Uploaded bymckern
1,853 views

Packaging is the Worst Way to Distribute Software, Except for Everything Else

The document discusses the challenges and complexities of software packaging and distribution, emphasizing that while packaging is crucial for dependency management and installation ease, it often leads to significant frustrations for developers and users alike. It references various packaging formats like RPM and DEB, highlights security concerns with installations, and critiques existing practices while proposing alternatives such as using tools like omnibus and fpm. Ultimately, the author suggests a focus on improving packaging solutions rather than reinventing them, advocating for the use of best practices for customer satisfaction.

Embed presentation

Downloaded 22 times
Packaging is the Worst Way to Distribute Software, except for everything else Ryan McKern | Puppet Labs mckern@puppetlabs.com
Who is this?
What do I do now? Release Engineering at
Maybe you've used our products?
What have I done? System Administration … for 13 years.
I’ve probably been your customer
Caveat Audiens
"Prejudice is a great time saver. You can form opinions without having to get the facts." Attributed to E.B. White, Source unknown
Let's talk about software!
Distributing software sucks Shipping new platforms is so hard Cross-platform packaging is so hard Unpredictable user-space is so hard Moving the packaged bits is so hard
Everything is so hard
Who among us knows this pain? sad@roberto Downloads $ wget -­‐-­‐quiet http:// ftpmirror.gnu.org/gcc/gcc-­‐4.9.1/gcc-­‐4.9.1.tar.bz2 sad@roberto Downloads $ tar xjf gcc-­‐4.9.1.tar.bz2 sad@roberto Downloads $ cd gcc-­‐4.9.1/ sad@roberto Downloads $ ./configure ./configure: line 532: sed: command not found ./configure: line 1371: sed: command not found ./configure: line 1920: sed: command not found ./configure: line 2291: sed: command not found configure: error: cannot run /bin/sh ./config.sub ./configure: line 361: sed: command not found ./configure: line 310: sort: command not found
This was a problem because the customer's time has value
Behold! ryan@animatronio ~ $ sudo rpm -­‐Uvh http://my.mirror.co/pub/ el/7/x86_64/nano-­‐2.3.1-­‐10.el7.x86_64.rpm Retrieving http://my.mirror.co/pub/el/7/x86_64/ nano-­‐2.3.1-­‐10.el7.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:nano-­‐2.3.1-­‐10.el7 ################################# [100%] ryan@animatronio ~ $
What's so great about packages?
Dependency management calculon ~ # apt-­‐get install cmake Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: cmake-­‐data emacsen-­‐common libarchive12 libnettle4 libxmlrpc-­‐core-­‐c3 The following NEW packages will be installed: cmake cmake-­‐data emacsen-­‐common libarchive12 libnettle4 libxmlrpc-­‐core-­‐c3 0 upgraded, 6 newly installed, 0 to remove and 51 not upgraded.
Verification bender ~ # mv /usr/share/man/man8/applydeltarpm.8.gz ~/ bender ~ # rpm -­‐V deltarpm missing d /usr/share/man/man8/applydeltarpm.8.gz bender ~ #
