Originally Published: Sunday, 6 February 2000 Author: Rob Bos
Published to: featured_articles/Featured Articles

The Ramifications of Binary Distribution


In recent months, a fast transition has been made, away from the traditional source distribution of software using tarballs towards a more "user-friendly" approach -- that of binary packages destined for use on a specific platform. Debian, Red Hat, SuSE, and Slackware all have their means of packaging software; thousands of discrete packages that make up a typical Linux distribution are compiled beforehand for a certain platform, put into a package, and set up to fit within the framework of a particular distribution of Linux (with its program dependencies, software and device requirements, and so on).

Binary packages are convenient, and relatively trivial to set up properly. They are the preferred format in most arenas due to their relatively small size, and their ease of installation and administration, especially when dependencies are set up properly and easily accessible. Binary package software is quite nice when properly set up. Still, there are several problems with it. First, when software is primarily distributed in non-source format, there is an increased chance of catching and spreading viruses from system to system. While there are, at this time, all of three or four documented Linux viruses, none of which have been found "in the wild," the possibility that the number of careless people reaches the critical mass needed to support the spread and continuation of a virus in the wild increases correspondingly with the number of Linux users.

More immediate, however, is the possibility of trojans. In the worst case scenario, the possibility of malicious code infecting one of the primary Debian mirror sites, and then being distributed quickly and efficiently to any of thousands or hundreds of thousands of machines is a scary thing to consider, especially with the existing web of trust in place. This isn't paranoid fear-mongering. It's the simple recognition of something that could very well happen at some point as distributions become more and more diverse and automatic updating systems become more common. Central software distribution sites are going to be more of a tempting target than ever, due to this habit of binary distribution of software. It is not hard to imagine the possibility of one of the many thousands of pieces of software at rpmfind.net, for instance, being quietly loaded up with a bad login program, or the possibility of an intentional modification to any software that needs to be run as root.

The Unix security architecture takes care of the majority of these problems. As the proportion of Linux users who don't care about security and safe computing increases, the possibility that this could become a fairly serious problem (though infinitely less serious than it has been in the past in other computing sects) increases correspondingly as the probability of simple ignorance or carelessness increases.
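The mirror-compromise scenario above implies one concrete check an automatic updater must make: the expected package digest has to be anchored in something the mirror cannot rewrite. The following is an added illustration, not code from the article or from any distribution; the package bytes, manifest format and out-of-band anchor are all constructed for the example.

```python
"""Verify a mirror-served binary package against a trust anchor that the
mirror does not control.  Constructed example: the package bytes, the
manifest format and the out-of-band anchor are all hypothetical."""
import hashlib
import hmac

# Constructed stand-in for a package as served by an honest mirror.
GOOD_PACKAGE = b"ELF\x01 login-1.0 (constructed package bytes)"
# The same package after a hypothetical modification on the mirror.
BAD_PACKAGE = b"ELF\x01 login-1.0 (constructed package bytes) + extra code"


def build_manifest(packages):
    """Manifest lines of the form '<name> <sha256 hex>', one per package."""
    return "".join(f"{name} {hashlib.sha256(data).hexdigest()}\n"
                   for name, data in sorted(packages.items()))


def manifest_digest(manifest_text):
    """Digest of the whole manifest; the value a user obtains out of band
    (install media, a signed announcement) stands in for a signature here."""
    return hashlib.sha256(manifest_text.encode()).hexdigest()


def parse_manifest(manifest_text):
    entries = {}
    for line in manifest_text.splitlines():
        name, digest = line.split()
        entries[name] = digest
    return entries


def verify_package(name, data, manifest_text, trusted_manifest_digest):
    """True only if the manifest matches the out-of-band anchor AND the
    package digest matches that manifest's entry.  A mirror that rewrites
    both the package and the manifest still fails the first check, because
    the anchor did not come from the mirror."""
    if not hmac.compare_digest(manifest_digest(manifest_text),
                               trusted_manifest_digest):
        return False  # manifest not the one the distributor published
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # package not listed: refuse rather than guess
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# The honest manifest and the anchor a user would fetch out of band.
MANIFEST = build_manifest({"login": GOOD_PACKAGE})
ANCHOR = manifest_digest(MANIFEST)
# What a compromised mirror would serve: modified package, rewritten manifest.
REWRITTEN_MANIFEST = build_manifest({"login": BAD_PACKAGE})
```

If the updater instead takes its anchor from the mirror (`manifest_digest(REWRITTEN_MANIFEST)`), the rewritten manifest verifies the modified package, which is exactly the failure the web of trust has to prevent.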

My second problem with the increasing proliferation of binary-only packages is on a less practical level. What happens to the ideals of free software, when it becomes more and more difficult to get access to the source code? Debian does a good job of this, providing mirrors for source code to all its packages, and it is relatively trivial for anyone "in the know" to find a given package's source. But in a few years, when it will be socially acceptable (even, perhaps, practical) to distribute software without any access to source, what happens to free software? There will, of course, always be a core group of free software adherents, and the software that we have today will always be free. But it will be correspondingly harder to educate new Linux users into the culture. Again, this might not necessarily be bad, but it will be a sad thing to many people who have been around for a while. Some might see this process as good -- the more Linux appeals to people who don't care about it, the better -- but it could end up encouraging proprietary software makers to have more economic clout than some people would be comfortable with.

In the long term, the seemingly inevitable (and extremely fast) shift to binary format in Linux distributions could have extremely serious consequences for the social enforceability of the GNU GPL. If the great majority of users neither know nor care about the availability of source, if any company can easily enter the lucrative Linux market with binary-only packages destined for a single fairly ubiquitous platform, and if it becomes commonplace in the minds of everyday consumers to accept the possibility that packages can contain trojans or viruses, the flexibility and power that has typified the GNU system would disappear in all but a significant minority of systems. The desktop user cares little about free (speech) as it applies to software, and as such, it could be a perhaps irreparable loss to the free software communities.

So what, if anything, can be done about this?

Rob Bos (rbos@linux.com) is a university student and lab technician at Simon Fraser University in Vancouver, British Columbia. He enjoys free beer, free speech, and cats. Cats are nice. He also has much humility and is most definitely an accurate source of information about himself.