The Zero Install system removes the need to install software or libraries by running all programs from a network filesystem. The filesystem in question is the Internet as a whole, with an aggressive caching system to make it as fast as (or faster than) traditional systems such as Debian’s APT repository, and to allow for offline use. It doesn’t require any central authority to maintain it, and allows users to run software without needing a root password. In this editorial, we will see how software is accessed via Zero Install and how we can distribute our own programs through it.
Zero Install and the Web of Software
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
I personally don’t think that is a good idea. Looking at friends’ computers I always wonder what they need all the junk they install for.
“Speed
Doing a “dist-upgrade” to keep up with the latest security fixes and features downloads the full contents of every updated package instead of just updating the index files and refetching the software on demand.”
If you wanted to upgrade just one package, you could always do “apt-get install <<package to be upgraded>>”. But just how is “refetching and caching” faster than downloading and installing? Especially when upgrading a whole system like “dist-upgrade” does?
And this is no solution for modem users. They would still need to “fetch and cache” (download) all the required packages. So the amount of data being transferred from a server to the client is magically reduced by 0install?
“Bugs in the install and uninstall scripts can prevent the system from working or even damage important data.”
How can this not happen with 0install? Of course it wouldn’t be able to break the system. But single apps could still be broken.
I guess the whole point of 0install is to let a user install software without the need of a system administrator or a system administrator’s skills. But where would this be wanted?
Think about an office, some users 0install openoffice, others 0install gnumeric. Both users need to work on spread sheets made with Excel. Let’s say both programms exhibit some bugs (and they do, in real life there is no perfect bug free software). And further look at how both apps support the Excel file format. OpenOffice’s support is just a tad better (like support for coments on table cells). But neither is quite perfect. Does this all read like a chaos in the making? Does this make administrators cringe in fear? I would think so.
My opinion is 0install would have no place in a corporate enviroment where homogenity is more important than users whims and preferences.
And for the average home computer user? I won’t speculate on this. I’m not an average home computer user, learning to work with and setting up my computers and OSs is fun for me.
This is very interesting, but what happens if the network is down? I like to have my apps with me.
This will revolutionize the way software is delievered.
And to think we have been using this method for years with our web browser.
This is very interesting, but what happens if the network is down? I like to have my apps with me.
you can still use the program because its been cached. Since the program is cached you still have the apps with you.
My opinion is 0install would have no place in a corporate enviroment where homogenity is more important than users whims and preferences.
If homogenity is so important then we would still be using thin-client.
This amounts to an automatic update system. If the programs are cached on my hard drive, they will take up the same space as a traditional installation.
How often would you need to refresh the cache? Only when the program authors release an update.
The objection to automatic updates is that new versions of programs are often buggy. It is wise to wait until some other users have reported on a new version before installing it. With this system you would not have that option. A fatal bug in an upgrade of Quark XPress would bring the whole publishing industry to a halt.
he isn’t powering the gestapo-like national id card database.
You mean like Sun’s java (smart) card.
If I cannot reach the network to cache a program for the first time? IMHO the best install system I’ve seen is the one used by ROX, the apps directories, like MacOS X bundles, you don’t install anything throught the system, you simply drag the application directory in one place and the double click on it, in ROX if the app isn’t compiled it will compile it automagically.
Probably is not suitable for the whole system, but for precompiled apps (like commercial ones for example) should work very well, everything needed to run the app could be bundled only in the application dir without external dependencies
RE: DrLinux (IP: —.dslextreme.com) – Posted on 2003-12-13 10:30:02 and Roy Batty (IP: —.107.147.31.charter-stl.com) – Posted on 2003-12-13 10:20:50
he isn’t powering the gestapo-like national id card database.
You mean like Sun’s java (smart) card.
Funny you bring up the Java card considering that facts given definately don’t represent the conspiracy theorists that are bought up on a regular basis.
It reminds me of right wing poiticians. They scream about big government and yet they pass laws under the pre-text of taking the “moral high ground”, never mind that fact that these fat republicans have a couple of misstresses on the various cities for their “comfort” and “company”, when they go back home they beat up their wife whilst they disown their son who has just come out of the closet.
Funny that we also have people here quite happy to submit their person information to a large corporation and yet it never actually occurs to them that this information is sold, exchanged and horse-swapped for other pieces of personal information.
Stop comming up with conspiracy theories and stick to the topic at hand. If there are any breeches in the public service, it is due to poor legislation NOT the fact that the information is there.
