[Gllug] Controversial Joel Spolsky article
Bruce Richardson
itsbruce at uklinux.net
Sun Dec 21 11:37:03 UTC 2003

On Sun, Dec 21, 2003 at 11:10:27AM +0100, John wrote:
> On Sat, 20 Dec 2003, Bernard Peek wrote:
>
> > In message <20031220172217.GA12987 at phaistos.bruce>, Bruce Richardson
> > <itsbruce at uklinux.net> writes
> >
> > That's another aspect of what Joel was talking about. Windows systems
> > are optimised to work without the need for a sysadmin. Linux on the
> > desktop is moving in that direction.
> >
>
> Indeed. This sounds interesting (haven't tried it myself)
> http://themes.freshmeat.net/articles/view/1049

The author has a good point, in that traditional packaging schemes don't
allow for user-installed software. Users on *nix systems have
traditionally simply unrolled tarballs into their own ~/src directories,
compiled them and installed them into their own ~/bin directories. A
packaging system that addresses the same needs would be interesting.

Beyond that, however, his argument is specious. The most misleading
part of it is the title, "Zero Install". This is intended to imply no
installation overhead, no administration overhead and that is simply not
true. The admin tasks have simply been moved from the sysadmin to the
user.

Most of the arguments on the page criticising traditional packaging
schemes are either not true, trivial or equally true of the "Zero
install scheme":

    "Scalability: The more software Debian provides, the longer it
    takes to update the packages list."

    This is equally true of the "Zero install" system and a very
    cheeky claim to make when the proposed system is only practical
    for users with broadband connections. For such users, updating
    the apt repository package lists is a matter of seconds. Otoh,
    if you have a slow dial-up connection then either option is time
    consuming. However, the packaging system means that the time is
    consumed in one go, minimised because apt can be downloading
    several packages simultaneously, during which time you can be
    doing other things. With Zero-install, that delay is simply
    moved to the very point where you don't want a delay - the time
    you decide to run the desired application.

    "You can't use Debian-packaged software on a Red Hat system"

    If the Zero-install packages are to be truly distribution
    independent then either they'll have to be statically compiled
    or require that all their library dependencies are also
    downloaded through the same system, significantly increasing the
    overhead of this scheme and introducing a lot of needless
    duplication. Even then, it doesn't eliminate all the possible
    conflicts and breakages.

    "Security and stability risk: Running anything as root is a
    security risk. If the Debian package for AbiWord contains
    malicious code (or just a simple bug), it will be running that
    code as root"

    Anyone who switches to the proposed scheme will be running most
    of their applications out of a cache in their home directory, so
    they've simply moved the whole security problem from one
    location to another. Their personal cache is going to be just
    as vulnerable to tampering by malicious code inserted into
    Zero-install packages.

    "APT is not scalable: Since every package is installed as root,
    every package must be carefully checked by a trusted Debian
    developer."

    If you only use the core system, yes. There are plenty of
    unofficial repositories that you can use at your own risk.
    With Zero-install, in contrast, every package is untrusted.
    You lose the ability to choose for yourself a small set of sites
    to trust and place yourself at the mercy of a vastly distributed
    and uncontrolled network.

    "Upgrading is very slow: Debian allows users to upgrade all
    their packages at once (with 'apt-get upgrade'). This allows
    users to keep up with security fixes and all the latest
    features. However, it requires downloading a vast amount of
    software, most of which won't be used before it's upgraded
    again."

    Half-truths and misunderstandings. Firstly, tracking security
    fixes rarely requires "vast" amounts of downloading; that's just
    self-serving exaggeration. Secondly, how does he know it won't
    be used? The whole point about malicious attacks is that you
    don't know when they will happen or what they will try and use.

I could go on, those pages are full of self-serving arguments and
distortions. The author is entirely unrealistic about the issues, the
problems and the drawbacks of the proposed solution (and obviously
simply doesn't understand some admin tasks). It's a shame, because
there are some good points amongst the guff.

--
Bruce
The ice-caps are melting, tra-la-la-la. All the world is drowning,
tra-la-la-la-la. -- Tiny Tim.