release-notes.html
  86. One thing you shouldn't do is go around asking distros to add your program to
  87. their repos. Once you ship your tarballs, your job is done. It's the *users* who
  88. will go to their distro and ask for a new package. And users — do this! If
  89. you find yourself wanting to use some cool software which isn't in your distro,
  90. go ask for it, or better yet, package it up yourself. For many packages, this is
  91. as simple as copying and pasting a similar package (let's hope they followed my
  92. advice about using an industry-standard build system), making some tweaks, and
  93. building it.
  95. Distros are quite accessible projects, packaging is usually not that difficult.
  96. Distributions always need more volunteers, and there are plenty of friendly
  97. experts at your local distro who would be pleased to help you figure out the
  98. finer details, assuming you're prepared to stand up and do the work yourself.
  99. Once you get used to it, making and submitting a new package can take as little
  100. as 10 or 15 minutes for a simple one.
  102. Oh, and if you are in the developer role — you are presumably also a user
  103. of both your own software and some kind of software distribution. This puts you
  104. in a really good position to champion it for inclusion in your own distro :)
  106. ---
  108. P.S. Systems which invert this model, e.g. Flatpak, are completely missing the
  109. point.