From c76a380128ea2ec9b981cc50e2d37a151e0e8104 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 19 Mar 2024 07:06:03 +0000 Subject: [PATCH] "Install everything" in Ubuntu? --- content/ubuntu-install-everything.md | 51 ++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 content/ubuntu-install-everything.md diff --git a/content/ubuntu-install-everything.md b/content/ubuntu-install-everything.md new file mode 100644 index 00000000..7ac08e54 --- /dev/null +++ b/content/ubuntu-install-everything.md 
@@ -0,0 +1,51 @@ +Title: "Install everything" in Ubuntu? +Slug: ubuntu-install-everything +Date: 2024-03-19 07:05:27 +00:00 +Category: ubuntu +Tags: launchpad, planet-debian, planet-ubuntu + +On Mastodon, the +[question](https://mastodon.social/@Hacksaw/112118031428498349) came up of +how Ubuntu would deal with something like the [npm install +everything](https://boehs.org/node/npm-everything) situation. I replied: + +> Ubuntu is curated, so it probably wouldn't get this far. If it did, then +> the worst case is that it would get in the way of CI allowing other +> packages to be removed (again from a curated system, so people are used to +> removal not being self-service); but the release team would have no +> hesitation in removing a package like this to fix that, and it certainly +> wouldn't cause this amount of angst. +> +> If you did this in a [PPA](https://help.launchpad.net/Packaging/PPA), then +> I can't think of any particular negative effects. + +OK, if you added lots of build-dependencies (as well as run-time +dependencies) then you might be able to take out a builder. But Launchpad +builders already run arbitrary user-submitted code by design and are +therefore very carefully sandboxed and treated as ephemeral, so this is +hardly novel. + +There's a lot to be said for the arrangement of having a curated system for +the stuff people actually care about plus an ecosystem of add-on +repositories. PPAs cover a wide range of levels of developer activity, from +throwaway experiments to quasi-official distribution methods; there are +certainly problems that arise from it being difficult to tell the difference +between those extremes and from there being no systematic confinement, but +for this particular kind of problem they're very nearly ideal. 
(Canonical +has tried various other approaches to software distribution, and while they +address some of the problems, they [aren't obviously +better](https://popey.com/blog/2024/03/exodus-wallet-part-three/) at helping +people make reliable social judgements about code they don't know.) + +For a hypothetical package with a huge number of dependencies, to even try +to upload it directly to Ubuntu you'd need to be an Ubuntu developer with +upload rights (or to go via Debian, where you'd have to clear a similar +hurdle). If you have those, then the first upload has to pass manual review +by an archive administrator. If your package passes that, then it still has +to build and get through +[proposed-migration](https://wiki.ubuntu.com/ProposedMigration) CI before it +reaches anything that humans typically care about. + +On the other hand, if you were inclined to try this sort of experiment, +you'd almost certainly try it in a PPA, and that would trouble nobody but +yourself. -- 2.30.2
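Review bot: "no systematic confinement" in the paragraph beginning "There's a lot to be said" sits awkwardly next to the previous paragraph's statement that Launchpad builders are "very carefully sandboxed and treated as ephemeral", and a reader could take the two as contradictory. If the second phrase is about what a PPA package can do once installed on a user's machine rather than about the build environment, say so in that sentence, for example by naming what is left unconfined. Two smaller points in the same hunk: "take out a builder" does not say which resource the build-dependencies would exhaust, and the quoted reply after "I replied:" has no link of its own, although the question it answers is linked.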