Thursday, 17 December 2009

openSUSE BuildService Integration, Security and 150000 registered contributors

openSUSE BuildService Integration

As you know and are repositories for KDE applications. At the moment over 3600 KDE applications are listed on
You can search applications and rate them, add comments, become a fan of an application, subscribe to an application to get notifications about updates, or use the integrated knowledge base system for the apps.

The problem starts if you want to download an app. Most apps are only available as source files or as binaries for one or two distributions. It is a lot of work for the developers of the applications to compile and package the apps for every distribution.
So end users can't download an interesting KDE application from most of the time and have to use the distribution package manager. But not all distributions provide all the available apps, and not always in the most current version.

As you know, the openSUSE build service is a great service for developers to automatically build and package software for most Linux distributions and even for Mac and Windows in the future.

For over a year I have been talking with our friends from Novell about a possible integration of the Buildservice with and
Today I can announce that the first step is finally done.
You can add your buildservice project and package id to your application on and all the available packages for the different distributions automatically show up on the application page. I think this is a good first step to help our users get our great software and also make the life of the developers easier.

This is not the end of the road, of course. Soon you will be able to upload your application directly from Qt Creator or KDevelop to and the openSUSE Buildservice. The application will be built for all supported platforms and our users can download the apps via the website or GHNS.

I'm really excited about this improvement.
What do you think?

In the last few days an old discussion about the security of third party packages for Linux heated up again. The problem is that we don't have a good signing, sandboxing or other security system for binary packages in Linux. Solutions such as AppArmor or SELinux are not used at the important places. So it is a risk for the user to install packages from third party websites. You never know what you get and if the package is safe.
This is not a specific problem of the sites. It is the same situation for packages from the openSUSE Buildservice, from Sourceforge, Freshmeat, Ubuntu PPAs or any other place.
So the question is what we can do to improve the situation. Markey already blogged about a suggestion for Amarok plugins. Having everything in a central repository is a good idea for Amarok, but I'm not sure if this works for all kinds of packages.
I will organize a BOF session at Camp KDE in January to discuss these problems with everybody who is interested. I'm sure we can come up with good solutions to fix these security problems.
Everybody is invited to join the discussion.

User registrations:
A few days ago we reached a new record of registered contributors. At the moment over 150,000 users are registered on the site. These are all people who are contributors. Users who are only interested in reading and downloading stuff don't have to register. This is really impressive, especially because we have 100 to 150 new registrations every day.


Fri13 said…

I like the idea a lot. But how could we actually make sure that the "Black Ninja" and "Waterwall screensaver" thing does not happen again?

The download should be signed and be visible only when it is from upstream. Every other binary that gets uploaded by someone else would get a marking about being untrusted.

Bille said…

I've added a link to the openSUSE Build Service for my app KNetworkManager (content=116884), but the download links don't show yet, is there a delay between these being added to the app and the links appearing? If so could you add a note?

seli said…

Something seems to be broken with it. I added the buildservice information to (project home:llunak:kde, package wmiface, which clearly exists), yet the page shows only my manual links.

Frank Karlitschek said…

The Buildservice Packages are updated every 30min. @Bille, @seli : The Downloadlinks are now visible. :-)

Bille said…

It's showing the links for KNM now, but the openSUSE links to one-click install files (*.ymp) were broken due to a bug on the build service api server, that Adrian just fixed - so if these links on are generated once then cached until the content changes, you should poke the script to rebuild them now.

Pedro Lopez-Cabanillas said…

I've also added my build service project and ID for vmpk (content=88233). It was not clear if only the project name or the full URL is required. Looks like the full URL. The results are a bit confusing, with all the debuginfo and debugsource downloads interleaved and not clearly labeled. Nice feature, though.

Frank Karlitschek said…

@bille It updates automatically every 30min. So the new links should be visible now. Is there a way to get more information about the packages, like a description text for example? At the moment we show a lot of download buttons and it is not clear which one is the lang, debug, lib or other rpm.

seli said…

Ok, now it shows, but there is room for improvement, both when entering the data (WMIface also builds for xUbuntu, but it doesn't show in the list, so what is wrong there?) and when downloading the packages (right now it's a "random" list of packages for different distros, maybe it should be grouped somehow).

As for finding out more information from the build service, I suggest asking in a more suitable place than a blog :), like the opensuse-buildservice mailing list.

faye hunter said…

This comment was removed by a blog administrator.

robermann said…

Why are xUbuntu and Debian packages not shown in the download section?

Frank Karlitschek said…

Are you sure that the Ubuntu packages are available at the buildservice? Can you give me the link to the page so that I can debug it?

Thank you.

Pedro Lopez-Cabanillas said…

I am not Bille, but anyway KMid2 suffers the same problem. I've cooked a crude workaround, though.

robermann said…

This is my project:

Here you can see all DEB based projects:

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.