I think that you are starting to dodge about what mathers, let’s stay focus…
“Instead of copying software from the Web onto our computers, we cache it. It’s a faster, easier to understand, and safer way to get software, suitable for both broadband and dialup users.”
How may this system, 0install, may let you use software if you don’t copy it to your computer? Theres is no Scotty to beam it up to our pc. And if it really copy the software, as i think it did, how may this be suitable for dial-up users ?
But anyway, this is an ingenious e curious concept…
If you wanted to upgrade just one package, you could always do “apt-get install <<package to be upgraded>>”. But just how is “refetching and caching” faster than downloading and installing? Especially when upgrading a whole system like “dist-upgrade” does?
Because typically when you dist-upgrade you download a whole load of stuff you won’t actually run until the next dist-upgrade, just because you want the bug-fixed version available if you do happen to run it.
The objection to automatic updates is that new versions of programs are often buggy. It is wise to wait until some other users have reported on a new version before installing it. With this system you would not have that option. A fatal bug in an upgrade of Quark XPress would bring the whole publishing industry to a halt.
Well, as the article explains, all previous versions are also available; running the latest version is merely the default action. It’s a bit harder with libraries, but it’s just an interface detail: how do you say “Run Gimp with GTK-2.0.1”? See 0divert and friends for one option.
This is very similar to Java Web Start
It’s not in the slightest bit similar to Java Web Start, which doesn’t use filing system plugins to make the thing transparent. 0install operates at a much lower level than JWS does.
Agreed, sounds very similar to Java Web Start, so no groundbreaking ideas here. However, I would like to see how this unfolds.
http://java.sun.com/products/javawebstart/
i wonder what the chances of gnome/fedora/kde/etc adopting this are?
umm, there needs to be a system to addopt first.
Isn’t this only about the 1,547th time that this has been visited? Acan we say “Thin client”? or “Diskless workstation”?, or “Java Web Start”?
Give it up. No one wants to run their applications over the network. It is slow, unreliable, and unsafe. And it doesn’t do you a lot of good when you are 40,000 feet over the middle of the Atlantic Ocean on a business trip.
Oh yeah… And it is just a stepping stone on the path to the point where software vendors can force subscription based software down our throats, so that we have to pay monthly subscription fees to use our word processor, just like we have to pay monthly subscription fees for cable.
No one wants subscription based software either.
Well, this sounds extremely interesting!
However, on second glimpse it seems to me that the advantages to autopackage aren’t that large but it also has some disadvantages.
– 0install requires the system to be installed for the application to work, so as a packager, you can’t be sure that everyone can run your app unless 0install would come preinstalled on every distribution. This is not good because you get the chicken and egg problem unlike with autopackage, where you know that every Linux user will be able to run your application by just executing the package file.
– There is no integration with the application menu. The FAQ claims that you don’t need it, but that doesn’t make much sense to me. Even if you don’t need to install those applications, you still want to access them from a common place and that’s the application menu on most distributions.
Maybe it could be modified to install a menu link the first time you run it, or you could run some “mini installer” to put it in there, but the difference to just installing an autopackage becomes really small.
– If I understand it correctly, it will always try to get required libraries from the cache, so if you already have the library installed in /usr/lib, you will have it twice?
– It might be irritating to the user not to know when stuff has to be downloaded. Imagine you want to quickly finish something and suddenly it starts downloading a 20mb package because you didn’t run the same thing before.
Maybe I’m missing the big picture, but to me autopackage still seems like the more promising candidate to get mass adoption and solve this particular problem for Linux, though of course it’s still a very cool concept. I’d be curious to know what Mike Hearn thinks about all this.
Read the damn article. This has nothing to do with running applications over the network.
“Zero Install is a fundamentally different way to access software. Instead of copying software from the Web onto our computers, we cache it. It’s a faster, easier to understand, and safer way to get software, suitable for both broadband and dialup users.”
Caching software from the network is the exact same thing that Thin Clients and other such workstations with minimal disks did.
So yes, you are running the application from the network. You are just locally caching it. This is nothing new. It is typical open source “Let’s copy someone elses idea”.
By the way, when I said “let’s copy someone elses idea”, what I meant is that this is virtually a clone of Java Web Start.
I don’t care the slightest whether this is something new or not (please just get over it once and for all), I was just refering to your complaint about it beeing “slow, unreliable, and unsafe. And it doesn’t do you a lot of good when you are 40,000 feet over the middle of the Atlantic Ocean on a business trip“. If you’d read the article you’d know that the application is not run from the network at all, it’s run from the cache and only downloaded from the network if it’s missing. Thus, it could probably be better described as “installing on the fly”.
