Packaging notes

Debian is the most mature package manager and dependency tracker.

I think it’s worth comparing Debian packaging tools with Widget packaging and the old Java/JAD ways to do things.

Debian’s dpkg requires a POSIX shell. A POSIX shell is a high requirement on (low-end) mobiles, which typically do not support fork or exec.

Consumer

  1. install
  2. Installs deb http://debian.webvm.net/ unstable/i386/ into /etc/sources.list
  3. apt-get update retrieves Release & Signature as well as package listing
  4. Local Debian packaging is kept in /var/cache/apt/
  5. apt-get install resolves dependencies that can be obtained from the multiple repositories
  6. Debian packages are downloaded locally
  7. dpkg does the dependency checks against what exists and installs them
  8. dpkg maintains records of what’s installed, half-installed, removed, purged etc.

Vendor

  1. Build package
  2. Sign .changes file
  3. Upload to repository (mini-dinstall is a good tool for this)
  4. Repository checks the signature and signs it with “archive-keyring”
  5. Repository generates Release & Signature - see a log

Comparison to Java mobile

Comparison to W3C widget specs

Widget updates

TODO check Firefox extension update mechanism

Use case: Peer-to-Peer distribution of a signed package

Nowadays businesses typically make money from a service, not the actual application. So businesses want to see their applications spread virally.

In the mobile market, networks are expensive and many devices have USB or Bluetooth connectivity, so people will want to exchange “widgets” without a canonical centralised service.

This use case makes signed packages difficult, as the way Debian signs packages is via the repository’s package listing. In a Debian world, direct peer-to-peer sharing (no, not BitTorrent) of packages could happen with local instances of repository manager software running.
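
The dependency this use case runs into, as an added example (not code from this wiki or from Debian): the archive signature covers Release, Release carries the hash of Packages, and Packages carries the hash of each .deb, so a .deb handed over by a peer can only be checked if the index files travel with it. The package name, paths and bytes are constructed, and the signature check on Release is assumed to have been done separately (e.g. with gpg).

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map index path -> SHA256 from the 'SHA256:' block of a Release file."""
    hashes, in_block = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_block = line.strip() == "SHA256:"
        elif in_block:
            digest, _size, path = line.split()
            hashes[path] = digest
    return hashes

def package_hashes(packages_text: str) -> dict:
    """Map Filename -> SHA256 for every stanza of a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields and "SHA256" in fields:
            result[fields["Filename"]] = fields["SHA256"]
    return result

def verify_peer_deb(deb: bytes, filename: str, packages: str,
                    index_path: str, release: str) -> bool:
    """Assumption: the signature over `release` was already verified by the caller."""
    if release_hashes(release).get(index_path) != sha256(packages.encode()):
        return False                          # Packages is not the one Release vouches for
    return package_hashes(packages).get(filename) == sha256(deb)

# Constructed sample data: a fake .deb and the two index files that vouch for it.
DEB = b"constructed .deb bytes for illustration"
DEB_NAME = "./hello-widget_1.0_i386.deb"
PACKAGES = ("Package: hello-widget\nVersion: 1.0\n"
            f"Filename: {DEB_NAME}\n"
            f"SHA256: {sha256(DEB)}\n")
RELEASE = ("Suite: unstable\nSHA256:\n"
           f" {sha256(PACKAGES.encode())} {len(PACKAGES)} Packages\n")

if __name__ == "__main__":
    print(verify_peer_deb(DEB, DEB_NAME, PACKAGES, "Packages", RELEASE))         # intact copy
    print(verify_peer_deb(DEB + b"x", DEB_NAME, PACKAGES, "Packages", RELEASE))  # altered copy
    print(verify_peer_deb(DEB, DEB_NAME, "", "Packages", RELEASE))               # .deb sent alone
```

The last call is the peer-to-peer case: with only the .deb in hand there is nothing that links it back to the signed Release, so the check fails even though the package is unmodified.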