Thread

Tarballs can indeed be fine, most folx not raised by wolves will checksum em at bare minimum, and are likely already capable of simple build for their os.

That's hard to say. I've work with some real noobs over the years. Tarballs can still feel very foreign, and checksums aren't even included for many public projects. That said many very big projects ship setup scripts, with direct bash invoke syntax so you can assume they don't expect their audience to verify their work. Compare any of that to the Windows user and my customers get uncomfortable with a .zip archive. They expect to run signed exes or msi installers. At a minimum you can still ship a self-contained zip file and it can just work without any extra tools or scripts.

checksums are overrated. they're usually supplied next to the same bytes that they're protecting, so anything that can modify one can modify the other. gpg signatures, checksums published on nostr – those are okay

I agree re: pgp sigs but getting normies to do so? Blasphemy.

Why not containers?

Specifically that at some point they became the solution to distributing software, because everything else sucks so bad. It just seems like it's a huge failure that we ship nearly an entire user space environment just to make apps work reliably. And it's really only a Linux problem... Speaking specifically to the distribution component.

Maybe if we had "modular" containers that were able to have individual modules, but at that point it could be on the rootfs. I am mostly thinking from a server app perspective though. Otherwise, I agree.

I could see that, but I still think distros can do better. I think, in theory, nix has come the closest maybe? But we have a problem with repositories, and distribution too. Nix does seem to be able to support declaring like abstract resources such as http tarballs, but that's the limit of which I've interacted with it. It's also nowhere near mainstream yet. In the "datacenter" I agree. I think we _should_ be using containers for many other reasons, and I almost exclusively use them for server software. But for everything else it's a shame. That said plenty of services until _very_ recently might only offer container, or the setup was so manual and painful it sucked. Have you ever used Obtainium on android? Imagine being able to distribute your app by putting a signed tarball on an http server, and users could poll it to fetch updates. No special repositories, no permission, straight from developers or wherever they distribute (lets be honest it's mostly GitHub releases). And as a user I don't need permission from anyone else to "Obtain" a developers packages.

Ideally a self describing and mostly self contained tarball (excluding obvious system dependencies), but otherwise it would be good.

Like this: https://github.com/megastep/makeself. But that still doesn't solve the versioning and obtaining part.

PGP signatures should be 100x easier than checksums for normies on Windows with gpg4win. It's a simple install, and then you just download the .sig file next to the package and double click it. No terminal needed. I think its as simple as sums on Linux as well. Sums are only good for ensuring the file was downloaded as it was advertised imo. Basically useless but better than nothing, and helpful for verifying corrupted or partial downloads.