Zero Install Injector Review

key review info
application features
  • The injector (0launch) is a small Python program.

ROX Desktop is one of the many graphical desktop environments available for Linux. It recently started to use its application directories in combination with Zero Install, a caching network filesystem, to make software installation completely automatic. Zero Install is a promising alternative to the package systems currently used on Linux, such as RPM or dpkg. Unfortunately, like other alternative package systems, it has trouble winning acceptance from the major distributions, so for now it can only be used as a supplement to native package systems, not as a complete replacement. That's fine: Zero Install doesn't even try to be one.

So what's different about this package system? Native package systems have a few issues which Zero Install overcomes thanks to its design. The first is security. Every time you update your computer (a regular Linux installation has about 1000 packages), the authors of those packages are allowed to run a custom shell script as root on your machine. Even if you trust each and every one of those authors, there's always the risk that one of them has had their machine compromised. The second is the lack of flexibility, which forces you to have only one version of a program at any time. You can't compile a program against two different versions of GTK and have both executables available and usable. Nor will you be able to run a very old program, because the libraries it needs have changed their versions and you will only get a "not found" error.

Rather than relying on a list of repositories, Zero Install is designed to allow programs in a number of formats (from .deb to .rpm and .tar.gz) to be pulled in on the fly from various websites, as long as those packages are digitally signed. Unlike native package systems, Zero Install only installs and updates programs as a normal user. This prevents users from damaging their systems, and it also allows software to be easily sandboxed by maintaining several user accounts purely for experimenting with different versions of a package. Unfortunately, the main drawback of this approach is that software must be installed separately for each user.

The Zero Install system has been replaced with a set of user-level tools written in Python, called the Injector. To install the Injector on your system, you will need a few things: Python version 2.3 or later, including any -dev package, GnuPG for checking digital signatures, PyGTK 2.0 or later for running the GUI, and the author's GPG key. Packages for several distributions have been made available to make installation a bit easier. The program's homepage provides links to installation packages for Fedora, Mandriva, SuSE, Debian, Ubuntu (all versions), Knoppix, Slackware and others; alternatively, the software can be installed manually from sources.

Once installed, you will have three new commands. The first is 0launch, which downloads and runs programs by URL. If the program is not already installed on your computer, 0launch downloads information about which versions are available and lets you choose one to download. It automatically does the same for the required libraries. 0launch also checks for updates if it has been a long time since the last check, allowing users to download and upgrade software without requiring root access. The second command is 0alias, which creates short scripts that run programs through 0launch, so you don't have to keep typing the full URI each time you want to run a program with 0launch. 0alias creates a small script in your PATH to do it for you. The third is 0store, which manages the implementation cache. Normally, the cache is updated automatically by 0launch.

How to use the injector. First, run 0launch as a normal user, giving it the URL of the program you want to use. Currently, only a few programs are compatible with Zero Install; the full list can be found HERE. The injector will switch to graphical mode (use --console to disable this) and will check for updates to the GUI itself. If any is available, you will be asked to confirm that you accept software signed with the author's key. Next, if the program requires any library, it will be fetched as well and you will be asked again to accept it if the key matches. The main part of the window contains a list of all the components needed to run the selected program, and when you're happy with it, you can click the Run button to start the program. The injector will then download and uncompress the packages into a temporary directory, and their contents will be checked against the digests in the interface files. If they are correct, the packages are placed in a cache so they don't have to be downloaded again the next time you run that program. When the download is complete, the program will run. To create an alias that saves you from typing the full URL every time you run that program, use the 0alias command: 0alias program-alias program-URL. To uninstall programs, run 0launch --gui, click on Show Cache, select the versions you no longer need under the program's URL and press delete.
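The digest check described above, sketched as an added example (not Zero Install's own code): an unpacked directory enters the cache only if its digest matches the one taken from the signed feed. The manifest format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def tree_digest(root):
    """Digest of a sorted manifest: one line per directory, symlink and file."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):  # record the target, never follow it
                lines.append("S %s %s" % (rel, os.readlink(path)))
            elif os.path.isdir(path):
                lines.append("D %s" % rel)
            else:
                with open(path, "rb") as f:
                    data = f.read()
                kind = "X" if os.lstat(path).st_mode & 0o111 else "F"
                lines.append("%s %s %d %s" % (kind, rel, len(data), hashlib.sha256(data).hexdigest()))
    manifest = "\n".join(sorted(lines)).encode("utf-8")  # sorted: order-independent
    return "sha256=" + hashlib.sha256(manifest).hexdigest()

def add_to_cache(unpacked_dir, expected_digest, cache_dir):
    """Move unpacked_dir into the cache only if it matches the feed's digest."""
    actual = tree_digest(unpacked_dir)
    if actual != expected_digest:
        shutil.rmtree(unpacked_dir)  # discard content that failed the check
        raise ValueError("digest mismatch: expected %s, got %s" % (expected_digest, actual))
    final = os.path.join(cache_dir, expected_digest)  # cache entry is named by digest
    if not os.path.exists(final):
        return shutil.move(unpacked_dir, final)
    shutil.rmtree(unpacked_dir)  # already cached under this digest
    return final

def unpack_sample(work, payload):  # constructed stand-in for download + uncompress
    d = tempfile.mkdtemp(dir=work)
    with open(os.path.join(d, "run.sh"), "w") as f:
        f.write(payload)
    return d

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    good = unpack_sample(work, "echo hello\n")
    expected = tree_digest(good)  # stands in for the digest in the signed feed
    print("cached at", add_to_cache(good, expected, work))
    try:
        add_to_cache(unpack_sample(work, "echo tampered\n"), expected, work)
    except ValueError as err:
        print("rejected:", err)
```

Because the cache entry is named after the digest, a later run can trust the cached copy without downloading it again, provided nothing but this routine writes to the cache directory.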

Moreover, anyone can make software available through Zero Install. You will first need to create an alias to 0publish-gui and run it. A new window will prompt you to enter some details about the program, such as its name, its description, its feed URL, the program's homepage URL and an icon. You will then need to add one or more versions of the program to the feed, which can be done from the Versions tab, using the Add Archive button. Also from the Versions tab, you can select any required files. Finally, you need to sign the feed so people can check that it's really from you. Go back to the previous tab and choose your GPG key from the menu. If you don't already have one, click on the add button. In the end, you will have three files: the signed XML feed listing the version, the GPG public key which lets people check the signature, and an XSLT stylesheet, in case anyone wants to view the feed in their browser. The files need to be uploaded to a web server so that anyone can run your program through the injector.

The Good

The Zero Install project is a supplement to the current package managers. However, unlike them, Zero Install's injector provides more security and control over the programs you need to run. Moreover, the programs are fetched and run from the web but none is actually installed. The program only keeps a cache to avoid re-downloading the program's files each time you want to run it. Moreover, programs run by Zero Install don't require root access. You can also create new Zero Install packages.

The Bad

To increase the security level, Zero Install doesn't support installing an application for multiple users. However, this is a bad thing only if you're trying to install it on a multi-user machine with several users registered on it.

The Truth

Zero Install is a very promising application that will become an asset when it gets integrated into distributions. You will be amazed at how quickly it runs a program from a source package, even if the program isn't installed.

user interface 3
features 3
ease of use 3
pricing / value 3

final rating 3
Editor's review