Sorry for my initial harsh words, but it really bugs me when people take the time to write complaints, before they actually take the time to carefully read what it’s about.
This kind of system works really well in a manged corporate environment. We use Java Web Start on a number of corporate client projects as updated software has to be installed in only one place rather than upgraded on every machine which uses it. The administration time is far less than with an installed app but it does require more conservative development. You can’t do a massive UI change between versions or break compatability with the last file format unless you are really careful as it confuses your users.
As with many easy/managed install systems, this type has its uses but it isn’t the answer to everything; or for everyone!
“Sorry for my initial harsh words, but it really bugs me when people take the time to write complaints, before they actually take the time to carefully read what it’s about.
”
It’s ok. I admitidly didn’t read the article careful enough, and the OS News headline is a bit misleaing by stating “eliminates the need to install software by running all programs from the network filesystem”. (Just as a note, I am not the one that submitted your comment for review.)
You can remove my “unreliable and slow” gripes. But not my “unsafe” gripe. The article didn’t mention anything about the ability to digitally sign downloaded content. And that is critical to security with a system like this, especially if you can have automatic upgrades done in the manner suggested by the article. Basically, the system and the user need some way to verify that the upgrade they are downloading really is coming from http://www.mycoolapp.org web site, and not some cracker’s computer between the two points that is impersonating http://www.mycoolapp.org so that he can upgrade everyone’s software with a trojan horse.
(It’s relatively simple to impersonate a Web site domain, especially if you have access to a DNS server).
Looks like a neat way of handling software.
As already mentioned in a prior post, I worry about the “control” issue. What if Zero install decides to start charging for this download “service”?
Is there a GPL’d “server” version that can be run to host apps on a local network or setup your own Zero Install mirror?
Note: I only skimmed through the website & the FAQ so this could already be explained somewhere.
What a great Idea! I go to the web, update the kernel and any other
program I’m using and go on about my business with no interruptions
only seeing the changes after I reboot.. This time has come for linux…
As already mentioned in a prior post, I worry about the “control” issue. What if Zero install decides to start charging for this download “service”?
It’s decentralised, so there’s no place to insert charges. The protocol uses HTTP, so any web server will do. It would be like the w3c deciding to charge for accesses to web sites…
Regarding security and GPG signatures (which someone else mentioned): read this http://zero-install.sourceforge.net/security.html (especially the bullet points at the top)
A lot of these posts make it obvious that the people who posted them didn’t read much of the article…
‘As already mentioned in a prior post, I worry about the “control” issue. What if Zero install decides to start charging for this download “service”?’
ZeroInstall isn’t a centralized download service like Windows Update. In fact, it’s completely decentralized, because it explicitly specifies for applications to be downloaded from machines on the Internet, not from some monolithic ZeroInstall archive.
‘You can remove my “unreliable and slow” gripes. But not my “unsafe” gripe. The article didn’t mention anything about the ability to digitally sign downloaded content.’
You missed the part about signing updates with GPG keys. It’s not like the apps run as root anyway during any part of the process, though, so risk is minimized.
‘So yes, you are running the application from the network. You are just locally caching it. This is nothing new. It is typical open source “Let’s copy someone elses idea”.’
It doesn’t make it a particularly bad idea. Java WebStart is a useless pain in the ass because no one seems to ever distribute applications that way.
Java WebStart is a useless pain in the ass because no one seems to ever distribute applications that way.
Ehh?
You mean Java app distributers are a pain in the arse cos they don’t use it, or its a crappy implementation??
Yeah, Java app distributers are a pain in the arse for not using it, but the tech is fantastic (I use it a lot).
This looks more like the CODA filesystem (http://www.coda.cs.cmu.edu) than WebStart. In spite of the name, zero-install seems to be more about application deployment than software installation.
“You missed the part about signing updates with GPG keys. It’s not like the apps run as root anyway during any part of the process, though, so risk is minimized.”
True, but users generally don’t want trojans reeking havoc with their personal files either.
And if it can’t run with root privilages, it seems to me that it probably has very limited usefulness. After all, that means it can’t update out of date system libraries and such. And it also seems to suggest that you would end up with a lot of duplicate shared libaries installed.