Distribution ryan@tinnytim ~ $ gem push erniebert-­‐0.1.0.gem Pushing gem to BetterThanRubyGems.org... Successfully registered gem: erniebert (0.1.0) ryan@tinnytim ~ $ gem install erniebert Fetching: ffi-­‐1.9.6.gem (100%) Building native extensions. This could take a while... Successfully installed ffi-­‐1.9.6 Fetching: erniebert-­‐0.1.0.gem (100%) Successfully installed erniebert-­‐0.7.1 1 gem installed ryan@tinnytim ~ $
What could be better about packages?
Sometimes shipping bits really is hard
Security is often both the joke and the punchline ouch@killbot ~ $ dpkg-­‐sig -­‐-­‐verify puppet_3.7.1-­‐1puppetlabs1_all.deb Processing ./puppet_3.7.1-­‐1puppetlabs1_all.deb... GOODSIG _gpgbuilder C093A3A56A6E0BEEA2821DD7133957EA11028DF3 1413702159 ouch@killbot ~ $ dpkg-­‐sig -­‐-­‐verify ./puppet_2.7.23-­‐1~deb7u3_all.deb Processing ./puppet_2.7.23-­‐1~deb7u3_all.deb... ouch@killbot ~ $
So, so, so many similar-but-different formats
Let's talk about some popular packaging formats
.rpm • Managed by the recursively named "RPM Package Manager" & yum • cpio compressed binaries & text files • Post-installation tasks are shell scripts
.deb • Managed by dpkg & apt, the "Advanced Package Tool" • ar compressed package with two gzipped tarballs & a small text file • Post-installation tasks are shell scripts
Mac .pkg • Used by Mac OS X, and often delivered in a .dmg (disk image) or a .zip file • xar compressed archive, containing a binary file, two archives, and an XML document • post-installation tasks are still shell scripts
About all those post-install shell scripts Maybe they're not that safe, but the surface area of this problem is big. That doesn't mean we needed "dash"
Ruby .gem, Python .egg, and Node .npm • These are library managers with delusions of grandeur • Reuses the "download, decompress, configure, build, install" patterns, which hasn't got much spam in it • Constant compilation is a bummer
What about... ? #realtalk We only have 45 minutes, and I hope you're going to have some questions for me to evade
What are some alternatives?
Source tarballs
curl | bash
Full Disclosure • Puppet Labs does use the curl|bash technique as an option for our PE agent installation • If you don't trust your own Puppet Master, who do you trust? • (ALL THE COOL KIDS WERE DOING IT)
You just wanted Ruby but you got Cthulhu ~ $ curl -­‐sSL https://get.rvm.io | bash -­‐s -­‐-­‐ -­‐-­‐fhtagn G̺̞ ̯͔̮̫̥ ͊̌͂ a͍͕͓̦͈̯̟̋ r̘̰̟e̓̓ ̦ C̋͋ͬt̂̅̓ t͇̻̩̲̬ ͇̪̹͔̾ ̟ḧ́΅ͭ ̩̿ͭ ͖̙̤ ͭl̅ͦ̓ ̝̙̭ ̗ ṷ ů̥͖ ͍͎͍ ̦̟ n̠̣̭ ̞̻̱̳ ̬ ̣̗ ̑ ̖͎ͩ hͯ ͐ ̝̤̊ ̞̭̳͚̞ ̘ s ̓ ͔̣ ̺̝͇ l̃ͪ͐̎̍ a̅͋̏̀ ̜̯͉ ͈͇̲ ̓̑ ̭̻l̂ͬ̽ ͮ ̙͇̼͍ r̭̂̋ͦ ̻̺̭ ̗͙̃ ̻̤̳ ̰̤ i̅̿̌ͫͣͪ ̺̙̽_̻͚ ̤ s ̮͇ e͍̞̚ ̿̌ͮ̍ ̝͕̳́̽ ̩̺ͅ ͉ r f͈̱͓͓ ̦̰̬̗ ̗̝̼ m̞̗͎͍̾̈͊ o͈̩ͪ̈ ̟̤̻͉ ̃ͨͬ́̉ͩ̓ ̰̝e͍͎h '̼̬̤̋̉̽lͪ ͣ ̗̼ͥ̉R ̱͚̏ ̫͙͓̰͔ ̃̂̂ ͕͓̲ y .̚ ̣̫ ̞͓͈ ̼̪̠s͔̹̞̟t͈̘͕ H͎̯ ̙̱a͍̟͍ͅ ̘̼ u͙͓̙̟r̥̹̫͇͎ ͚ ̻ͅ ̣ ̙̹ ͍̮ t ̻̳̮ h ̩̜̣_ e̠_̱̣͔ ̼ ̺͉U s͈̰̣̥ p̻ a͕̗̣̺ k ͇e̤͍̯ ̻̹͓̬ ̹̤̳a̠͍̪ b̩_ ̪_̥͖͎͍ e̪̻̣̣ ̙̼ ͈̬s͇̮̞ ḻ͇ ̥͖̠ ̹̩̖ ̙̲ a̺͈̹̤͈͉ͅ ̣̮͕̙ ̗ h ̠̟ ̰̜̜l̬̹̭ l̺̞ ̩̳̮̩̰͕ͅ ̻r̮̥̦͍͍ ͈̫ e̳̠̙̘ ̱ u̠͇r̮̣͓ ̘̬̰ t͔͚̳̹̰ ̰͖ n̗͍ ̥͕ ̥͉f̜͚r̯͍ͅ o͈̯̦ ̖ ̳͓̦͔ ¯ͭ̔ ̻͙̫̪̪̖͈ ͔̬ ̣̌ ̠̟̱̒ ͍m̻̟ ̭ ̼̠ ͍̣t͖h͔͉̞ e̬̫̦ ̋͂ ̖͇̼ ̊ͤ̓̋̄̐͌̾ ̩̝̮ ͓ d̰̼̞̤͕ ̤̘̣̭͍̖ ̻͈ ̟̭ ͡l̴l h͞ow l͢ f̕o ́̃̍̆̂̇̒ͫ k̲͖̻̻̆͋ͬ̑ ̩͍̭̙ ̥ k̙̣͕͔ ̘̮̤̻̜̳ r̯̰̱̬̭ͅ ḁ͙ ͔͔̺ ̠ ̗ s̻̱͎ ̙̦̝̗͍͎ ̞̪t̫͉̟̻ ͖ ạ̫ r͔̺ ͍.͔̖͚̺̹ ̰̫ Ǹ`ya͠rĺath̢ote͡p̢ ͟s̀`h ̨ a ̷reve̢r̀` ͑̎ ň̽̌ ḯ΅ ̣ ̃̄̇ͪ̂͑ ͉͔̙̤̪̜ h ̉ͦ ͕t͂̔ ͨ͋̅̿ ͔̆ͫ̓ͫ ̫͖̻ e ͫ͌͛ ͦ͆ͭ̽ ̊ͩͩ̇ͣ ̗ͅd̂ ā̇ͤ͋ͭͨ ̗̰ ͙̗̝͕̩̥ ̟͍ ř nͮͯ̑̿͒ e̍͒̅̄ͣ̀ ͅͅ ̪̠̗͕̥ ͋̋ ͙̹͎̺̠ s̊̈̽̊̌ s̈̌ͪ ̱̳ .̄̑̎ ͔̙̣ ̤̰̟̦̥ ͉̉ ͙̬
