Zero Install

Thomas,

Thanks a lot for your work on 0install in general and for this table in 
particular. Would be nice to have Klik as a installation system also, 
but I know that you have little time. I can help you with voluntary 
spanish translations of your pages (have you considered a license for 
the documentation in web pages, diagrams and so on?. I would advice you 
the creativecommons atribution share alike), but may be you're a more 
authoritative source for comparation with Klik (you can use it from 
Kanotix Live CD if no have enougth time for a hard disk install).

Cheers,

Offray

Thomas Leonard wrote:

>As people often ask how Zero Install compares with other systems, I've
>put up a table showing the features of source tarballs, APT,
>autopackage, Java Web-start, the Zero Install filesystem and the
>injector:
>
>	http://0install.net/matrix.html
>
>Obviously, these things tend to be a bit biased (both in terms of what
>features you choose to compare, and of what you consider to be a 'pass')
>but I think it gives the general idea.
>
>Please send any complaints that I've got something wrong here and I'll
>update it.
>
>
>  
>

On Wed, Sep 21, 2005 at 06:04:48PM +0200, Ivan Popov wrote:
[ matrix ]
> you did not mention Konvalo, which somehow qualifies for "yes" on all rows
> (given Coda filesystem availability, which itself is the root user decision)

Added. I put "Non-root install of system" as "No", as I don't think you
can use it on any normal default Linux install (i.e, a typical Linux
user can't use Konvalo without having root access).

Could you explain the security system in more detail? I don't quite
understand coda's system (clog authenticates clients, doesn't it?).
Unfortunately, code-client won't install at the moment so I can't test
it :-(

In particular:

- If konvalo.org was using digital signatures, could a user on a clean
  (but coda-enabled) system access it securely without needing root
  access?
  
- If they could, would this affect other users? How do users decide
  whether to trust a particular key?

> Another, less important issue :-)
> a typo? : "with systems" should be probably "which systems"?

Fixed! Thanks,


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1

On Wed, Sep 21, 2005 at 06:25:18PM +0000, Offray Vladimir Luna Cárdenas wrote:
> Thomas,
> 
> Thanks a lot for your work on 0install in general and for this table in 
> particular. Would be nice to have Klik as a installation system also, 
> but I know that you have little time.

Done. Could someone check it? As with the last time I tried to
investigate klik, the site is down! In particular, how does upgrading
work?

> I can help you with voluntary spanish translations of your pages (have
> you considered a license for the documentation in web pages, diagrams
> and so on?. I would advice you the creativecommons atribution share
> alike),

I'll add a license note. CC is what I use for rox.sf.net, so it should
be fine here too. Do you want to host the translated pages yourself or
on sourceforge?


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1

Mr. Leonard,

     It might also prove useful to have a comparison for "Applications may=
=20
be used offline after initial use"

On Thu, 22 Sep 2005, Thomas Leonard wrote:

> On Wed, Sep 21, 2005 at 06:25:18PM +0000, Offray Vladimir Luna C=C3=A1rde=
nas wrote:
>> Thomas,
>>
>> Thanks a lot for your work on 0install in general and for this table in
>> particular. Would be nice to have Klik as a installation system also,
>> but I know that you have little time.
>
> Done. Could someone check it? As with the last time I tried to
> investigate klik, the site is down! In particular, how does upgrading
> work?
>
>> I can help you with voluntary spanish translations of your pages (have
>> you considered a license for the documentation in web pages, diagrams
>> and so on?. I would advice you the creativecommons atribution share
>> alike),
>
> I'll add a license note. CC is what I use for rox.sf.net, so it should
> be fine here too. Do you want to host the translated pages yourself or
> on sourceforge?
>
>
> --
> Dr Thomas Leonard=09=09http://rox.sourceforge.net
> GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server.
> Download it for free - -and be entered to win a 42" plasma tv or your ver=
y
> own Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Zero-install-devel mailing list
> Zero-install-devel@...
> https://lists.sourceforge.net/lists/listinfo/zero-install-devel
>

Hello Thomas,

On Thu, Sep 22, 2005 at 03:42:03PM +0100, Thomas Leonard wrote:
> Added. I put "Non-root install of system" as "No", as I don't think you
> can use it on any normal default Linux install (i.e, a typical Linux
> user can't use Konvalo without having root access).

it is fair to write "no" in the current reality where Coda client
is not running on an average default installation. Otherwise
Konvalo itself has no relation to the host (and its superuser).

> Could you explain the security system in more detail? I don't quite
> understand coda's system (clog authenticates clients, doesn't it?).

Each user normally has a Coda token for each Coda realm she accesses.
The tokens are to be acquired in advance, by the clog command, and are valid
usually for about 24 hours.

One of the modes of clog is to use an ssl connection to fetch an
"anonymous" token without having an account at the corresponding realm.
At that step the user explicitely verifies the authenticity of the realm
by using a corresponding public key.

