[OpenIndiana-discuss] from the lost to the river

David Halko davidhalko at gmail.com
Wed Oct 3 09:25:29 UTC 2012


> > > I still don't know what IPS really is....
> >
> > "Image Packaging System"
> >
> > It's a software packaging scheme that was designed during the
> > OpenSolaris days as a replacement for the old SysV packaging system.
> > The big change is that it's based on a client/server model, where (at
> > least in the first implementation) the server was a required part of the
> > software upgrade mechanism.
> >
> > The old SysV packaging system had a disk format that delivered files,
> > including scripts that ran at installation.

SVR4 had a stream option, to bundle packages. Packages were often delivered
on floppies, tapes, disks, and eventually by HTTP.

> > IPS does not, and instead
> > has a set of pre-determined actions that can be taken during upgrade or
> > install of a file.  The lack of scripting is an important improvement --
> > the old scripting mechanisms allowed software developers to deliver
> > arbitrary horrors inside scripts, but the new system doesn't allow that.
> >
> > OpenSolaris (and OpenIndiana) still supports SysV packaging, but the
> > main software, at least in the main line of code, is delivered via IPS.
> One big difference between IPS and the old SysV system:
> A SysV package is one huge file whereas packages delivered via IPS are
> split into lots of single files; simply put: one file on your disk
> from a certain package ^= one file in IPS, cryptographically signed in the
> IPS manifest and stored in compressed form on the IPS server.

SVR4 packages could be delivered in streams encapsulating 1 or more
packages or as a bursted filesystem spooled packages. Encryption and
compression were an option in SVR4 using class action scripts by multiple

> If you download a newer version of a SysV package, MySQL for example, you
> normally have to suck the whole package, even when only a small part
> inside the package was changed. IPS on the other hand will download only
> the delta, i.e. those files that were changed.

SVR4 packages support sparse packages so full packages are not required to
be downloaded. The quality of the package provider will determine whether
you get full or sparse packages.

> Additionally the IPS server doesn't really care about the architecture of
> your system; it can store files for different CPU architectures and
> operating systems in one single repository. GlassFish for example is using
> this technique (*).
> (*) https://blogs.oracle.com/alexismp/entry/java_ee_6_tutorial_and

I used to build singular SVR4 hybrid packages which supported Solaris SPARC
as well as NCR UNIX MP-RAS under Intel. It was not difficult to build SVR4
packages to work identically under different OS's and CPU architecture - it
just meant more binaries were required in the package.

I think the big difference is pre-requisite bundling. Some SVR4 package
providers offer this capability, as well, as an add-on feature via a
front-end script... but this is strictly not SVR4 packaging today.

SVR4 packages include the ability to perform integrity checks of the
installed package against an accepted manifest. This offers security
checking options to ensure that scripts & binaries have proper permissions
and have not been tampered with (i.e. viruses, worms, malware protection)
while supporting volatile files (so security checks are not tripped up by
config file changes, log file rotations, etc.). I am uncertain whether the
newer IPS offers this level of post-install and lifecycle integrity
checking, since I never needed to audit a Solaris 11 / Illumos production

Hope that helps,
David Halko

> Just my 0.02$ ;-)
> Thorsten
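
The post-install audit described in the message above (permissions and contents checked against an accepted manifest, with volatile files exempt from content checks), as an added example that is not part of the original post and is not SVR4 or IPS tooling. The manifest format, the file names and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib, os, stat, tempfile

# Constructed manifest format (assumption, not SVR4's): path ftype mode size sha256
# ftype f = regular file, v = volatile (contents expected to change after install)
def parse_manifest(text):
    rows = (l.split() for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return [(p, t, int(m, 8), int(s), d) for p, t, m, s, d in rows]

def audit(root, entries):
    findings = []
    for path, ftype, mode, size, digest in entries:
        full = os.path.join(root, path)
        # A symlink swapped in for a delivered file is reported, not followed.
        if os.path.islink(full) or not os.path.isfile(full):
            findings.append((path, "missing-or-not-regular"))
            continue
        if stat.S_IMODE(os.lstat(full).st_mode) != mode:
            findings.append((path, "mode"))
        if ftype == "v":
            continue  # volatile: attributes are checked, contents are not
        with open(full, "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "content"))
    return findings

def demo():
    # Constructed install tree: a script, a volatile config file, a library.
    files = {"bin/tool": (b"#!/bin/sh\necho ok\n", 0o755, "f"),
             "etc/tool.conf": (b"level=1\n", 0o644, "v"),
             "lib/helper": (b"helper-v1", 0o644, "f")}
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, (data, mode, ftype) in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, mode)
            lines.append(f"{rel} {ftype} {mode:o} {len(data)} {hashlib.sha256(data).hexdigest()}")
        entries = parse_manifest("\n".join(lines))
        clean = audit(root, entries)          # audit straight after "install"
        with open(os.path.join(root, "etc/tool.conf"), "ab") as fh:
            fh.write(b"level=2\n")            # legitimate config change
        with open(os.path.join(root, "lib/helper"), "wb") as fh:
            fh.write(b"helper-v2")            # tampered content, same size
        os.chmod(os.path.join(root, "bin/tool"), 0o777)  # loosened permissions
        return clean, audit(root, entries)

if __name__ == "__main__":
    print(demo())
```

The edited config file produces no finding because it is marked volatile, while the same-size content change and the permission change are both reported.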
