[GRASS-dev] Re: [GRASS-user] Referencias de GRASS 6.3.0 nativo para MS-Windows

On Feb 8, 2009, at 12:44 AM, <grass-dev-request@lists.osgeo.org> wrote:

Date: Sat, 7 Feb 2009 23:07:35 -0800 (PST)
From: Hamish <hamish_b@yahoo.com>
Subject: [GRASS-dev] Re: [GRASS-user] Referencias de GRASS 6.3.0
  nativo para MS-Windows
To: grass-dev@lists.osgeo.org

Markus wrote:

Please download the new native winGRASS 6.4.0RC3 in
shipping with the OSGeo4W installer:

OSGeo4W
-> Download the OSGeo4W Installer.

GRASS is (yet) in the "Advanced Install" section.
To see the list of available packages, see at top of
PackageListing – OSGeo4W

Hi,

I (sort of) understand the reasons why it hasn't happened, but we _really_
need to get the stand-alone WinGrass 6.4 installer built. After all, the
(co-)primary goal of 6.4.0 is to finally achieve a native Grass for
MS-windows (along with the new wxGUI), and it seems a bit crazy to be
nearing the final release and still the thing hasn't even been tested.

It is a relief the OSGeo4W installer build is there for users to try,
but it is not the same as double clicking on "install_grass_6.4.0.exe";
and IIUC there are still wxGUI issues with the OSGeo4W package.

slightly frustrated,
Hamish

I'd like to second this. I also want to note that while a multi-package over-the-internet installer is perfectly normal in the Linux world, it is not the norm either for Mac or Windows. In fact, in many settings it can be a problem. For situations in which there is an IT division that maintains multiple computers, this kind of installer can prevent users from getting the software. The often very conservative (for good reason, especially with Windows) IT managers want single packages that they can test extensively and then install across multiple computers. From their perspective, multi-package installers--especially with software installed over the internet rather than out of a box--are potential trouble. This means that end-users (who do not have permissions to install software on their own machines) simply will not get GRASS or other OSGEO packages.

I'm facing this now. A regional museum is looking for good GIS software and is suffering extreme budget cuts. So GRASS seems to be a perfect answer. However, all software at the museum is installed by the city IT department, and ONLY by the city IT department. They are wary of open source software because it doesn't come from a box and hence (in their eyes) could be harboring nasty viruses, trojan horses, or incompatibilities that could cause problems with their other software. Not having single packages that they can test to convince themselves and their bosses that it is safe, makes it almost impossible to get this installed.

Along these lines, it might be worth thinking about a bit of a different model for open source disclaimers. They generally say in prominent type that 'hey, you're on your own with this; we're not responsible for anything'. I wonder if we could have some kind of a 'certified malware free' sticker for things acquired from the official OSGeo site? Also, in my experience, much OSS is less invasive and less apt to cause problems with already installed packages than much commercial software. Some text accompanying OSGeo packages prominently explaining this might also be helpful (with no guarantees, because every system is different).

Michael

Michael Barton wrote:

Along these lines, it might be worth thinking about a bit of a
different model for open source disclaimers. They generally say in
prominent type that 'hey, you're on your own with this; we're not
responsible for anything'. I wonder if we could have some kind of a
'certified malware free' sticker for things acquired from the official
OSGeo site?

Who is going to perform that certification?

GRASS' dependency tree is pretty substantial, particularly when you
look at e.g. GDAL and ffmpeg. Is someone going to analyse all of those
dependencies? What if the OSGeo server subsequently gets compromised?

--
Glynn Clements <glynn@gclements.plus.com>

I agree that this could be difficult for an individual open source dev team to do (Although I bet the GRASS user/developer community would catch, announce, and remove embedded malware very fast). I'm suggesting this as something that the large OSGeo umbrella might look into as a benefit to member projects. At least for malware, could this potentially be done in a semi-automated way for packages on OSGeo servers? Although malware can also get into upgrade sites for commercial packages, it doesn't seem to happen very often and the general perception is that these 'official' sites are clean.

Overall, my experience with major open source packages is that they are at least as safe and unproblematic as commercial packages--and sometimes considerably better. But the wording of our disclaimers, while more realistic perhaps, can put off IT managers. For example, the GRASS 6.3 windows package installer has been working fine for a year, and 6.3 works fine with Windows XP. Yet this is still listed on the GRASS site as the "GRASS Windows-Native Experimental Project". There are always issues to fix, but this is far beyond "experimental".

We don't want to make unreasonable claims, but perhaps should think more about how we word things so as to be less discouraging to potential new users and IT managers.

Michael

On Feb 8, 2009, at 9:52 AM, Glynn Clements wrote:

Michael Barton wrote:

Along these lines, it might be worth thinking about a bit of a
different model for open source disclaimers. They generally say in
prominent type that 'hey, you're on your own with this; we're not
responsible for anything'. I wonder if we could have some kind of a
'certified malware free' sticker for things acquired from the official
OSGeo site?

Who is going to perform that certification?

GRASS' dependency tree is pretty substantial, particularly when you
look at e.g. GDAL and ffmpeg. Is someone going to analyse all of those
dependencies? What if the OSGeo server subsequently gets compromised?

--
Glynn Clements <glynn@gclements.plus.com>

On Sun, Feb 8, 2009 at 6:08 PM, Michael Barton <michael.barton@asu.edu> wrote:

For example, the GRASS 6.3
windows package installer has been working fine for a year, and 6.3 works
fine with Windows XP. Yet this is still listed on the GRASS site as the
"GRASS Windows-Native Experimental Project". There are always issues to fix,
but this is far beyond "experimental".

