by puppetmaster 934 days ago
The Achilles heel of package managers isn't consistency, but lack of packages.

I appreciate the benefit of distro-agnostic package management, but unless you rely on a portable toolchain, or distribute statically linked binaries exclusively, we fall short of the panacea of portability (many other options available, yes, but packages are needed!)

I have personally leveraged pkgin[1] for consistency. I can simply drop pkgsrc[2] in my home directory and use the same tools in *bsds, smartos, linux, macos and cheese.

[1] https://pkgin.net/
[2] https://www.pkgsrc.org/

edit: being more specific


Hi, I am the package maintainer for https://github.com/metis-os/hysp-pkgs (The default source that's shipped with hysp)

To address your concerns: 1. Yes, no portable toolchains or any other kinds of dependencies are required.

2. Each & every single binary is statically compiled. This is the core philosophy of Hysp: a single binary that runs anywhere.

3. Currently, there are about 200 pkgs for x86_64 & arm64 each. The upstream source (https://github.com/Azathothas/Toolpacks) has over 400 for x86_64 & 300+ for arm64, which will slowly be added to Hysp-Pkgs.

4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.

Hey, thanks for replying! I had missed the static binary detail, and it is by far the most sensible solution.

Regarding the packages, those are very respectable numbers... But who is maintaining them? It takes a lot of effort to maintain a repo up to date, with patches both functional and security related. This is in most distros a full time job for a group of people. For comparison pkgsrc has 19444 packages, and it takes a substantial effort to keep up to date.

Regarding 4... I am not sure about your angle there... "Running random binaries" is risky. Technically hysp is a random binary itself, from a random source. I don't know who you are, and even in that case any certification of authority is best efforts. You can't certify that the code you built has not been compromised... This is a tough problem, good ideas are still needed!

OTOH, maybe you could leverage the work of the pkgsrc team to increase the number of available packages, traceability, and portability! Join forces! Synergy!!!!

Regarding pkgsrc, we came across that, and the reason we eventually ended up creating hysp was that we didn't want to use any dependencies whatsoever.

So if you wanted to, you could use pure bash and nothing else to parse the TOML files that hysp uses and do everything that it does. Hysp is simply an abstraction over that philosophy.

As to the question of maintaining them, currently only I am. Hysp is a small project for now, and we have no plans to add anything that's dynamic. This will ensure low numbers of packages, but guarantee that those packages will work anywhere. So maintaining the PKGs is quite simple: I write a custom build script for each of them and then GitHub Actions automates the rest. This currently requires very little manual maintenance. The following repos are where the current packages are sourced from:

https://github.com/Azathothas/Toolpacks
https://github.com/Azathothas/Static-Binaries
https://github.com/Azathothas/static-toolbox

I had to mention 4, because people kept asking us about security concerns. Self-hosting everything on your own server and using hysp just as the frontend is an option for those people.
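An added example, not hysp's own code and not from either commenter, of the check that a self-hosted source makes practical: pin the SHA-256 of each static binary alongside its download entry and refuse to install anything whose hash does not match. The expected hash would normally come from the source's manifest; here the file, its hash and the install directory are constructed inline so the script runs offline. Tool and function names are assumptions for this example; hysp's real TOML layout is not assumed.

```shell
#!/bin/sh
# Added example (not hysp's code): install a downloaded static binary only
# after its SHA-256 matches the value pinned in a self-hosted manifest.

# Use whichever SHA-256 tool the host provides (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE EXPECTED_SHA256 -> exit 0 on match, 1 otherwise.
# A missing file yields an empty hash, which also fails the comparison.
verify_artifact() {
  actual=$(sha256_of "$1" 2>/dev/null)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# install_verified FILE EXPECTED_SHA256 DESTDIR
# Copies FILE into DESTDIR and marks it executable only if the pinned hash
# matches; on mismatch nothing is written and the function returns 1.
install_verified() {
  file=$1; expected=$2; dest=$3
  if ! verify_artifact "$file" "$expected"; then
    echo "refusing to install $file: SHA-256 mismatch" >&2
    return 1
  fi
  mkdir -p "$dest" &&
    cp "$file" "$dest/" &&
    chmod 0755 "$dest/$(basename "$file")"
}

# Demo with constructed data: a fake "binary", its genuine hash, and a
# tampered manifest entry that must be rejected.
demo() {
  tmp=$(mktemp -d)
  printf 'hello static world\n' > "$tmp/tool"
  good=$(sha256_of "$tmp/tool")
  bad=0000000000000000000000000000000000000000000000000000000000000000
  install_verified "$tmp/tool" "$good" "$tmp/bin" || { rm -rf "$tmp"; return 1; }
  echo "installed: $tmp/bin/tool"
  if install_verified "$tmp/tool" "$bad" "$tmp/bin2"; then
    echo "BUG: tampered entry accepted" >&2; rm -rf "$tmp"; return 1
  fi
  echo "tampered entry rejected as expected"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh verify.sh --demo`. The hash pinning only moves trust, it does not remove it: the manifest itself still has to come from somewhere you trust (or be signed), which is the point the thread makes about hysp being "a random binary from a random source" too.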

I wouldn't balk at a pure static binary distro. It could have its niche.
Some people would argue that there are few differences between a container and a static binary...

And of course, there is also https://sta.li/