
Re: Q to all candidates: what is the long-term role of traditional Linux distributions?



Sam Hartman writes ("Re: Q to all candidates: what is the long-term role of traditional Linux distributions?"):
> Debian is great at giving you all the parts of what you need to do that
> aren't your primary focus.

This is a great answer.

> I think packaging free software even from languages that have their own
> system is valuable in a lot of ways.  First, we have a way of expressing
> dependencies that cross language boundaries well.  We have a consistent
> approach to validating licensing that seems better than a number of
> other repositories in terms of respecting the DFSG and/or more generally
> the four freedoms.

We have had a lot of discussions in Debian about language-specific
package managers, and we seem to have some heartache or something on
this topic.  Personally I have a somewhat different take.

Compared to (say) NPM or crates.io,

 * Debian has a much better answer to the problem of upstream malware
   (including the risk of random hostiles taking over packages).

 * Debian provides clear Freeness guarantees.

 * Debian provides much longer-term stability.

 * Using Debian packages means a much lower risk of random shit going
   wrong simply because the set of online services, public keys,
   etc. you are relying on is much smaller and more cohesive.

 * Debian also, sometimes serendipitously, provides a filter which
   means that if you're lucky you don't have to wade through as much
   crap to find a thing to do what you wanted.

Serious failures due to language-specific package managers - which
place far too much trust in their ill-curated or not-at-all-curated
archives - have become so common that they are not even news any more.

The worst language-specific package managers encourage really poor
practices.  Read this excellent article where someone familiar with
incident analysis and remediation tries to look at recent NPM failure
from the pov of Serious People Trying To Stop Bad Shit:
  https://www.hillelwayne.com/post/stamping-on-eventstream/

(Additionally, Debian provides a standardised format so you don't need
to learn language-specific tools and so that software from different
languages can be integrated.  Our packaging tooling makes that easy.)


So IMO the benefits of Debian are all *really valuable*.  But they are
also *work*.  Ie, those benefits are the result of the hard work of
our language-specific packaging teams.

When that work is not done, indeed, users have to fall back on random
upstream stuff.  


I am all for making it easier for language-specific packaging teams to
do their curation work.

But I don't think it is a problem *for Debian* that there are systems
which look more convenient until you discover that they are a tyre fire and
now you are on fire too.  I don't think we should emulate them.


One thing that would make this a lot easier would be if we could draw
more users into this curation more easily.  Of course curation is a
task requiring authority, so will have to depend on status or review.

But it would be nice if, say, after I have done my own techopolitical
review of some thing I found on crates.io, I as a DD could push some
button to say "I approve of this thing with its current
maintainership" and it would be automatically shoveled into sid.

As it is, I would have to learn a lot about not just Rust but also
Debian Rust packaging, and join the Rust packaging team, and so on.

I wouldn't mind promising to keep an eye on the updates on crates.io
and saying yay/nay to them.  Provided that saying yay or nay is very
simple and doesn't involve wrestling a pile of strange machinery.

In a recent project of mine, that was too big a yak to add to my herd,
which means that Debian missed the opportunity to capture the value of
my review work.

I think that this problem could and therefore should be solved in a
way which generalises to multiple language-specific package managers.


> And yet people are spending a lot of time curating modules from
> languages that have their own repositories.  Yes, I'm sure this work has
> value.  I think we should do a better job of letting people know that we
> recognize the value and articulating to ourselves and our users what
> that value is.

I agree that we need to do more promotion of this aspect of Debian's
value.


Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