You have SVN access, just change the Web page :)

Markus

Michael Barton wrote:

For example, the GRASS 6.3 windows package installer has been working
fine for a year, and 6.3 works fine with Windows XP. Yet this is still
listed on the GRASS site as the "GRASS Windows-Native Experimental
Project". There are always issues to fix, but this is far beyond
"experimental".

2c:
In 6.4 the "experimental" designation has been removed. For 6.3.0, well
experimental gives thoughts of alpha-ware while it is probably more
accurately beta-ware. oh well. The main download page says for 6.3: "This
version is mature enough to be used for day to day work", I don't think
it's bad that the native MS Win version has another warning.

We know in 6.3.0 there were many problems which have now been fixed: I'd
rather a user expected lots and lots of problems and only found a few,
than to expect none, find a few, and write the whole suite off as a pile
of buggy trash.

Also, I would hope to forget about 6.3.0 things and worry about 6.4rc now.
:)

Hamish

Michael:

I also want to note that while a multi-package over-the-internet
installer is perfectly normal in the Linux world, it is not the
norm either for Mac or Windows.

(point them to background automatic software updates)
I guess Cygwin & Fink examples don't count :)

In fact, in many settings it can be a problem. For situations in
which there is an IT division that maintains multiple computers,
this kind of installer can prevent users from getting the software.

down here bandwidth is slow and expensive so we prefer to maintain
local software repositories for multiple installs in the computer
labs. also net installs often have problems with password protected
proxy servers (bandwidth is seriously locked down here).

This means that end-users (who do not have permissions to install
software on their own machines) simply will not get GRASS or other
OSGEO packages.

see also the OSGeo live-disc project (live Linux boot from CD),
and Portable GIS project (zero-install GIS on a USB stick on MS Win):
  http://www.archaeogeek.com/blog/portable-gis/

both ways entirely zero-install / footprint.

However, all software at the museum is installed by the city IT
department, and ONLY by the city IT department.

I wish you luck.

They are wary of open source software because

fear of the unknown.

Along these lines, it might be worth thinking about a bit of a
different model for open source disclaimers. They generally say in
prominent type that 'hey, you're on your own with this; we're not
responsible for anything'.

This is for legal & license purposes, not simply misguided marketing.

Term 1 of the GPL reads:
----=----
  1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
----=----

Overall, my experience with major open source packages is that they
are at least as safe and unproblematic as commercial packages--and
sometimes considerably better.

Indeed, when hunting for MS Windows software I find myself automatically
adding "GPL" to the search engine terms to (hopefully) find some utility
that isn't useless bait&switch-ware. grumble grumble, yay Debian.

But the wording of our disclaimers, while more realistic perhaps, can
put off IT managers.

We don't want to make unreasonable claims, but perhaps should think
more about how we word things so as to be less discouraging to
potential new users and IT managers.

ok, Open Source can use with better advertising. No argument there.
This is Bruce Perens's "sell it on the business case, not the politics"
angle.

some kind of a 'certified malware free' sticker

talk is very, very, cheap. I would hope :-/ that sort of claim would be
completely ignored by any competent reviewer. I've gotten enough "Trust Me!"
spam emails that I generally take those to be an automatic sign that the
thing is a scam. IMO a professional looking product A-Z is more important
than a "Trust Me!" badge.

We can emphasize:

- many big institutions use & have contributed code (the USACE, the NOAAs,
  NASAs, University of abc, def, and ghi, Lockheed Martins, etc..)
  [safety in numbers; in good company]

- that this software is mostly written by professionals & experts (in our
  respective fields) and not by complete randoms;
  [respect of peers, people with real-world reputations to protect;
   more advanced/cutting edge/latest code straight from the authors]

- that our membership in the OSGeo Foundation requires us to have published
  policy in place locking down access to our source code and to have a
  clear and stringent method of granting new committers access;
  [verifiable audit trail]

- that the internals are open to inspection (and this is the kind of
  software which customizers will actually inspect on a regular basis);
  [if you still don't trust us, look around, be our guest...]

- if you don't trust the packagers, everything is there to build
  your own binary.
  [probably prudent to do that anyway]

see also paraview.org's website

2c,
Hamish

On 09/02/09 08:32, Hamish wrote:

Michael:

I also want to note that while a multi-package over-the-internet
installer is perfectly normal in the Linux world, it is not the
norm either for Mac or Windows.

Maybe we can go in this direction:

http://blog.qgis.org/node/124

Moritz

Hamish,

I agree with all you've said here. Perhaps a 'certified malware free' notice is ludicrous and your suggestions for positive PR certainly good. I just don't want to see OSS follow the lead of current product labeling (e.g., admonishments not to use an iron while in the bathtub). We want to be honest in both directions. The GPL license that we always distribute (and indeed must distribute) contains a healthy dose of disclaimer and is even quite readable, compared with the legal fine print that accompanies most commercial software.

Michael

On Feb 9, 2009, at 12:51 AM, Moritz Lennert wrote:

On 09/02/09 08:32, Hamish wrote:

Michael:

I also want to note that while a multi-package over-the-internet
installer is perfectly normal in the Linux world, it is not the
norm either for Mac or Windows.

Maybe we can go in this direction:

http://blog.qgis.org/node/124

This would be a way to combine both approaches.

Michael