curl | bash often assumes • There is no air-gap • Every request is a safe & sane request • That HTTPS is good enough
curl | bash often forgets • >100% Broadband coverage • Mirrors exist • HTTPS secures transport, not content
curl | bash totally ignores • The benefits of reusability • The fragility of shell scripts • The fragility of shells
Security is hard • RVM recently introduced hand-rolled GPG signing* • Thread had 48 comments within a week, almost universally about the implementation • Broke semver, automation, and hearts * https://github.com/wayneeseguin/rvm/issues/3105
Omnibus
Isn't that from Chef? • Sure, but so is Test Kitchen • Builds packages while still controlling the entire dependency stack • Lots of love from users with complicated dependency stacks
Omnibus is one way to skin the entire cat • Abstracts (instead of removes) dependency management • Only builds packages for the platform it's installed on • You're going to want to know Ruby
FPM
Effing Package Managers •General purpose swiss-army knife of package building •Works around a lot of the shortcomings of existing package managers •Jordan Sissel is a SAINT (Shout out to #hugops!)
"Common packaging patterns, a distaste for existing packaging practices, and some hate-driven development yielded FPM! Add some amazing contributions in code, bugs, features, and support from the community and boom we have modern FPM." Jordan Sissel My inbox, Oct 10 2014
Effing FPM • Swiss army knives are rarely the best tool for a given job • General purpose in this case means a lot (~150ish) of command line flags • Still infinitely better than curl | bash
Why so many alternatives? What went wrong?
RPM Packaging can be tough • RPM Spec files are weird • Kind-of M4, kind of Shell, all obtuse • Oh, and kind-of Make; only kind-of • Sort-of competing RPM standards
Deb Packaging can feels like penance • "debian/" directories are outright hostile to man & beast alike • Debian "Helpers" usually don't • dpatch can use unified diffs (sane) or shell scripts (what?!)
Conflation of purpose • Some library managers try to install executables, e.g. gem, pip, npm • Remember when I said "delusions of grandeur"? (Google Image Search was kind of useless here)
But really, I just have a hypothesis! • Developers love solving new problems • Sometimes they confuse their problems for the customer's problems • Maybe packaging isn't a solved problem yet, but it's close
Where do we go from here?
Sometimes the only choices you have are bad ones; but you still have to choose.
TL;DR: this problem is (mostly) solved Stop writing new installers from scratch Give your customers the best packages possible Don't forget Pareto (any number of 80/20 rules)
Thank you You're wonderful. Thank you for letting me rant at you for as long as you did. mckern@puppetlabs.com @the_mckern
Questions?