So each app developer would provide a cached version of their software themselves? I DID mistakenly think it was a monolithic server setup. My “bad”…
On a side note I do think a little paranoia is a good thing. It helps identify misunderstandings (as in this case) and brings potential pitfalls to fore.
Thanks for the clarification!
E.
“True, but users generally don’t want trojans reeking havoc with their personal files either.”
Or mail bombing their boss… Or sending obscene pictures to their pastorto their pastor from the user’s email account… All of which a trojan running as a nomral user without user privilages could potentially do.
Trojans running as normal users can do a hell of a lot of damage without root access.
It really WILL NOT work for dialup users. The main reason is because dialup is prone to disconnects.
Im halfway through “loading” a program, and my net connection goes. I now have to reconnect before I can run the damn program! And you better hope what was already downloaded cached properly, otherwise I have to start the whole download over!
Here’s the big thing, what if I want to run some new text editor while Im surfing the net? On dialup, my bandwidth is already really small. I cant use the text editor because downloading the app would slow my surfing to a crawl.
On dialup, this system isn’t “seamless”, and therefore, it loses most of it’s advantages.
Believe me, if I see a whole “start menu” full of programs, I better be able to use them, because downloading is not something dialup people like to do.
I already liked the ROX filer and its application directories. Zeroinstall is equally cool and a perfect (and necessary, maybe) complement to it.
However, these ideas need a distribution to have a chance. I remember reading the discussion about ROX in the DEBIAN mailing lists, for example. And I dare to say from using ROX under DEBIAN that it’s not as usable as it could be in its own ‘enviroment’.
Thus one point seems true: such a system has no chance without being able to read a package list and prefer packages from it, sort of: “Insert CD1 of <Whatever> to install <Whatyou wanted>!” This holds for modem users and for users of a zeroinstall-based distribution.
‘And if it can’t run with root privilages, it seems to me that it probably has very limited usefulness. After all, that means it can’t update out of date system libraries and such. And it also seems to suggest that you would end up with a lot of duplicate shared libaries installed.’
The whole point is to be able to have multiple copies of system libraries coexisting on the system, and to have programs that use different versions of them coexisting without conflicts! The article talked about automatic dependency resolution by transparent downloading of required components; how would updating glibc in this way be different from updating kdebase or gnome-core?
‘Believe me, if I see a whole “start menu” full of programs, I better be able to use them, because downloading is not something dialup people like to do.’
Debian uses a cache of packages on installation CDs during its install to install applications on the system. RedHat does the same thing with archives of RPM files. Why couldn’t a 0install-enabled distribution not ship with a preconfigured cache of packages to install?
This also easily solves the problem of “What programs should be made default on <insert favorite distro here>?” Right now, you have it one of two ways: install one app of each type and fight dependency hell when you try to install your favorite application, or install everything and get the kitchen sink. With 0install, a distro could precache a preferred set of tools, and then offer pointers to the installation packages of other applications that are preconfigured to work on that distro. Best of both worlds?
‘True, but users generally don’t want trojans reeking havoc with their personal files either. ‘
This is clearly the case. But every time you install a RPM file, you run basically the same risks, except that you run the same risks with a process running as root. How is that much better??
Hmm… it’d be fesible to roll an entire Linux distro out of this tech if they would add the hooks to do postinstall configuration of a package…
The only problem I see is that you’d have to have some minimal base system that you’d have to bootstrap with. 0install isn’t something you could install the kernel with, in other words.
The idea to “cache” the apps and libraries instead of “copying” them is really cool and way revolutionary. I declared my /usr filesystem to be just a cache years ago, and especially after putting $HOME/bin in my PATH so I can use stuff without having to be root, everything has gotten so much easier!!1
Honestly, is there any real advantage except some newspeak and coupling the concepts of using and installing software more tightly (whyever someone would want that)? Can’t these people just write PHP webmail systems or Linux filesystems or something like anybody else instead of posting stupid ads disguised as “editorials” on public websites where people might waste time reading them?
I really don’t know why I bother reading the OSNews comments section anymore. It is so weighed down with moronic trolls spouting rubbish without reading the damn article. And even when they do read the article, they don’t understand it and write even stupider questions.
This is a *good* idea. Even if it’s not used by home users, it would be good in a corporate environment as they could deploy applications on the server, and the workstations Rsync the updates when the application is run. From what a friend was telling me, Windows has been able to do something similar to this for a while. I think Novell used to have a similar setup for applications, but I’m not sure, I’ve never worked with Novell systems.
