--- /dev/null
+Title: "Install everything" in Ubuntu?
+Slug: ubuntu-install-everything
+Date: 2024-03-19 07:05:27 +00:00
+Category: ubuntu
+Tags: launchpad, planet-debian, planet-ubuntu
+
+On Mastodon, the
+[question](https://mastodon.social/@Hacksaw/112118031428498349) came up of
+how Ubuntu would deal with something like the [npm install
+everything](https://boehs.org/node/npm-everything) situation. I replied:
+
+> Ubuntu is curated, so it probably wouldn't get this far. If it did, then
+> the worst case is that it would get in the way of CI allowing other
+> packages to be removed (again from a curated system, so people are used to
+> removal not being self-service); but the release team would have no
+> hesitation in removing a package like this to fix that, and it certainly
+> wouldn't cause this amount of angst.
+>
+> If you did this in a [PPA](https://help.launchpad.net/Packaging/PPA), then
+> I can't think of any particular negative effects.
+
+OK, if you added lots of build-dependencies (as well as run-time
+dependencies) then you might be able to take out a builder. But Launchpad
+builders already run arbitrary user-submitted code by design and are
+therefore very carefully sandboxed and treated as ephemeral, so this is
+hardly novel.
+
+There's a lot to be said for the arrangement of having a curated system for
+the stuff people actually care about plus an ecosystem of add-on
+repositories. PPAs cover a wide range of levels of developer activity, from
+throwaway experiments to quasi-official distribution methods; there are
+certainly problems that arise from it being difficult to tell the difference
+between those extremes and from there being no systematic confinement, but
+for this particular kind of problem they're very nearly ideal. (Canonical
+has tried various other approaches to software distribution, and while they
+address some of the problems, they [aren't obviously
+better](https://popey.com/blog/2024/03/exodus-wallet-part-three/) at helping
+people make reliable social judgements about code they don't know.)
+
+For a hypothetical package with a huge number of dependencies, to even try
+to upload it directly to Ubuntu you'd need to be an Ubuntu developer with
+upload rights (or to go via Debian, where you'd have to clear a similar
+hurdle). If you have those, then the first upload has to pass manual review
+by an archive administrator. If your package passes that, then it still has
+to build and get through
+[proposed-migration](https://wiki.ubuntu.com/ProposedMigration) CI before it
+reaches anything that humans typically care about.
+
+On the other hand, if you were inclined to try this sort of experiment,
+you'd almost certainly try it in a PPA, and that would trouble nobody but
+yourself.
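Review bot: The phrase "no systematic confinement" in the paragraph starting "There's a lot to be said for the arrangement" can read as contradicting the earlier statement that Launchpad builders are "very carefully sandboxed and treated as ephemeral". The post never says which side each statement is about. Consider spelling out that the sandboxing applies to the build, while the missing confinement concerns something else (presumably packages installed from a PPA on a user's machine), so readers don't conclude that PPAs are sandboxed end to end. In the same paragraph, "Canonical has tried various other approaches to software distribution" names none of them, so the reader has to follow the link to learn which approach the "aren't obviously better" judgement is about. Naming it inline would make the comparison stand on its own. Smaller point: the paragraph beginning "OK, if you added lots of build-dependencies" qualifies the quoted "I can't think of any particular negative effects" but sits outside the blockquote with no transition. A short lead-in marking it as a later caveat to the reply would help.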