More Related Content

PDF
Chef Conf 2015: Package Management & Chef
byice799
 
PDF
Infrastructure as code might be literally impossible part 2
byice799
 
PPTX
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
PPTX
BSides Hannover 2015 - Shell on Wheels
byinfodox
 
PPTX
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
byinfodox
 
KEY
Contributing to WordPress core - a primer
bylessbloat
 
PPTX
Dock ir incident response in a containerized, immutable, continually deploy...
byShakacon
 
PDF
XFLTReat: a new dimension in tunnelling
byShakacon
 
Chef Conf 2015: Package Management & Chef
byice799
 
Infrastructure as code might be literally impossible part 2
byice799
 
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
BSides Hannover 2015 - Shell on Wheels
byinfodox
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
byinfodox
 
Contributing to WordPress core - a primer
bylessbloat
 
Dock ir incident response in a containerized, immutable, continually deploy...
byShakacon
 
XFLTReat: a new dimension in tunnelling
byShakacon
 

What's hot

PDF
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
byPablo Godel
 
PDF
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
byPuppet
 
KEY
Migrating big data
bylauraxthomson
 
PDF
CPANci: Continuous Integration for CPAN
byMike Friedman
 
PDF
21st Century CPAN Testing: CPANci
byMike Friedman
 
PDF
Midwest php 2013 deploying php on paas- why & how
bydotCloud
 
PPTX
Re-thinking Performance tuning with HTTP2
byVinci Rufus
 
PPTX
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
PPT
Design Reviewing The Web
byamiable_indian
 
PDF
Just curl it!
byDaniel Stenberg
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
PPTX
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 
PDF
Hacking on WildFly 9
byJBUG London
 
ODP
HowTo DR
byPostgreSQL Experts, Inc.
 
PDF
HTTP/3
byDaniel Stenberg
 
PPTX
Obfuscating The Empire
byRyan Cobb
 
PDF
Giving back with GitHub - Putting the Open Source back in iOS
byMadhava Jay
 
PPTX
Pwning with powershell
byjaredhaight
 
PDF
First adventure within a shell - Andrea Telatin at Quadram Institute
byAndrea Telatin
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
byPablo Godel
 
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
byPuppet
 
Migrating big data
bylauraxthomson
 
CPANci: Continuous Integration for CPAN
byMike Friedman
 
21st Century CPAN Testing: CPANci
byMike Friedman
 
Midwest php 2013 deploying php on paas- why & how
bydotCloud
 
Re-thinking Performance tuning with HTTP2
byVinci Rufus
 
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
Design Reviewing The Web
byamiable_indian
 
Just curl it!
byDaniel Stenberg
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 
Hacking on WildFly 9
byJBUG London
 
HowTo DR
byPostgreSQL Experts, Inc.
 
HTTP/3
byDaniel Stenberg
 
Obfuscating The Empire
byRyan Cobb
 
Giving back with GitHub - Putting the Open Source back in iOS
byMadhava Jay
 
Pwning with powershell
byjaredhaight
 
First adventure within a shell - Andrea Telatin at Quadram Institute
byAndrea Telatin
 

