Microsoft's CoApp To Help OSS Development, Deployment 293
badpazzword writes "Microsoft employee Garrett Serack announces he has received the green light to work full time on CoApp, an .msi-based package management system aiming to bring a wholly native toolchain for OSS development and deployment. This will hopefully bring more open source software on Windows, which will bring OSS to more users, testers and developers. Serack is following the comments at Ars Technica, so he might also follow them here. The launchpad project is already up."
I'll follow them here too. :D (Score:5, Informative)
Ask me about CoApp, I'll tell ya everything ya wanna know.
Garrett Serack
CoApp Project Owner
Re:I'll follow them here too. :D (Score:2, Informative)
When will MS be pulling the rug out from under the community?
How much of a fight will we seen when someone tries to packup an app that competes with an MS product?
Re:I'll follow them here too. :D (Score:5, Informative)
Well, considering that I spent several months hacking thru red tape to get VP approval, and the enthusiasm that I've been getting, I'm pretty damn confident that we're clear sailing.
And given the first three targets that on my radar are PHP, Apache and Python (and the 40 or so shared library dependencies), and that's what I took to the VP, I'm fairly confident that's not going to be an issue.
And, on top of that, MS doesn't own the project, I do. "Shutting it down" is not an option for them.
Re:I'll follow them here too. :D (Score:3, Informative)
At least you can diff a config file. Try that with a gui.
Text based config, with an option gui/wizard really should be the only way this sort of thing gets done.
Re:I'll follow them here too. :D (Score:5, Informative)
That is precisely the red tape that I had cut.
Microsoft has given me a signed contract that says that whatever I produce for the CoApp project isn't owned by them. They do get a license to everything I make (fair deal), but they don't own it in the end.
That, and I've also chosen the BSD license for it's do-what-the-f*-you-want spirit.
Re:I'll follow them here too. :D (Score:5, Informative)
No.
My intent is to completely do away with the practice of everybody shipping every damn shared library. It's one of the things that piss me off the most. I've got a very workable solution that uses WinSxS to cleanly handle this.
It is extremely important that there is a unified method for sharing libraries between apps.
Re:I'll follow them here too. :D (Score:5, Informative)
Is this some kind of back-handed comment based on the general view at Microsoft about Open-source software, or the general view that MS would like to push out to userland? That people should use MS OSS because you need to be a developer to use it on other platforms?
No-no.. exactly the opposite
Have you tried to roll out some OSS apps on Windows?
On Linux it's two clicks, and BAM! Done.
On Windows, it's almost never that easy to setup OSS apps.
The problem I see is that it doesn't take a Developer on Linux to get Apache installed and configured. Why should it on Windows?
Re:Why only open source? (Score:5, Informative)
Why limit this to open source? It would be great if the users could update every program easily and painlessly, at least the ones that use this new system.
I'm Busted. It isn't really restricted to Open Source... but that's my mission. Commercial apps will be able to play just fine in this ecosystem.
I am assuming that this system will allow easy and painless upgrading like on most Linux systems. Is that true? Will it have automatic dependency handling and command line installation?
Yes. Painless and automatic dependency handling, and yes command line tools. You are singing the chorus to my theme song!
Re:Why only open source? (Score:5, Informative)
I second the question about limiting to open source. A good package management system that can could make using SxS painless would be awesome in an enterprise environment.
I agree. it ain't really limited to Open Source
Since this is open source and .msi based I assume you will be leveraging WiX somehow?
Yes indeed. The author of WiX is on the mailing list, and a personal friend. He's very excited about all this too.
I hope this isn't going to be a big collection merge modules with duplicated component guids..
Nope. I don't believe in merge modules. I believe in a system that works.
Re:I'll follow them here too. :D (Score:4, Informative)
Assuming that you've looked at APT and similar packaging tools, and given that you're still convinced that there's a 'Windows Way' (your term) to handle deployment that differs from Linux best practices, how do you plan to address:
Yes, I've worked with APT and RPM for a very very long time now. The reason I'm convinced there is a 'Windows way' is because it's a different system that Linux; yes, I've learned a lot about PMS from Linux, and I know how to apply that knowledge to Windows.
Package Repositories - This is one of the main strengths of Debian and related distros. Do you think it's even possible to replicate this level of community control in Windows? I know you've mentioned decentralisation, but have you considered the implications of such an approach? What is the cost of failure to affect consistent, formalised management of package builds?
I have a plan for allowing any publisher to publish packages in the CoApp ecosystem, provided they meet two qualifications:
- They must be able to host their repository meta-data on an SSL protected connection.
- All packages must be digitally signed with a certificate that chains back to to a commonly-accepted CA.
Dependancy Management - This issue is largely done and dusted on Linux, but remains a dog's breakfast on Windows (albeit not as frustrating today as it was in the mid-90s). In the absence of centralised repositories and the Unix toolchain philosophy, how do you propose to cope better with dependancies?
I'm working with the developer of WiX to ensure that we can trivially build chained MSI packages that have the necessary smarts to properly manage this. Kind-of mixing in something like ldconfig with the Windows SxS library management.
File locations - How do you propose to manage the proper placement of libraries etc. when the conventions concerning where to put such files are not nearly as well defined on Windows? I'm suggesting here that you need cultural leverage rather than technical answers. You need to change perceptions, not toolkits.
