top | item 38470000

puppetmaster | 2 years ago

The Achilles heel of package managers isn't consistency, but lack of packages.

I appreciate the benefit of distro-agnostic package management, but unless you rely on a portable toolchain or distribute statically linked binaries exclusively, we fall short of the panacea of portability (many other options are available, yes, but packages are needed!)

I have personally leveraged pkgin[1] for consistency. I can simply drop pkgsrc[2] in my home directory and use the same tools in *bsds, smartos, linux, macos and cheese.

[1] https://pkgin.net/ [2] https://www.pkgsrc.org/

edit: being more specific

azathothas | 2 years ago

Hi, I am the package maintainer for https://github.com/metis-os/hysp-pkgs (The default source that's shipped with hysp)

To address your concerns:

1. Yes, no portable toolchains or any other kinds of dependencies are required.

2. Each and every single binary is statically compiled. This is the core philosophy of Hysp: a single binary that runs anywhere.

3. Currently, there are about 200 pkgs each for x86_64 and arm64. The upstream source (https://github.com/Azathothas/Toolpacks) has over 400 for x86_64 and 300+ for arm64, which will slowly be added to Hysp-Pkgs.

4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
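Points 2 and 4 above describe two properties a user would want to check for themselves before trusting a downloaded package: that the file really is a loader-free static binary, and that it matches a digest obtained out of band (for example from a self-hosted package source). The following is an added example, not code from hysp or hysp-pkgs, showing how such a check can be done by parsing the ELF program headers and comparing a SHA-256. The ELF images it inspects are constructed inline as test input (they are header-only and not runnable programs), so the script runs offline; the function and variable names are the example's own.

```python
"""Check a downloaded "portable" binary: does it need a dynamic loader, and does its
SHA-256 match a digest obtained out of band (e.g. from a package index you host)?"""
import hashlib
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
ELFCLASS32, ELFCLASS64 = 1, 2


def elf_linkage(blob: bytes) -> str:
    """Classify an ELF image by its program headers.

    PT_INTERP means the kernel must hand the file to a dynamic loader (ld.so),
    so it is NOT self-contained. PT_DYNAMIC without PT_INTERP is a static-PIE
    that relocates itself. Neither present means a classic fully static binary.
    Handles ELF32/ELF64 in either byte order; raises on anything malformed.
    """
    if len(blob) < 52 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown EI_DATA %d" % ei_data)
    if ei_class == ELFCLASS64:
        (e_phoff,) = struct.unpack_from(end + "Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 54)
    elif ei_class == ELFCLASS32:
        (e_phoff,) = struct.unpack_from(end + "I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 42)
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    if e_phnum == 0 or e_phoff + e_phnum * e_phentsize > len(blob):
        raise ValueError("program header table missing or truncated")
    # p_type is the first field of a program header in both ELF classes.
    types = {struct.unpack_from(end + "I", blob, e_phoff + i * e_phentsize)[0]
             for i in range(e_phnum)}
    if PT_INTERP in types:
        return "dynamic"
    if PT_DYNAMIC in types:
        return "static-pie"
    return "static"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_package(blob: bytes, expected_sha256: str) -> tuple:
    """Return (True, linkage) only if the digest matches AND no loader is needed;
    otherwise (False, reason). The digest must come from a channel you trust,
    not from the same place the binary was downloaded from."""
    actual = sha256_hex(blob)
    if actual != expected_sha256.lower():
        return (False, "sha256 mismatch: got %s" % actual)
    try:
        linkage = elf_linkage(blob)
    except ValueError as exc:
        return (False, "not a usable ELF: %s" % exc)
    if linkage == "dynamic":
        return (False, "has PT_INTERP: needs a dynamic loader, not portable")
    return (True, linkage)


# --- constructed test images (header + program headers only, not real programs) ---
def _elf64(phdr_types):
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0x401000,
                       64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


def _elf32(phdr_types):
    ident = b"\x7fELF" + bytes([ELFCLASS32, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000,
                       52, 0, 0, 52, 32, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0x8048000, 0x8048000, 0, 0, 5, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


STATIC_ELF = _elf64([PT_LOAD, PT_LOAD])
STATIC_PIE_ELF = _elf64([PT_LOAD, PT_DYNAMIC])
DYNAMIC_ELF = _elf64([PT_LOAD, PT_INTERP, PT_DYNAMIC])
STATIC_ELF32 = _elf32([PT_LOAD])

if __name__ == "__main__":
    for name, img in [("static", STATIC_ELF), ("static-pie", STATIC_PIE_ELF),
                      ("dynamic", DYNAMIC_ELF), ("static32", STATIC_ELF32)]:
        print(name, verify_package(img, sha256_hex(img)))
```

On a real system the same classification is what `file` prints as "statically linked", "static-pie linked" or "dynamically linked"; the point of doing it in code is that the check can run in a package-source mirror before anything is published, and fail closed when the digest or the linkage is not what the index claims.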

puppetmaster | 2 years ago

Hey, thanks for replying! I had missed the static binary detail, and it is by far the most sensible solution.

Regarding the packages, those are very respectable numbers... But who is maintaining them? It takes a lot of effort to keep a repo up to date, with patches both functional and security related. In most distros this is a full-time job for a group of people. For comparison, pkgsrc has 19444 packages, and it takes a substantial effort to keep up to date.

Regarding 4... I am not sure about your angle there... "Running random binaries" is risky. Technically hysp is a random binary itself, from a random source. I don't know who you are, and even in that case any certification of authority is best efforts. You can't certify that the code you built has not been compromised... This is a tough problem, good ideas are still needed!

OTOH, maybe you could leverage the work of the pkgsrc team to increase the number of available packages, traceability, and portability! Join forces! Synergy!!!!

NewJazz | 2 years ago

I wouldn't balk at a pure static binary distro. It could have its niche.

puppetmaster | 2 years ago

Some people would argue that there are few differences between a container and a static binary...

And of course, there is also https://sta.li/