Viewers also liked

PDF
You Can't Build a Team in The Thunderdome
bymckern
 
PPTX
Nakivo Slides 2014 12-17
byNick Luchkov
 
PPT
Linux16 RPM
byJainul Musani
 
PPT
Pregunta Fácil
bylolemanu
 
PDF
Smau Milano 2016 - Fabio Alessandro Locati
bySMAU
 
PPTX
Spacewalk deployment at Fuqua
byAndy Ingham
 
You Can't Build a Team in The Thunderdome
bymckern
 
Nakivo Slides 2014 12-17
byNick Luchkov
 
Linux16 RPM
byJainul Musani
 
Pregunta Fácil
bylolemanu
 
Smau Milano 2016 - Fabio Alessandro Locati
bySMAU
 
Spacewalk deployment at Fuqua
byAndy Ingham
 

Similar to Packaging is the Worst Way to Distribute Software, Except for Everything Else

PDF
Puppet Camp LA 2015: Package Managers and Puppet (Beginner)
byPuppet
 
PDF
Puppet Camp LA 2/19/2015
byice799
 
KEY
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
PDF
Package manages and Puppet - PuppetConf 2015
byice799
 
PDF
$ make install
byMarios Isaakidis
 
ODP
Repositories as Code
byKris Buytaert
 
PDF
Packaging Software, Puppet Labs Style - PuppetConf 2014
byPuppet
 
KEY
Ruby and Rails Packaging to Production
byFabio Kung
 
ODP
Solving the Package Problem
byJoe Brockmeier
 
PDF
OSDC 2013 | Software Packaging with RPM Demystified by Andrew Ford
byNETWAYS
 
PDF
Deploying software at Scale
byKris Buytaert
 
PDF
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
byPuppet
 
PDF
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
ODP
packaging
byEddy Mulyono
 
PDF
Closing the gap between Distros(devs) and their Users(ops)
byKris Buytaert
 
PDF
Course 102: Lecture 22: Package Management
byAhmed El-Arabawy
 
PDF
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
byPuppet
 
PDF
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
byNETWAYS
 
PPTX
Software management in linux
bynejadmand
 
PDF
Joe Damato
byOntico
 
Puppet Camp LA 2015: Package Managers and Puppet (Beginner)
byPuppet
 
Puppet Camp LA 2/19/2015
byice799
 
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
Package manages and Puppet - PuppetConf 2015
byice799
 
$ make install
byMarios Isaakidis
 
Repositories as Code
byKris Buytaert
 
Packaging Software, Puppet Labs Style - PuppetConf 2014
byPuppet
 
Ruby and Rails Packaging to Production
byFabio Kung
 
Solving the Package Problem
byJoe Brockmeier
 
OSDC 2013 | Software Packaging with RPM Demystified by Andrew Ford
byNETWAYS
 
Deploying software at Scale
byKris Buytaert
 
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
byPuppet
 
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
packaging
byEddy Mulyono
 
Closing the gap between Distros(devs) and their Users(ops)
byKris Buytaert
 
Course 102: Lecture 22: Package Management
byAhmed El-Arabawy
 
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
byPuppet
 
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
byNETWAYS
 
Software management in linux
bynejadmand
 
Joe Damato
byOntico
 

Recently uploaded

PDF
Coding Assessment Tools .pdf
byCodexpro
 
PPTX
Custom chat gpt integration services.pptx
byChetu
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
PPTX
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
PDF
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
PPTX
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PDF
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PDF
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PPTX
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PPTX
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
PPTX
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
PPTX
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
Coding Assessment Tools .pdf
byCodexpro
 
Custom chat gpt integration services.pptx
byChetu
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 

