To discuss this topic, I first have to talk about the history of package management in the BSDs. In GNU/Linux, people’s lives are made easy with package managers for each distribution (apt-get for Debian, yum for Red Hat, slackpkg for Slackware and so on). Package managers install software packages requested by users by downloading them from a trusted repository, analyzing which dependencies are required, and then downloading those dependencies from the same trusted repositories. Once all the downloading is done, the package manager installs both the dependencies and the requested software package. When a package is requested for removal, the package manager deletes the files that were placed in the directories when the package was installed and then deletes the associated dependencies. In some Linux distros like Debian, users are given the choice of which dependencies to remove and which to keep.
Package management in the BSDs? Well, in short, there’s no such thing as package management in BSD. All the BSDs do have a few binary tools called pkg_add, pkg_delete and pkg_info, but these are not package management tools. pkg_add doesn’t search for requested packages and download them from a remote repository, and it also does not resolve dependencies. pkg_delete removes the files associated with the package selected for removal. pkg_info just lists the packages installed on the machine. Hardly a package management system. Binary packages in all the BSDs are obtained from ftp sites. None of the binary packages are updated, and they are never patched for bugs and security vulnerabilities. Often installing software this way to create a barely usable desktop leads to large numbers of being introduced. The other way of obtaining third party applications is to use what is called the ports tree. The ports tree is simply a directory structure with makefiles and patch-files at the end for each piece of third party software. To install a package, a user has to cd to that directory (e.g. cd /usr/ports/www/firefox) and then type make install. BSD’s make then downloads the source code of the package from a third party site not related to the BSD project and applies patches to the source code to make it compilable on BSD. BSD make then checks for the required dependencies and does the same for them. After a long time spent compiling the package and its dependencies, they are installed onto the system.
Not only is this extremely slow and inefficient, but it also means that as maintainers of the third party sites modify or update their copy of the source code, ports become broken and uncompilable. Since most third party applications have a lot of dependencies, the chances are that there will always be one or two dependencies coming from broken ports which will cause everything to stop compiling. Consider that together with the fact that compiling a particular port can take up to a week, plus the fact that upgrades of software usually require the user to recompile nearly every third party application installed. This makes maintenance and fixing of a BSD system impossible for servers and for desktops. It is the main reason many companies including Yahoo switched from FreeBSD to Linux. Another problem with ports is that the sites where BSD make gets the source code from are not scrutinized at all by the BSD projects and can be considered untrusted, unlike Linux distro repositories. Third parties can willfully modify code maliciously, thus compromising users’ machines. These are a handful of major problems with BSD ports, but they are by no means the only problems. Unfortunately, some GNU/Linux distributions such as Gentoo have adopted the ports tree as their package “management”.
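The usual defence against the tampered-upstream risk described above is to pin a digest and size for every source archive alongside the build recipe and refuse to build anything that does not match. The following is an added example, not code from this post or from any BSD project; the file names, the sample archive and the BSD-style `SHA256 (name) = hex` manifest layout are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed manifest layout: BSD-style lines such as
#   SHA256 (example-1.0.tar.gz) = <64 hex digits>
#   SIZE (example-1.0.tar.gz) = 1234
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_manifest(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from a pinned manifest."""
    pins = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip comments, timestamps and blank lines
        entry = pins.setdefault(m.group("name"), {})
        key, value = m.group(1), m.group("value")
        entry[key] = int(value) if key == "SIZE" else value.lower()
    return pins


def verify_distfile(name, data, pins):
    """Return (ok, reason). Fails closed: an unpinned file is never accepted."""
    pin = pins.get(name)
    if pin is None or "SHA256" not in pin:
        return False, "no pinned digest"
    if "SIZE" in pin and len(data) != pin["SIZE"]:
        return False, "size mismatch"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pin["SHA256"]):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data. In practice the manifest is reviewed and stored with
# the build recipe, and is never fetched from the same server as the archive.
GOOD = b"constructed stand-in for example-1.0.tar.gz\n"
MANIFEST = (
    "SHA256 (example-1.0.tar.gz) = %s\n"
    "SIZE (example-1.0.tar.gz) = %d\n"
) % (hashlib.sha256(GOOD).hexdigest(), len(GOOD))

if __name__ == "__main__":
    pins = parse_manifest(MANIFEST)
    tampered = GOOD.replace(b"stand-in", b"backdoor")  # same length, new bytes
    for label, blob in (("upstream", GOOD), ("tampered", tampered)):
        print(label, verify_distfile("example-1.0.tar.gz", blob, pins))
    print("unpinned", verify_distfile("other-2.0.tar.gz", GOOD, pins))
```

The size check alone would pass the same-length tampered archive; only the digest comparison catches it, which is why both values are pinned.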
For nearly 20 years, BSD developers have been in denial of the handicap placed on users by their ports system, even as BSD usage share fell below 0.01%; however, this appears to have changed in 2012. Near the beginning of 2012, after being given the green light by Apple Inc (FreeBSD is owned and governed by Apple), FreeBSD developer Baptiste Daroussin created the first ever binary package manager for FreeBSD, called pkgng. While this new piece of software at first seems to solve all of FreeBSD’s package management problems, it actually makes package management a lot more difficult and sometimes impossible in certain cases. What’s worse, and blatant, is that pkgng is not an original piece of work as its creators claim; rather, it is actually a stripped-down fork of Debian’s popular apt-get package manager. This has legal implications for the FreeBSD project, as pkgng appears to violate the GPL.
First of all, installing software with pkgng and the ports together causes clashes. This is in contrast to pkg_add, which at least recognizes software installed from ports. Secondly, pkgng’s option to upgrade software (e.g. pkg upgrade) downloads new versions of the packages, but instead of simply deleting the old versions and installing the new versions, pkgng gives an error saying that the old version conflicts with the new version, and thus it is left to the user to manually remove the old packages and install the new ones. This often results in the removal of packages not requiring an upgrade. Thirdly, pkgng’s unused dependency removal operation “pkg autoremove” (guess where this functionality came from) actually removes dependencies required by installed (not removed) applications. And finally, the FreeBSD project has stated that it is not going to provide repositories or ftp sites for pkgng.
According to the FreeBSD project, users must now create a jail using an entire ZFS partition. Inside the jail, users are expected to compile packages from ports, effectively making their own repository, from which they are expected to use pkgng to install them on their main system. So as explained, FreeBSD is moving from a source and/or crappy binary package system to an effectively source-only system, except that you don’t compile and then install directly; you compile to make a package and then install the package. Can someone explain how that is supposed to improve package management? By the way, for those who don’t know what a jail is, jails are a feature originally designed by Linux developer Daniel Lezcano (the creator of LXC) which was then stolen by FreeBSD project member Poul-Henning Kamp to implement on FreeBSD. FreeBSD jails function similarly to Linux chroots but are far more insecure.
Finally, by comparing the source code of FreeBSD’s pkgng to Debian’s apt-get, people would find that pkgng is literally pieces of code ripped from apt-get with little to no modification. Indeed, discussions on the mailing list in late 2011 show that FreeBSD “developers” including Baptiste Daroussin took apt-get, removed the GPL license together with code they could not understand, and renamed the result pkgng. They did this as they were incapable of writing a package manager from scratch. This means pkgng has legal implications for FreeBSD, as it is illegal to remove the GPL from a piece of software without the author’s permission. It also shows how blatant the BSD projects can be when fighting against the freedom achieved by Richard Stallman, the FSF, Linus Torvalds and GNU/Linux.
Hopefully, the FSF and Debian will soon notice this, rectify the problem and make FreeBSD pay for such a violation.