[kwlug-disc] Presentation requests: package formats, repository best practices

Chris Frey cdfrey at foursquare.net
Wed Dec 16 13:01:05 EST 2020


On Wed, Dec 16, 2020 at 04:06:06AM -0500, Paul Nijjar via kwlug-disc wrote:
> - Repository best practices: every programming language has its own
>   repository format. Archives like Debian or Ubuntu's seem to be
>   largely obsolete. 

One of the first things I do on an Ubuntu system is uninstall snapd.
Debian / Ubuntu repos are definitely not obsolete for me.

I consider using per-programming language repos, or containers, as good
for bleeding edge development or testing, or for deployment of your
own software into your own production or testing environments.
But not good for software releases to other people's systems, unless
you also want to put on your own Debian hat and do as good a job
as they do tracking all security updates and releasing on time.

The per-language package management tools usually leave things
like package signing and automatic verification to the last minute.
Even Debian itself took ages back in the day to get their repositories
signed.  To throw all that away just to run 'pip install' as root on
my system seems like a giant step backwards.  And pip has been around
for a long time!  The amount of hassle I've been through over the past 5
years just to wrestle pip to do only what I want it to do, over multiple
versions and command line changes, is a headache I do not want to repeat
unless I absolutely have to.

Then add things like Go linking everything statically, and it feels
like we're entering the dark ages again.

Who wants to be at the mercy of 15 different vendors to update a
dependency in a shared library that Debian could have fixed in a single
.deb update?

Who wants to turn their laptop/desktop into their phone, with every
app getting security updates on a different schedule, and only if you're
lucky?  Because that's the direction this is heading.

- Chris
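The static-linking point above (one shared-library fix from Debian versus chasing every vendor's rebuild) in working form, as an added example that is not part of Chris's post: a small Python script that parses the output of `go version -m <binary>`, which prints the module list embedded in any Go binary, and reports which binaries still carry a dependency older than the version that fixes it. The binary paths, module paths and versions in the embedded sample are constructed for illustration; `example.com/libfoo` and its "fixed in v1.4.2" are hypothetical, not a real advisory.

```python
"""Inventory statically linked Go binaries for an outdated dependency.

Added example, not code from the original post.  Parses the text
printed by `go version -m <binary>` (the build info every Go binary
embeds) and reports which binaries still contain a module older than
the version that fixes it.  All module names, versions and paths are
hypothetical.
"""
import re
import sys
from typing import Dict, Tuple

# Constructed sample of what `go version -m /opt/bin/*` prints for four
# binaries from four different vendors.  Hypothetical modules/versions.
SAMPLE_GO_VERSION_OUTPUT = """\
/opt/bin/vendor-a-agent: go1.15.6
\tpath\texample.com/vendor-a/agent
\tmod\texample.com/vendor-a/agent\tv2.3.1\th1:aaaa
\tdep\texample.com/libfoo\tv1.4.1\th1:bbbb
\tdep\texample.com/libbar\tv0.9.0\th1:cccc
/opt/bin/vendor-b-cli: go1.14.9
\tpath\texample.com/vendor-b/cli
\tmod\texample.com/vendor-b/cli\t(devel)
\tdep\texample.com/libfoo\tv0.0.0-20200310120000-0123456789ab\th1:dddd
/opt/bin/vendor-c-daemon: go1.15.6
\tpath\texample.com/vendor-c/daemon
\tmod\texample.com/vendor-c/daemon\tv1.0.0\th1:eeee
\tdep\texample.com/libfoo\tv1.4.2\th1:ffff
/opt/bin/vendor-d-proxy: go1.15.6
\tpath\texample.com/vendor-d/proxy
\tmod\texample.com/vendor-d/proxy\tv3.0.0\th1:gggg
\tdep\texample.com/libfoo\tv1.4.1\th1:bbbb
\t=>\texample.com/vendor-d/libfoo-fork\tv1.4.1-patched\th1:hhhh
"""

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def version_key(version: str) -> Tuple[Tuple[int, int, int], int, str]:
    """Sort key for Go module versions (simplified semver ordering).

    Pseudo-versions such as v0.0.0-20200310120000-0123456789ab carry
    their commit timestamp in the prerelease part, so they sort below
    the tagged release with the same numbers and among themselves by
    time.  Raises ValueError for things like "(devel)".
    """
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"unrecognised module version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # A plain release outranks any prerelease with the same numbers.
    return (nums, 1 if pre is None else 0, pre or "")


def parse_go_version_m(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `go version -m` output into {binary: {module: version}}.

    A `=>` record is a go.mod replace directive applied to the preceding
    dep/mod; it is stored under the original module path with an "=>"
    prefix so callers can flag it for manual review.
    """
    binaries: Dict[str, Dict[str, str]] = {}
    current = None
    last_module = None
    for line in text.splitlines():
        if not line.startswith("\t"):
            # Header line: "<binary path>: go1.15.6"
            current = line.rsplit(":", 1)[0]
            binaries[current] = {}
            last_module = None
            continue
        fields = line.lstrip("\t").split("\t")
        kind = fields[0]
        if kind in ("dep", "mod") and len(fields) >= 3 and current:
            binaries[current][fields[1]] = fields[2]
            last_module = fields[1]
        elif kind == "=>" and last_module and len(fields) >= 3:
            binaries[current][last_module] = f"=> {fields[1]} {fields[2]}"
    return binaries


def find_vulnerable(binaries: Dict[str, Dict[str, str]],
                    module: str, fixed_in: str) -> Dict[str, str]:
    """Status per binary that embeds `module`: vulnerable/fixed/replaced/unknown."""
    fixed_key = version_key(fixed_in)
    report: Dict[str, str] = {}
    for binary, deps in binaries.items():
        version = deps.get(module)
        if version is None:
            continue
        if version.startswith("=>"):
            report[binary] = "replaced"  # a fork: check it by hand
            continue
        try:
            report[binary] = "vulnerable" if version_key(version) < fixed_key else "fixed"
        except ValueError:
            report[binary] = "unknown"
    return report


def main() -> None:
    # Pipe real output in: go version -m /usr/local/bin/* | python3 this.py
    text = SAMPLE_GO_VERSION_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = find_vulnerable(parse_go_version_m(text), "example.com/libfoo", "v1.4.2")
    for binary, status in sorted(report.items()):
        print(f"{status:10s} {binary}")


if __name__ == "__main__":
    main()
```

Run against real binaries with `go version -m /usr/local/bin/* 2>/dev/null | python3 inventory.py`. The "replaced" status exists because a vendor's go.mod replace directive swaps the module for a fork, and whether that fork carries the fix is exactly the kind of thing no version number will tell you.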