Packaging is the Worst Way to Distribute Software, Except for Everything Else

  • 1.
    Packaging is theWorst Way to Distribute Software, except for everything else Ryan McKern | Puppet Labs mckern@puppetlabs.com
  • 2.
  • 3.
    What do Ido now? Release Engineering at
  • 4.
    Maybe you've used our products?
  • 5.
    What have Idone? System Administration … for 13 years.
  • 6.
    I’ve probably been your customer
  • 7.
  • 8.
    "Prejudice is agreat time saver. You can form opinions without having to get the facts." Attributed to E.B. White, Source unknown
  • 9.
  • 10.
    Distributing software sucks Shipping new platforms is so hard Cross-platform packaging is so hard Unpredictable user-space is so hard Moving the packaged bits is so hard
  • 11.
  • 12.
    Who among usknows this pain? sad@roberto Downloads $ wget -­‐-­‐quiet http:// ftpmirror.gnu.org/gcc/gcc-­‐4.9.1/gcc-­‐4.9.1.tar.bz2 sad@roberto Downloads $ tar xjf gcc-­‐4.9.1.tar.bz2 sad@roberto Downloads $ cd gcc-­‐4.9.1/ sad@roberto Downloads $ ./configure ./configure: line 532: sed: command not found ./configure: line 1371: sed: command not found ./configure: line 1920: sed: command not found ./configure: line 2291: sed: command not found configure: error: cannot run /bin/sh ./config.sub ./configure: line 361: sed: command not found ./configure: line 310: sort: command not found
  • 13.
    This was aproblem because the customer's time has value
  • 14.
    Behold! ryan@animatronio ~$ sudo rpm -­‐Uvh http://my.mirror.co/pub/ el/7/x86_64/nano-­‐2.3.1-­‐10.el7.x86_64.rpm Retrieving http://my.mirror.co/pub/el/7/x86_64/ nano-­‐2.3.1-­‐10.el7.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:nano-­‐2.3.1-­‐10.el7 ################################# [100%] ryan@animatronio ~ $
  • 16.
    What's so great about packages?
  • 17.
    Dependency management calculon~ # apt-­‐get install cmake Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: cmake-­‐data emacsen-­‐common libarchive12 libnettle4 libxmlrpc-­‐core-­‐c3 The following NEW packages will be installed: cmake cmake-­‐data emacsen-­‐common libarchive12 libnettle4 libxmlrpc-­‐core-­‐c3 0 upgraded, 6 newly installed, 0 to remove and 51 not upgraded.
  • 18.
    Verification bender ~# mv /usr/share/man/man8/applydeltarpm.8.gz ~/ bender ~ # rpm -­‐V deltarpm missing d /usr/share/man/man8/applydeltarpm.8.gz bender ~ #
  • 19.
    Distribution ryan@tinnytim ~$ gem push erniebert-­‐0.1.0.gem Pushing gem to BetterThanRubyGems.org... Successfully registered gem: erniebert (0.1.0) ryan@tinnytim ~ $ gem install erniebert Fetching: ffi-­‐1.9.6.gem (100%) Building native extensions. This could take a while... Successfully installed ffi-­‐1.9.6 Fetching: erniebert-­‐0.1.0.gem (100%) Successfully installed erniebert-­‐0.7.1 1 gem installed ryan@tinnytim ~ $
  • 20.
    What could bebetter about packages?
  • 21.
    Sometimes shipping bits really is hard
  • 22.
