[tor-dev] Why not use The Update Framework? (TUF)
adrelanos at riseup.net
Thu Aug 8 09:07:44 UTC 2013
> TUF was a successor/fork of Thandy, not the predecessor:
Sure. (Thats what I meant to write. :)
>> TUF is written in python, and after all those years, TUF developers are
>> still maintaining it and actively developing it. I think in future TUF
>> will become a mature and widespread solution. Also work is being done to
>> let pip (the python library installer) internally use TUF. So it can't
>> be so bad after all?
>> If you have discussed this and reasons for rejecting, fine. Just wanted
>> to throw it in, because I think basing this feature on another active
>> project (TUF) works better than reinventing the wheel.
> Well, it's not like the Firefox updater isn't an active project
> The advantage of using the FF updater are:
> * Actually proven to update Firefox. (That's a big one; updating a
> running application in a cross-platform, user-friendly way is much
> harder than the "replace files with the latest version" problem.)
> * Smaller marginal increase in Windows bundle size, since it
> doesn't require a Python interpreter or py2exe runtime for TBBs that
> don't ship that.
> * Used in production by orders of magnitude more people.
> * Has even more maintainers and developers.
> * Is even more mature and widespread.
> * Likelier to be doable fast by the people working on TBB today, we think.
> In the Munich meeting, we weren't sure what the exact disadvantages
> are yet; perhaps once we've reviewed the state of the art with FF's
> updater, we'll run screaming for the hills. Likely disadvantages
> include the kind of stuff that most non-Thandy, non-TUF systems suffer
> That said, who knows? If the distance from where FF is to where it
> needs to be is too big, we might be wrong. The answer might be to end
> up with porting the important parts of TUF/Thandy (metadata
> especially well (download updates and apply them in a robust and
> user-friendly way) as-is.
> (BTW, a thought I had: one subtle flaw of the meeting summary format
> [and of most of the online stuff I write, I guess] is that it doesn't
> do a good job of distinguishing between "I'm sure about this! It's
> decided forever"; "I'm pretty sure about this, but let's talk more as
> we go forward"; and "I dunno, seems like a good idea, let's try it."
> So when you write stuff like that, there's always a risk that you'll
> sound like you're dropping ukazes when you're really just trying to
> make the best decision you can today, subject to revision tomorrow. So
> thanks for asking!)
Sounds very reasonable. Thank you, Nick for explaining that to me.
More information about the tor-dev