Software is as trustworthy as the Coda realm which offers it.
For the moment it is not possible to "mirror" software offered via
Konvalo, and it is unclear whether there will be a real need for that
(or may be that can be totally delegated to the filesystem's internal
optimizations, like (hypothetical) inter-client cache sharing).
So, no need for signing programs themselves.

> Unfortunately, code-client won't install at the moment so I can't test
> it :-(

Do you mean http://www.konvalo.org/pub/coda-client-setup ?
It should work virtually everywhere, except for older or 64-bit Linux kernel.
(I know of one exception - RedHat Enterprise Linux does not include Coda
kernel module, but that's a bug in RHEL).

> - If konvalo.org was using digital signatures, could a user on a clean
>   (but coda-enabled) system access it securely without needing root
>   access?

Sure.

> - If they could, would this affect other users? How do users decide
>   whether to trust a particular key?

A user decides to trust a certain Coda realm, fetches its public key
certificate and stores it somewhere in her home directory, also instructing
clog to fetch the realm's token by default. The latter implies editing
 .codafs/clog/pref file.

Then each "clog" will renew the token for that realm.

Not used yet in practice, though.

Thanks Thomas!
--
Ivan

On Thu, Sep 22, 2005 at 07:21:10PM +0200, Ivan Popov wrote:
[...]
> > Unfortunately, code-client won't install at the moment so I can't test
> > it :-(
> 
> Do you mean http://www.konvalo.org/pub/coda-client-setup ?

No, the debian package:

$ apt-get install coda-client
  coda-client: Depends: libfltk1.1c102 (>= 1.1.6) but it is not installable

I'll try again in a few days.

[ security ]

> Not used yet in practice, though.

Sounds promising. I've listed it as 'in theory' for now.

With the Zero Install filesystem being largely unmaintained now, it
probably makes sense to deprecate it in favour of Konvalo (since they
clearly do exactly the same thing).


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1

Thomas Leonard wrote:


[...]

>Done. Could someone check it? As with the last time I tried to
>investigate klik, the site is down! In particular, how does upgrading
>work?
>
>  
>
Thanks a lot. :)

>>I can help you with voluntary spanish translations of your pages (have
>>you considered a license for the documentation in web pages, diagrams
>>and so on?. I would advice you the creativecommons atribution share
>>alike),
>>    
>>
>
>I'll add a license note. CC is what I use for rox.sf.net, so it should
>be fine here too. Do you want to host the translated pages yourself or
>on sourceforge?
>
>
>  
>
I can host the translated pages. I will be making some noise here, as 
soon as I can get some work done on that and will keep you informed on 
the new work.

Cheers,

Offray

Something that isnt mentioned is OS support. Injector works on virtually
any posix OS's that has python. Most of the other package systems listed
only works on Linux, afaik.

---
Lars Hansson

Hi all,

Its nice to see this comparison happen. I think tha this shows an 
academic aproach in 0install, trying to see the "state of art" and 
seeing what is similar and where is a pertinent research and innovation 
going on.

IMHO from the point of view of the user experience, the three systems 
based on the idea of App Dirs (0install, klik and autopackages) have 
nice offerings to the user. Would be nice to have some of the integrated 
in 0install, wich is in my point of view, the best in the architecture.

* When somebody downloads an execute an autopackage app for first time, 
the system get some of the thing needed for all autopackages for being 
installed and that are part of the autopackage system. Would be nice 
that if someone makes "click" on a 0install uri, the system downloads 
and install the components (for example the injector and install it with 
python). I know that one doesnt make click in a uri in 0install but this 
brings me in the following point.

* To have a Web based interface for 0install uri would make a lot of 
sense in the contex of a "Web of software", something similar to Klik. 
So, we have a Web pages with screenshots and text describing apps and an 
uri with some text "click here to execute this app". When the user click 
there, the 0launch program is lauched with the parameters of this URI 
and the all the magic of injector about versions, dependencies and so on 
comes in the escene without any concern for the user.

* Recipes that "migrate" debs and rpms to klik system would be nice for 
0install. I suppose that there is more exigence in packaging in 0install 
fashion that in a klik or even deb/rpm way, so I dont know if this is 
posible.

May be getting this escenary its more a work for being made on the 
browser in the form of a firefox extension that knows how to make sense 
of the 0install uri data and even install injector in "user space", but 
I want to use this thread as an excuse to think in public about the 
subject ;-)

Thanks a lot,

Offray

Lars Hansson wrote:

>Something that isnt mentioned is OS support. Injector works on virtually
>any posix OS's that has python. Most of the other package systems listed
>only works on Linux, afaik.
>
>---
>Lars Hansson
>
>
>-------------------------------------------------------
>SF.Net email is sponsored by:
>Tame your development challenges with Apache's Geronimo App Server. 
>Download it for free - -and be entered to win a 42" plasma tv or your very
>own Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
>_______________________________________________
>Zero-install-devel mailing list
>Zero-install-devel@...
>https://lists.sourceforge.net/lists/listinfo/zero-install-devel
>
>  
>