    Security is oftenboth the joke and the punchline ouch@killbot ~ $ dpkg-­‐sig -­‐-­‐verify puppet_3.7.1-­‐1puppetlabs1_all.deb Processing ./puppet_3.7.1-­‐1puppetlabs1_all.deb... GOODSIG _gpgbuilder C093A3A56A6E0BEEA2821DD7133957EA11028DF3 1413702159 ouch@killbot ~ $ dpkg-­‐sig -­‐-­‐verify ./puppet_2.7.23-­‐1~deb7u3_all.deb Processing ./puppet_2.7.23-­‐1~deb7u3_all.deb... ouch@killbot ~ $
  • 23.
    So, so, somany similar-but-different formats
  • 24.
    Let's talk aboutsome popular packaging formats
  • 25.
    .rpm • Managedby the recursively named "RPM Package Manager" & yum • cpio compressed binaries & text files • Post-installation tasks are shell scripts
  • 26.
    .deb • Managedby dpkg & apt, the "Advanced Package Tool" • ar compressed package with two gzipped tarballs & a small text file • Post-installation tasks are shell scripts
  • 27.
    Mac .pkg •Used by Mac OS X, and often delivered in a .dmg (disk image) or a .zip file • xar compressed archive, containing a binary file, two archives, and an XML document • post-installation tasks are still shell scripts
  • 28.
    About all thosepost-install shell scripts Maybe they're not that safe, but the surface area of this problem is big. That doesn't mean we needed "dash"
  • 29.
    Ruby .gem, Python.egg, and Node .npm • These are library managers with delusions of grandeur • Reuses the "download, decompress, configure, build, install" patterns, which hasn't got much spam in it • Constant compilation is a bummer
  • 30.
    What about... ? #realtalk We only have 45 minutes, and I hope you're going to have some questions for me to evade
  • 31.
    What are somealternatives?
  • 32.
  • 34.
  • 36.
    Full Disclosure •Puppet Labs does use the curl|bash technique as an option for our PE agent installation • If you don't trust your own Puppet Master, who do you trust? • (ALL THE COOL KIDS WERE DOING IT)
  • 37.
    You just wantedRuby but you got Cthulhu ~ $ curl -­‐sSL https://get.rvm.io | bash -­‐s -­‐-­‐ -­‐-­‐fhtagn G̺̞ ̯͔̮̫̥ ͊̌͂ a͍͕͓̦͈̯̟̋ r̘̰̟e̓̓ ̦ C̋͋ͬt̂̅̓ t͇̻̩̲̬ ͇̪̹͔̾ ̟ḧ́΅ͭ ̩̿ͭ ͖̙̤ ͭl̅ͦ̓ ̝̙̭ ̗ ṷ ů̥͖ ͍͎͍ ̦̟ n̠̣̭ ̞̻̱̳ ̬ ̣̗ ̑ ̖͎ͩ hͯ ͐ ̝̤̊ ̞̭̳͚̞ ̘ s ̓ ͔̣ ̺̝͇ l̃ͪ͐̎̍ a̅͋̏̀ ̜̯͉ ͈͇̲ ̓̑ ̭̻l̂ͬ̽ ͮ ̙͇̼͍ r̭̂̋ͦ ̻̺̭ ̗͙̃ ̻̤̳ ̰̤ i̅̿̌ͫͣͪ ̺̙̽_̻͚ ̤ s ̮͇ e͍̞̚ ̿̌ͮ̍ ̝͕̳́̽ ̩̺ͅ ͉ r f͈̱͓͓ ̦̰̬̗ ̗̝̼ m̞̗͎͍̾̈͊ o͈̩ͪ̈ ̟̤̻͉ ̃ͨͬ́̉ͩ̓ ̰̝e͍͎h '̼̬̤̋̉̽lͪ ͣ ̗̼ͥ̉R ̱͚̏ ̫͙͓̰͔ ̃̂̂ ͕͓̲ y .̚ ̣̫ ̞͓͈ ̼̪̠s͔̹̞̟t͈̘͕ H͎̯ ̙̱a͍̟͍ͅ ̘̼ u͙͓̙̟r̥̹̫͇͎ ͚ ̻ͅ ̣ ̙̹ ͍̮ t ̻̳̮ h ̩̜̣_ e̠_̱̣͔ ̼ ̺͉U s͈̰̣̥ p̻ a͕̗̣̺ k ͇e̤͍̯ ̻̹͓̬ ̹̤̳a̠͍̪ b̩_ ̪_̥͖͎͍ e̪̻̣̣ ̙̼ ͈̬s͇̮̞ ḻ͇ ̥͖̠ ̹̩̖ ̙̲ a̺͈̹̤͈͉ͅ ̣̮͕̙ ̗ h ̠̟ ̰̜̜l̬̹̭ l̺̞ ̩̳̮̩̰͕ͅ ̻r̮̥̦͍͍ ͈̫ e̳̠̙̘ ̱ u̠͇r̮̣͓ ̘̬̰ t͔͚̳̹̰ ̰͖ n̗͍ ̥͕ ̥͉f̜͚r̯͍ͅ o͈̯̦ ̖ ̳͓̦͔ ¯ͭ̔ ̻͙̫̪̪̖͈ ͔̬ ̣̌ ̠̟̱̒ ͍m̻̟ ̭ ̼̠ ͍̣t͖h͔͉̞ e̬̫̦ ̋͂ ̖͇̼ ̊ͤ̓̋̄̐͌̾ ̩̝̮ ͓ d̰̼̞̤͕ ̤̘̣̭͍̖ ̻͈ ̟̭ ͡l̴l h͞ow l͢ f̕o ́̃̍̆̂̇̒ͫ k̲͖̻̻̆͋ͬ̑ ̩͍̭̙ ̥ k̙̣͕͔ ̘̮̤̻̜̳ r̯̰̱̬̭ͅ ḁ͙ ͔͔̺ ̠ ̗ s̻̱͎ ̙̦̝̗͍͎ ̞̪t̫͉̟̻ ͖ ạ̫ r͔̺ ͍.͔̖͚̺̹ ̰̫ Ǹ`ya͠rĺath̢ote͡p̢ ͟s̀`h ̨ a ̷reve̢r̀` ͑̎ ň̽̌ ḯ΅ ̣ ̃̄̇ͪ̂͑ ͉͔̙̤̪̜ h ̉ͦ ͕t͂̔ ͨ͋̅̿ ͔̆ͫ̓ͫ ̫͖̻ e ͫ͌͛ ͦ͆ͭ̽ ̊ͩͩ̇ͣ ̗ͅd̂ ā̇ͤ͋ͭͨ ̗̰ ͙̗̝͕̩̥ ̟͍ ř nͮͯ̑̿͒ e̍͒̅̄ͣ̀ ͅͅ ̪̠̗͕̥ ͋̋ ͙̹͎̺̠ s̊̈̽̊̌ s̈̌ͪ ̱̳ .̄̑̎ ͔̙̣ ̤̰̟̦̥ ͉̉ ͙̬
  • 38.
