maemo.org - Talk (https://talk.maemo.org/index.php)
-   Community (https://talk.maemo.org/forumdisplay.php?f=16)
-   -   Fedora based MeeGo = NoGo! (https://talk.maemo.org/showthread.php?t=44597)

zimon 2010-03-20 14:44

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by attila77 (Post 573008)
For all intents and purposes the two formats (can) provide the same level of functionality.

Well, as we are talking about _package_ formats, RPM-format does have that one technical advantage over deb-format, that it supports GPG signatures embedded in the package itself (or actually the package data to be embedded in a signature).

In these days of hacks, cracks, Trojans and viruses it is an important feature in the package format. And some people here have asked about technical points why RPM would be better than deb-package format. I remember in LSB this (pretty much) same conversation was kept, when the official LSB package format was chosen and deb-format's missing integrity and authenticity was one point.

Well of course, one can zip or tar both somepackage.deb and somepackage.dsc to one file, put it on a USB-stick and install keeping care of integrity and authenticity manually, but it is not a standardised way and "atomicity" is at a worse level than having a GPG-signed RPM-package on the stick.

Would think it is easier and a lot less work to port Debian ARM-repository packages to RPM-packages, than to try to port Meego-system to be compatible with Debian-system, as some people are trying.

Also zypper and delta packages are a good improvement compared to Maemo.

attila77 2010-03-20 15:34

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by zimon (Post 574800)
Well, as we are talking about _package_ formats, RPM-format does have that one technical advantage over deb-format, that it supports GPG signatures embedded in the package itself (or actually the package data to be embedded in a signature).

That's not a functional difference. We've seen in the number of pages above people jumping over each other because something needs two commands in one system and one in the other.

Occam's razor also gives the simplest (of many) reasons why Debian never moved to such a single-file scheme - there simply never was a serious need for it. 99.99% (yes, I made that number up, feel free to challenge :) ) of .debs is done via a repository (which also handles authenticity and integrity checks, too). If you're in the remaining 0.01% and care so dearly about GPG signatures, and you want to do everything manually, you will have to survive copying two files instead of one (the horror!).

Quote:

conversation was kept, when the official LSB package format was chosen and deb-format's missing integrity and authenticity was one point.
I must say I can't remember whether this was *before* or *after* Debian transitioning to apt-secure, can you shed light on that?

Quote:

Would think it is easier and a lot less work to port Debian ARM-repository packages to RPM-packages, than to try to port Meego-system to be compatible with Debian-system, as some people are trying.
That is much closer to what is happening, but again, has little to do with the merits of either rpm or deb.

Quote:

Also zypper and delta packages are a good improvement compared to Maemo.
There is a thing called debdelta which can provide similar functionality but never got too popular in mainstream distros. As for zypper, I have not used it enough to make an objective comparison to apt(itude).

javispedro 2010-03-20 15:39

Re: Fedora based MeeGo = NoGo!
 
Not wanting to make a fuss over such a trivial feature (very, very easily implemented), but...

Quote:

Originally Posted by attila77 (Post 574828)
Occam's razor also gives the simplest (of many) reasons why Debian never moved to such a single-file scheme - there simply never was a serious need for it. 99.99% (yes, I made that number up, feel free to challenge :) ) of .debs is done via a repository (which also handles authenticity and integrity checks, too). If you're in the remaining 0.01% and care so dearly about GPG signatures, and you want to do everything manually, you will have to survive copying two files instead of one (the horror!).

I can see how single file .rpm with GPG signatures (à la Authenticated signed .msi packages) would be of interest to proprietary/binary distributed/pay-per-download software.

attila77 2010-03-20 15:54

Re: Fedora based MeeGo = NoGo!
 
Okay, then here comes the heavier argumentation (just googled this out from a 2003 post) :)

Quote:

This has been rehashed lots of times on various Debian lists, and I imagine JoeBuck is aware of this, but including signatures with each package is not sufficient to ensure you are not being deceived by your mirror or distributor. Why? Because outdated, insecure and exploitable packages which have been superseded by newer versions in stable/unstable/security/whatever still have valid signatures. This is why no built-in signature system has been made for debs, because the Release signature is more correct and we already have it. It states that at the time the signature was made, these specific packages constitute the latest version of whichever release. An onboard signature just says "at some point a debian developer made this package", and that doesn't cut it.
Technically, our single distribution file is the .install file we already have (how many files actually get touched behind the scenes is irrelevant, and via repository verification it DOES provide authenticity). It is really important to be able to *invalidate* packages, otherwise you're trading security for convenience.

EDIT: Before we start another spiral - I'm not advocating .deb here. I'm saying neither format provides such a functional difference that would mandate a change of format alone. If you like RPM, the change is cool. If you like DEB, it's not cool. But remember, the change is very likely not because of the reasons *YOU* (dis)like the format in question.

javispedro 2010-03-20 16:07

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by attila77 (Post 574845)
It is really important to be able to *invalidate* packages, otherwise you're trading security for convenience.

Yes, it makes sense for your average GNU/Linux distribution, but in the pay-per-download proprietary scenario I was talking about (think Ovi Store), the ability to "invalidate" packages you paid for would be (at best) seen as some form of DRM. You paid for version X, the signature's only semantic really is "at some point I released this program P, version X". You're free to store or send it to the user and its integrity won't be compromised.

I'm not advocating any format here either since I know that any plausible difference between the two would be easily "resolved" in _hours_ if anyone really cared about it, but the point is that I see that at least someone (B. Gates and his minions for a start) decided this concrete feature was a good idea.

attila77 2010-03-20 16:20

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by javispedro (Post 574854)
Yes, it makes sense for your average GNU/Linux distribution, but in the pay-per-download proprietary scenario I was talking about (think Ovi Store), the ability to "invalidate" packages you paid for would be (at best) seen as some form of DRM. You paid for version X, the signature's only semantic really is "at some point I released this program P, version X". You're free to store or send it to the user and its integrity won't be compromised.

Umm, those are two (three actually) separate issues. Authenticity != validity != enforcement. Consider that a package you have in package form is discovered to have a serious flaw, trojan, etc. Now, with the single file validation mechanism we're comparing to, there is no way to warn people that there is something wrong, the best you can do is remove your file from the official distribution channel and hope the mirrors/downloaded versions die out soon. The alternative is to invalidate ALL packages signed with a particular key (also not good). With a release control file, you can say 'that is no longer valid for whatever reason'. Note that this a) does not mean that the old packages are no longer accessible, and b) does not mean that you cannot install those packages. Enforcement of those two things would be something completely different (THEN we would be in DRM land).
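The two verification models argued over in this thread (a signature embedded in each package versus a signed release index that lists the current package hashes, as in attila77's quoted 2003 post and the post above) can be sketched in a few lines. The Python below is an added illustration, not code from the thread or from any distribution; it uses an HMAC with a constructed key as a stand-in for a GPG signature so it runs offline, and the package names and contents are made up.

```python
import hashlib
import hmac

# Constructed stand-in for GPG: an HMAC with a shared key plays the role of
# a signature, so the sketch runs offline without a keyring.
SIGNING_KEY = b"constructed-demo-signing-key"

def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def verify(payload: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(payload), signature)

def build_package(name: str, version: str, content: bytes) -> dict:
    """Per-package signing: the signature travels inside the file (RPM style)."""
    payload = f"{name} {version}\n".encode() + content
    return {"name": name, "version": version, "payload": payload, "sig": sign(payload)}

def verify_package(pkg: dict) -> bool:
    """Proves only that the signer produced this file at some point in time."""
    return verify(pkg["payload"], pkg["sig"])

def build_release(packages: list) -> dict:
    """Signed release index (apt-secure style): hashes of the *current* package set."""
    lines = sorted(f"{hashlib.sha256(p['payload']).hexdigest()} {p['name']} {p['version']}" for p in packages)
    index = "\n".join(lines).encode()
    return {"index": index, "sig": sign(index)}

def verify_against_release(pkg: dict, release: dict) -> bool:
    """A package is valid only while the signed index still lists its hash."""
    if not verify(release["index"], release["sig"]):
        return False  # tampered or forged index: trust nothing it lists
    digest = hashlib.sha256(pkg["payload"]).hexdigest()
    return any(line.split()[0] == digest for line in release["index"].decode().splitlines())

def demo() -> dict:
    # Constructed packages: 1.0 turns out to be flawed and is superseded by 1.1.
    old = build_package("foo", "1.0", b"constructed content with a flaw")
    new = build_package("foo", "1.1", b"constructed fixed content")
    release_v1 = build_release([old])
    release_v2 = build_release([new])  # 1.0 dropped: invalidated without revoking the key
    return {
        "old_sig_still_valid": verify_package(old),          # embedded signature never expires
        "old_in_release_v1": verify_against_release(old, release_v1),
        "old_in_release_v2": verify_against_release(old, release_v2),  # rejected by the new index
        "new_in_release_v2": verify_against_release(new, release_v2),
    }
```

The flawed 1.0 package keeps a valid embedded signature forever, while the release index rejects it as soon as a new index is published, with no key revocation needed.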

zimon 2010-03-20 16:38

Re: Fedora based MeeGo = NoGo!
 
Integrity and authenticity never guarantees some package is clean from Trojans, but it does tell where to start to look for a guilty person.
I would prefer every software developer (or group) would sign its own software, and repository maintainers then once more the whole repositories.

It is inconvenient that every time some 3rd party company or community is releasing a software package or an update, it has to setup a repository. With RPM-package format, it can just sign its own RPM packages and deliver them how it chooses, and have its GPG public key available in key-servers.

I AM advocating LSB.
LSB is a good thing to try to standardize Linux systems (as is opendesktop.org), and the choice for the package format has been made there long ago.

attila77 2010-03-20 17:03

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by zimon (Post 574886)
Integrity and authenticity never guarantees some package is clean from Trojans, but it does tell where to start to look for a guilty person.
I would prefer every software developer (or group) would sign its own software, and repository maintainers then once more the whole repositories.

Most major distributions work this way, Debian itself having *very* strict rules of validating authenticity and origin. In fact, maemo.org worked this way until a while back (but that's a different story).

Quote:

It is inconvenient that every time some 3rd party company or community is releasing a software package or an update, it has to setup a repository. With RPM-package format, it can just sign its own RPM packages and deliver them how it chooses, and have its GPG public key available in key-servers.
You can hardly bring up convenience in the same context as security. A 'preferred level of security and convenience' is just that - a preference. Also, please don't twist my words - you don't HAVE to set up a repository, it's just the recommended way (for a reason!). A company that does fire-and-forget packages isn't instilling trust.

Quote:

I AM advocating LSB.
LSB is a good thing to try to standardize Linux systems (as is opendesktop.org), and the choice for the package format has been made there long ago.
You CAN be LSB compliant without being RPM based. Let's not mix politics or twist standards to fit our purposes and desires. It's about interoperability, not forcing particular architectural choices.

Texrat 2010-03-20 17:11

Re: Fedora based MeeGo = NoGo!
 
Attila77, I really, really want to thank you for injecting some well-needed sanity into this discussion. I see RPMMaster in your future (as well as council representative). ;)

attila77 2010-03-20 17:28

Re: Fedora based MeeGo = NoGo!
 
Quote:

Originally Posted by Texrat (Post 574930)
Attila77, I really, really want to thank you for injecting some well-needed sanity into this discussion. I see RPMMaster in your future (as well as council representative). ;)

Thanks. I just wish we had better communication than the terse 'it will use rpm' that leaves plenty of vacuum for speculation, allowing for the often religious package format wars to reemerge. It could have been worse though, if they specified it uses VI or emacs as the official editor :)