It would be cool to have zeroinstall apps in the K/Foot menu, but have ones that aren’t cached greyed out so a user knows it will require installation (perhaps by writing GNOME and KDE VFS plugins). Also, it should have a graphical progress meter for the download (and perhaps ask for confirmation, dialup users want to know how much is going to be downloaded beforehand). This would mean going through all the dependencies and calculating the download size before commencing the download. Also, I hope that all the files are compressed.
The objection to automatic updates is that new versions of programs are often buggy. It is wise to wait until some other users have reported on a new version before installing it. With this system you would not have that option. A fatal bug in an upgrade of Quark XPress would bring the whole publishing industry to a halt.
If you had read the article carefully, you would have seen this part:
“Zero Install uses a very aggressive caching scheme. If it has already fetched something, it won’t try to fetch it again. This is because software is typically used in a different way than Web pages (which are also often cached). When I open a Web page in my browser, I don’t want to see yesterday’s version. When I run the
Gimp, I’d probably rather use a month-old version than wait for the new version to be fetched. However, we can force an upgrade very easily. Click on the Refresh button in the filer’s toolbar, and the cache (for the whole rox.sourceforge.net site) is
updated.”
So your objection has been addressed.
It really WILL NOT work for dialup users. The main reason is because dialup is prone to disconnects.
Every one of your complaints is equally valid for the current “manual download and install” method of installing software. All 0install would change is that it would make it easier to install the software… instead of having to manually go through an arcane and error-prone download-and-install process, you would just run the program and it would automagically do the install for you (the first time only — after that it would be cached locally and work like any other installed program). So what’s the problem?
Seems to work pretty well. Installed (ran) ROX-Filer like on the introduction page, worked a treat.
It would be nice if the progress meter would sit in the system tray rather than popping up all the time. Also, it would be cool if it could provide an estimate to the total amount that needs to be downloaded and the time it will take.
If distros had zero-install already configured with a big cache of libraries most things depend on, then most application downloads would be very small. Also, the admin should be able to force zero-install to use system libraries rather than downloading its own (I believe 0divert could be used for this?).
This sounds so sweet. However how does it handle configurations? Where does it put them?
And more importantly, is there any way to do post install tasks? Lots of programs need to do things like modifying config files, adding users, etc.
It seems that this method is only useful for desktop apps that don’t really interact with other programs that much. Not for something like servers that need to start on system boot, and create users and stuff. Or am I missing something?
“I really don’t know why I bother reading the OSNews comments section anymore. It is so weighed down with moronic trolls spouting rubbish without reading the damn article.”
Yes… Throw your temper-tantrum now by calling people morons and trolls. After all, how dare they disagree with you? How dare they critisize an open source product?
So throw your temper-tantrum. It’s the way your species (Linuxius zealotious) knows how to respond.
“The whole point is to be able to have multiple copies of system libraries coexisting on the system, and to have programs that use different versions of them coexisting without conflicts!”
The problem with systems like this is that they often install unnecessary dependancies.
Example: The program will install wizBangOMatic lib 4.2, even though the system already has wizBangOMatic lib 4.21 installed.
I’ve seen this happen with many dependancy checking systems. It’s a serious problem that needs to be fixed.
‘The problem with systems like this is that they often install unnecessary dependancies.
Example: The program will install wizBangOMatic lib 4.2, even though the system already has wizBangOMatic lib 4.21 installed.
I’ve seen this happen with many dependancy checking systems. It’s a serious problem that needs to be fixed.’
I’d personally take MacOSX’s bundling paradigm over Linux’s current adhockery any day.
“I’d personally take MacOSX’s bundling paradigm over Linux’s current adhockery any day.”
What Linux really needs, is simply to have a standard set of GUI programming libraries that come standard with Linux distros. That would eliminate 99% of the dependancy headaches that exist with Linux.
Example, with Windows most of the functionality I need to program a GUI app is found in one of three libraries. kernel32.dll, user32.dll, or gdi32.dll.
With Linux there is no standard. And so you often end up writing programs that require tons of third party libraries such as GTK or QT, lib-jpeg, lib-png, lib-glade, and 20 or 30 other dependancies. And almost all of this could be avoided if Linux had standard graphics programming libraries like Windows does.
> >If distros had zero-install already configured
… there would be no market for distros. If every distro was easy to use and were 100% compatible with others, who would use a commercial distribution? With a common base, there would be no problems getting support (even paid support), so the last argument for choosing a commercial distro would dissapear.
A distro is just a kernel, with a packaging system and technical support.