Yes. The change starts with PHP, Apache, and Python, and the 40+ packages needed to build them (community members from each are already on board) Half of the project is setting some intelligent standards, and then bootstrapping the ecosystem with packages to enable other software to follow.
Security - Do you think it's even possible to replicate one of the main strengths of Linux package repositories: the ability to curtail security risks such as malware and flawed code?
Yes. By requiring code-signing (and I've got a plan for opening that up without cost for smaller projects) we can replicate the benefits of MD5 and PGP signatures found in the Linux world.
Scripting Interfaces - Say what you like about make and other command-line utilities, but as a busy sysadmin, I consider GUI package management a waste of my valuable time. If I'm going to deploy regular security updates, for example, I want to know that I can script every aspect of the operation. Even the tab-completion features in aptitude make it many times more efficient than a point-and-click interface. What is the potential for scripted deployment/management of packages under your system? Why?
I agree 100%. Scripting interfaces are an absolute requirement, and will likely come well before the GUI.
Think of it as a clean adaptation of the same concepts to the model that will be attractive to Windows developers.
I also think that you're going to need to learn a lot more humility than you've demonstrated so far if you want to achieve something better than a new brand of anarchy in packaging.
I apologize if I'm coming off arrogant. Frankly it's taken an extremely long time to convince the powers-that-be at Microsoft that Linux's package management is stellar compared to Windows. It's also not near as hard or large as it sounds, I'm walking on the shoulders of giants here, both in the Linux and Windows worlds.
Re:Just like the other vendors (Score:3, Informative)
Gee everyone else figured out a long time ago: give away the compiler.
How is this relevant to this discussion? You are (at least) 8 years too late to be pushing this line - Microsoft has been giving away compilers for a while now.
Maybe this will be a boost for gcc when everyone can see first hand how bad the Microsoft C++ compiler is.
And how bad is the Microsoft C++ compiler? Do you have any specific claims?
Re:wholly native toolchain (Score:4, Informative)
All but the last one are fine. I have some windows boxes I have to deal with and I sure as hell do not want to be stuck using some GUI IDE just to build the latest $foobar.
Use of the GUI ain't mandatory... it's just that in order to get Windows devs on board, it'll have to have one.
The core bits will all be able to be command-line driven.
Re:Just like the other vendors (Score:3, Informative)
Gee everyone else figured out a long time ago: give away the compiler.
Microsoft Visual C++ compiler has been free since 2003. It comes as a part of Platform SDK these days.
Of course, this is just a command-line compiler. You can also get Visual C++ Express for free if you want the IDE. This doesn't have MFC & ATL, but you can combine it with PSDK to get a full-featured native development environment; and, of course, you can use it with any third-party framework, such as Qt or wxWidgets.
Maybe this will be a boost for gcc when everyone can see first hand how bad the Microsoft C++ compiler is.
What exactly is bad about VC++ compiler? Can you be more specific? Are you unhappy about it not supporting C++ exception specifications (which no-one uses anyway)? Do you have a problem with optimization quality (in my experience, VC++ inlines things better and deeper than g++)?
Re:Why only open source? (Score:3, Informative)
And you get to have 1000 updaters all running on startup, each dragging along who knows what shared libs that instead of being properly shared are whatever version the app maintainer used.
Some distros do package up the latest and greatest. Normally though they use the latest update to the version of the app they shipped with, which makes sense from a support point of view.
Re:I'll follow them here too. :D (Score:3, Informative)
Um, then what are you doing wasting your time here on /.? Shouldn't you be locked in a caffeine fueled coding frenzy, programming until your fingers are bleeding? Open source software won't write itself, you know ;-)
I know!!!!
"His name cannot be s (16831)"
Is that a hint? Does that mean it could be one of the other 25 letters? Or maybe one of the 20 remaining consonants?
Well, ya see... with a five-digit slashdot-id I originally had "His name cannot be Spoken" as my name... then they did some database truncation about 12 or so years ago, and I lost some letters.
And ya can't change your name on Slashdot, and I didn't wanna give up my 5 digit ID. :D
Re:Why only open source? (Score:2, Informative)
Depends on the distro. Most mainstream distros have horribly out-of-date software (by choice). There are distros that do keep near-bleeding edge software in their repos, Arch Linux is one such distro, I've seen packages appear for new releases within a few days, at worst I've seen a package only a few revisions behind.
Re:I'll follow them here too. :D (Score:5, Informative)
As for the first five points, yes I'm aware of all of that, and I'm working to solve all of them. Some of them are not possible (mixing compilers has a lot of bad mojo) and some are solvable with some really good best practices.
1/ Microsoft are stopping using WinSxS assemblies for managing the C/C++ runtimes as it is complex to manage and get right;
Ah, Visual Studio is backing away from WinSxS. I read their justification. I didn't buy into it. I think it's a solvable issue.
2/ With XP, Microsoft were selling WinSxS as being able to deploy different versions of the binaries, but for Vista/Win7 they are now saying that WinSxS is for archival purposes (see the Engineering 7 blog)
Uh, what? I've been talking to the maintainer of the WinSxS system. He's fully supportive of my plans.
3/ It does not really work as intended in practice -- e.g. comctl32 version 6 is different in Vista/Win7 than in XP, yet the applications that reference the XP version use the Vista/7 version
It works just fine, as long as you use it correctly; if they didn't, it's not my fault. Some of the tools I'm building will make it easier not to screw up.
ANother ploy just like .nyet (Score:3, Informative)