    curl | bashoften assumes • There is no air-gap • Every request is a safe & sane request • That HTTPS is good enough
  • 39.
    curl | bashoften forgets • >100% Broadband coverage • Mirrors exist • HTTPS secures transport, not content
  • 40.
    curl | bashtotally ignores • The benefits of reusability • The fragility of shell scripts • The fragility of shells
  • 41.
    Security is hard • RVM recently introduced hand-rolled GPG signing* • Thread had 48 comments within a week, almost universally about the implementation • Broke semver, automation, and hearts * https://github.com/wayneeseguin/rvm/issues/3105
  • 42.
  • 43.
    Isn't that fromChef? • Sure, but so is Test Kitchen • Builds packages while still controlling the entire dependency stack • Lots of love from users with complicated dependency stacks
  • 44.
    Omnibus is oneway to skin the entire cat • Abstracts (instead of removes) dependency management • Only builds packages for the platform it's installed on • You're going to want to know Ruby
  • 45.
  • 46.
    Effing Package Managers •General purpose swiss-army knife of package building •Works around a lot of the shortcomings of existing package managers •Jordan Sissel is a SAINT (Shout out to #hugops!)
  • 47.
    "Common packaging patterns,a distaste for existing packaging practices, and some hate-driven development yielded FPM! Add some amazing contributions in code, bugs, features, and support from the community and boom we have modern FPM." Jordan Sissel My inbox, Oct 10 2014
  • 48.
    Effing FPM •Swiss army knives are rarely the best tool for a given job • General purpose in this case means a lot (~150ish) of command line flags • Still infinitely better than curl | bash
  • 49.
    Why so manyalternatives? What went wrong?
  • 50.
    RPM Packaging can be tough • RPM Spec files are weird • Kind-of M4, kind of Shell, all obtuse • Oh, and kind-of Make; only kind-of • Sort-of competing RPM standards
  • 51.
    Deb Packaging canfeels like penance • "debian/" directories are outright hostile to man & beast alike • Debian "Helpers" usually don't • dpatch can use unified diffs (sane) or shell scripts (what?!)
  • 52.
    Conflation of purpose • Some library managers try to install executables, e.g. gem, pip, npm • Remember when I said "delusions of grandeur"? (Google Image Search was kind of useless here)
  • 53.
    But really, Ijust have a hypothesis! • Developers love solving new problems • Sometimes they confuse their problems for the customer's problems • Maybe packaging isn't a solved problem yet, but it's close
  • 54.
    Where do wego from here?
  • 55.
    Sometimes the onlychoices you have are bad ones; but you still have to choose.
  • 56.
    TL;DR: this problemis (mostly) solved Stop writing new installers from scratch Give your customers the best packages possible Don't forget Pareto (any number of 80/20 rules)
  • 57.
    Thank you You'rewonderful. Thank you for letting me rant at you for as long as you did. mckern@puppetlabs.com @the_mckern
  • 58.