[conspire] Why to use packages if you can -- and reasons you might not

Rick Moen rick at linuxmafia.com
Fri Jan 14 16:19:21 PST 2005


Quoting Barton L. Phillips (barton at applitec.com):

> What are your thoughts on source packages? I have had to use several 
> source packages that just didn't seem to be available as binary.


Here's the rest of the e-mail thread that prompted that question:


From rick Thu Jan 13 09:36:25 2005
Date: Thu, 13 Jan 2005 09:36:25 -0800
To: Karsten Self <kmself at ix.netcom.com>
Cc: barton at applitec.com
Subject: Afterthought about user "education"
X-Mas: Bah humbug.
User-Agent: Mutt/1.5.6+20040722i

Karsten --

Just trying to complete a thought I was trying to convey to you,
earlier.  Many outsiders to Linux, including that guy yesterday who
wrote to argue with my virus essays (whom, what the hell, I'm CCing),
will reject out of hand the notion of casual users becoming enlightened
or helped through contact with the Linux community.  I discovered this
for myself when people started creatively misreading essays #virus
through #virus4 , and objecting:

"How can you say Linux won't develop malware problems as bad as those of
Windows as soon as there are significant numbers of naive users?
They'll do any old stupid thing, at any time and always."

My first pass at an answer was:  They'll enjoy default protections much
better than those in Windows, enforced by the technology and the
culture, which are mutually reinforcing.

Problem is:  the listeners reject out of hand the notion of being
educated by "culture", without really quite comprehending what I'm
saying.  They visualise some itinerant longhair Unix geek in sandals
going around preaching in malls:  Can't work, y'see.

But that's, of course, _not_ what I'm talking about, when I use the word.
I'm referring to attitudes and system philosophies that persist because
they _are_ culturally established in the developer and technical user
community, but more important, because they are so well established
there, are written into -- pervade -- the way the system works, a system
that by design is written to make it significantly more difficult and
significantly less natural to do the wrong, risky thing than to do the
right, less risky thing.

Handy example:  the extreme convolutions one must go through in order to
run an executable program a net.random sends you in the mail (never mind
with root authority), given the assumption that one has a daft
inclination to do so.  And other examples can be found throughout the
system, thanks to the systematic differences inside *ix systems compared
to Windows ones that are summarised at the end of #virus5 and best
(to my knowledge) detailed in the Petreley study.

But, of course, everyone does at least one security screw-up.  *ix
people are, by and large, the ones with the effective recovery, coping,
and improvement mechanisms -- and information resources to help avoid
recurrences.  ("Boy, you completely ignored your system maintenance
regime and installed some 'great program' just because you got mail from
a net.random telling you to su to root and run it?  Wow, that's a big
hole you shot in your foot.  Care to learn how to aim elsewhere?")


This morning, in any event, I just had a follow-up realisation:
Encountering corrective guidance from the Linux community doesn't
require itinerant beatniks in shopping malls.  The Linux community is
busy blabbing all over the Net, bloody well all night and all day.  With
everything documented, mirrored, discussed, and FAQed to a
fare-thee-well.  Even underemployment and massive sleep deficits
couldn't shut us the hell up.

My point?

The "culture" is _only as far away as your nearest Google search_ --
anywhere on the planet.  Hell, _not_ encountering and being helped by
the Linux community (with or without being explicitly aware of that
happening)?  That would pretty much require living in a cave!





Date: Thu, 13 Jan 2005 21:29:20 -0800
From: "Karsten M. Self" <kmself at ix.netcom.com>
To: Rick Moen <rick at linuxmafia.com>
Cc: Karsten Self <kmself at ix.netcom.com>, barton at applitec.com
User-Agent: Mutt/1.5.6+20040907i
Subject: Re: Afterthought about user "education"

on Thu, Jan 13, 2005 at 09:36:25AM -0800, Rick Moen (rick at linuxmafia.com) wrote:
> Karsten --
>
> Just trying to complete a thought I was trying to convey to you,
> earlier.  Many outsiders to Linux, including that guy yesterday who
> wrote to argue with my virus essays (whom, what the hell, I'm CCing),
> will reject out of hand the notion of casual users becoming enlightened
> or helped through contact with the Linux community.  I discovered this
> for myself when people started creatively misreading essays #virus
> through #virus4 , and objecting:
>
> "How can you say Linux won't develop malware problems as bad as those of
> Windows as soon as there are significant numbers of naive users?
> They'll do any old stupid thing, at any time and always."
>
> My first pass at an answer was:  They'll enjoy default protections much
> better than those in Windows, enforced by the technology and the
> culture, which are mutually reinforcing.

Structural advantages, yes.

> Problem is:  the listeners reject out of hand the notion of being
> educated by "culture", without really quite comprehending what I'm
> saying.  They visualise some itinerant longhair Unix geek in sandals
> going around preaching in malls:  Can't work, y'see.
>
> But that's, of course, _not_ what I'm talking about, when I use the word.
> I'm referring to attitudes and system philosophies that persist because
> they _are_ culturally established in the developer and technical user
> community, but more important, because they are so well established
> there, are written into -- pervade -- the way the system works, a system
> that by design is written to make it significantly more difficult and
> significantly less natural to do the wrong, risky thing than to do the
> right, less risky thing.

I take this a bit further, and there's some of this in the
"WhyDebianRocks" TWikIWeThey page:

    http://twiki.iwethey.org/Main/WhyDebianRocks

Specifically for Debian:  the culture is embedded in the project's
Policy, and via policy, in the tools and architecture of the
distribution itself.

I also address this in the "Some cultural observations" section of that
essay:

    The short version of this section is: adware / spyware / malware is
    the logical outcome of the competitive, proprietary software market
    of the past several decades. The system has promoted cut-throat
    competition, and by gum, it's got it. This is in marked contrast to
    a more cooperative model adopted elsewhere.  The rest being the
    longer story.

    ...

    It's a maxim of incentive systems that you get the behavior you
    reward, and currently, that's aiming for the desktop or user's
    eyeballs, no matter what.  And marketing execs (in this narrow scope
    at least) are rational animals.

As the essay continues:  Debian's policy specifies behaviors which are
and are not allowed of packages and their installation / removal
routines.  And this is critical:

   Policy violations are release critical bugs which will exclude a
   package from a stable release.

(I *know* you know this Rick, it's largely for barton's benefit).

Which is great if users restrict themselves to installing software from
within the archive.  As I argue, they've got a lot of reasons to do so,
and software developers have a lot of incentive to get their software
into the archive.  As I note, with few exceptions, the Debian project
itself doesn't have a horse in the race, and third-party developers find
it beneficial to cooperate on allowing software to be packaged for the
system.

Net effect:  very few Debian users install much if any software outside
the packaging system.  Speaking for myself:

  - RealPlayer.  It sucks, but is emblematic of problems imposed by
    rights restrictions on digital audio/video media.  Installed from
    vendor's RPM via 'alien'.  Actually ran into a package conflict on
    one system and nuked RP as a consequence.

  - Flash player.  Vendor installation script.

  - mplayer.  Actually a third-party DEB.  If you'll note a theme, all
    of these tools are A/V players, a class of software grossly affected
    by constraints imposed by A/V commercial interests such as the RIAA
    -- a transparent mask for Sony (Japan), EMI (England), Warner (USA),
    BMG (Germany), Universal (France), the so-called American recording
    industry, to hide behind -- and MPAA.  Mplayer suffers from patent
    encumbrances and is excluded from the primary (or even non-US)
    Debian archives.

  - XPde.  This is a GNU/Linux desktop designed to emulate the legacy MS
    Windows XP desktop.  I track it periodically just to track
    development.  Impressions, you ask?  Progress has been slow, and as
    a migration tool its utility is decidedly limited.  Google 'uncanny
    valley' for an analogous principle, and IMO the weakness of such
    blatant aping of alien interfaces.  Neat as a novelty tool though:

      http://linuxmafia.com/~karsten/Images/XP-screen.png

  - BrowseX[1] A Tk/Tcl GUI web browser.  I maintain an
    (aging) FAQ on GNU/Linux web browsers.  BrowseX is a self-contained
    binary useful on small systems.

Otherwise, any non-Debian software on my system is of my own writing,
largely scripts of various description.

While n00bs might not so _consciously_ opt to avoid installation of
random third-party software, the fact remains that it's vastly more
convenient to install and maintain software through Debian's own package
management system.  And this suffices for 99.736% of my software needs.



> Handy example:  the extreme convolutions one must go through in order to
> run an executable program a net.random sends you in the mail (never mind
> with root authority), given the assumption that one has a daft
> inclination to do so.  And other examples can be found throughout the
> system, thanks to the systematic differences inside *ix systems compared
> to Windows ones that are summarised at the end of #virus5 and best
> (to my knowledge) detailed in the Petreley study.

...and while a program _could_ emerge which did execute arbitrary code,
it would:

  - Find itself discussed as a security risk on numerous distro's own
    package management teams.

  - Likely be excluded from inclusion based on security issues.

  - Be faced with the option of modifying functionality _or_ finding
    other means of distribution.

  - Do all of the above while competing with free, superior, and more
    highly recommended alternatives.

While a proprietary alternative _might_ find itself with marketing
muscle sufficient to overcome some of these hindrances, it would be an
expensive prospect to little immediate benefit.  Microsoft could pull
off the trick, but few other players could.

> This morning, in any event, I just had a follow-up realisation:
> Encountering corrective guidance from the Linux community doesn't
> require itinerant beatniks in shopping malls.  The Linux community is
> busy blabbing all over the Net, bloody well all night and all day.  With
> everything documented, mirrored, discussed, and FAQed to a
> fare-thee-well.  Even underemployment and massive sleep deficits
> couldn't shut us the hell up.
>
> My point?
>
> The "culture" is _only as far away as your nearest Google search_ --
> anywhere on the planet.  Hell, _not_ encountering and being helped by
> the Linux community (with or without being explicitly aware of that
> happening)?  That would pretty much require living in a cave!

Yeah, but it's more than even that, Rick.  The culture pervades the
architecture, the project dynamics, tools, packaging, and practices.
*And* there's an environment in which software which opposes the culture
finds itself with major hurdles to distribution and acceptance.

Not a 100% secure proof, but a damned good start.


Peace.

--------------------
Notes:

1.  *Not* BrowSex.

--
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Free Software Primer -- concepts you need to understand
    http://twiki.iwethey.org/Main/FreeSoftwarePrimer






Date: Fri, 14 Jan 2005 12:53:00 -0800
From: Rick Moen <rick at linuxmafia.com>
To: "Karsten M. Self" <kmself at ix.netcom.com>
Cc: barton at applitec.com
Subject: Re: Afterthought about user "education"
X-Mas: Bah humbug.
User-Agent: Mutt/1.5.6+20040722i

Quoting Karsten Self (kmself at ix.netcom.com):

> While n00bs might not so _consciously_ opt to avoid installation of
> random third-party software, the fact remains that it's vastly more
> convenient to install and maintain software through Debian's own
> package management system.  And this suffices for 99.736% of my
> software needs.

This was my main point, and applies equally for all other distributions
with functional package management.

The more path-of-least-resistance and routine the package regimes
become, the more suggestions to retrieve software from non-standard,
dubious locations, outside the package regime (_and_ install it as root)
tend to stand out as peculiar and suspicion-worthy.  People who go out of
their way to do that, and blow up their systems, will eventually
realise that systems never thus treated keep running smoothly.

Because running a compromised, zombified system isn't _normal and accepted_
on our platform, screwups stand out, and notable hazards get rooted out.



Helping you out, a bit:

>   - RealPlayer.  It sucks, but is emblematic of problems imposed by
>     rights restrictions on digital audio/video media.  Installed from
>     vendor's RPM via 'alien'.

FYI, there's a much better strategy:  Do it via debs.  Instructions
are on "RealPlayer" on http://linuxmafia.com/kb/Apps/AV/ -- covering
both the RP8/RP9 player and its recent RP10 successor.

RP10, interestingly, consists mostly of code under the OSI-approved
(and vaguely MPL-like) RealNetworks Public Source License, plus some
binary-only proprietary modules -- the latter differentiating it from
the all-RPSL Helix DNA Client player.



>   - Flash player.  Vendor installation script.

Which you should _not run_.  Instead, install Debian package
flashplugin-nonfree, which will yank down Macromedia's flash_linux.tar.gz
and install its contents in Debianised fashion without running the
vendor script (and ensuring that the package system knows of it).

>   - mplayer.  Actually a third-party DEB.

FYI, just in case you didn't know that Christian Marillat's
marillat.free.fr repository is gone, it is -- but there's a replacement
site at ftp://ftp.nerim.net/debian-marillat/ .




> If you'll note a theme, all of these tools are A/V players, a class of
> software grossly affected by constraints imposed by A/V commercial
> interests such as the RIAA -- a transparent mask for Sony (Japan), EMI
> (England), Warner (USA), BMG (Germany), Universal (France), the
> so-called American recording industry, to hide behind -- and MPAA.
> Mplayer suffers from patent encumbrances and is excluded from the
> primary (or even non-US) Debian archives.

mplayer also suffers a prohibitive licence-conflict problem.  Otherwise,
all the A/V packages you cite are known to not sabotage system behaviour
and security.

(People were justly suspicious of the RP player engine for a long time,
which is one reason people snagged the codec libraries and used them in
mplayer/i386:  A mere binary-only codec is less likely to do mischief.)


>   - XPde.

Sole obstacle to Debian inclusion would be fears of look-and-feel
copyright litigation, which since Lotus v. Borland and Apple v.
Microsoft judgements have been less of a threat, being better understood
and less open to worries about scope.  But no Debian developer has sent
an intent to package, so it hasn't come up (either not their cuppa, or
too beta, would be my guess).
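The thread's recurring point is that software landing on a system outside the package regime is the thing to notice. The following is an added example, not code from this thread or from Debian: a small POSIX shell audit that lists executables in a directory which no installed package claims, using `dpkg-query -S` (the `DPKG_QUERY` override and the directory argument are assumptions made so it can be exercised without a real Debian system).

```shell
#!/bin/sh
# Added example: report executables that the Debian package database does
# not know about, i.e. things installed outside the package regime.
# Assumes dpkg-query is on the PATH; DPKG_QUERY can be overridden
# (used here so the functions can be tested with a stub).
: "${DPKG_QUERY:=dpkg-query}"

# Return 0 if some installed package owns the given path, 1 otherwise.
# dpkg-query -S exits non-zero when no package matches the path.
path_is_packaged() {
    "$DPKG_QUERY" -S -- "$1" >/dev/null 2>&1
}

# Print, one per line, the regular user-executable files directly under
# directory $1 that no installed package owns.
untracked_executables() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -perm -100 2>/dev/null | sort |
    while IFS= read -r f; do
        path_is_packaged "$f" || printf '%s\n' "$f"
    done
}

# Number of untracked executables under $1, handy for a cron health check
# (a non-zero count is the "peculiar and suspicion-worthy" signal).
count_untracked() {
    untracked_executables "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./audit.sh /usr/local/bin
if [ -n "${1:-}" ]; then
    untracked_executables "$1"
fi
```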
