Re: [tlug] Ubuntu Trusty (14.04) issues

["Stephen J. Turnbull" <stephen@example.com>]

Raymond Wan writes:

 > I wonder if there is any Linux distribution that allows you to keep
 > your system at one version but upgrade software like your web browser
 > in an isolated way such that all of its dependencies are put somewhere
 > so as not to disturb the rest of the system?

Python does (virtualenv allows you to do such installations flexibly
for *any* Python app), but I don't know of any Linux distro that
allows multiple copies of dependencies.

However, in my experience Debian's (apt's) ability to pick a virtual
distro (stable, testing, unstable) plus specify some packages in a
different distro, and others to be pinned, works well (at least with
stable-by-default, testing-by-request).  The problem is the UI --
while Real Users prefer to write directly into text files in /etc, of
course, you need to have flexible and specific access to the
dependency graph so you don't wedge apt completely.  This is missing
(and really should be part of the config editor).  aptitude does do
the work for you at install time, but it's no help configuring these
things.

Gentoo's package.mask and package.use in theory should make this
possible, but in practice Gentoo is just a big mess from the user's
point of view.  I guess it's possible to stay on top of it with
sufficient effort, but that's exactly what this thread is about
avoiding. :-)

 > Though this goes against software development, it would make
 > upgrading far more optional!  :-)

The problem with the willy-nilly install-your-own-dependencies
approach is, of course, security.  To implement such a system
securely, you would need to have a concept of security upgrades, and a
database index of dependencies so that packages which depend on a
particular, now known to be insecure, other package would upgrade that
one locally.  But this is a *big* hairball.

 > Ironically, I think Windows does or did this.  If I recall, when you
 > install a new program, it copies a heap of DLLs without really
 > checking if you had it already.  I vaguely recall having the same DLL
 > multiple times in the same system.

Sometimes they do, sometimes they overwrite the system DLL. :-(  The
latter doesn't happen so much any more, but the former means that if
the app goes out of support you are completely exposed to old security
issues indefinitely.  You pays your money, and then you lose.

Regards,
YAS (Yet Another Steve)