Zero Install

Dr Thomas Leonard

Introduction

What is it?

The Zero Install system makes software installation not merely easy, but unnecessary. Users run their applications directly from the Internet from the software author's pages. Caching makes this as fast as running a normal application after the first time, and allows off-line use.

STOP!

Please at least read to the bottom of this page before flaming about how this is like Windows Update/thin-client computing, reinvents APT/autoapt, is slow/inefficient/insecure, doesn't share libraries, requires a fast/always-on net connection, or whatever other misconception you've acquired about Zero Install after reading one paragraph. Thank you.

Show me an example.

Let's say you're looking for a little desktop reminder application. You search Freshmeat.net and find Memo. You open the directory containing Memo (on the remote machine) with your file manager (note the title-bar):

[Screenshot: ROX-Filer window showing Memo application on the remote machine]

Click on Memo to run it, and it will run. Now, Memo depends on ROX-Lib2, which requires pygtk, which needs python2.2 and GTK+-2, which needs glib, pango and ATK. But that's OK; Memo runs everything it needs directly from the remote machines where they're stored:

[Screenshot: GUI progress indicator]

When you ran Memo, a progress indicator appeared briefly, showing the download progress. If you quit Memo and run it again, it will start instantly, because the Zero Install system has cached everything locally.

Note that the progress display and downloading are not performed by the file manager; the filer sees this as an ordinary directory. The Zero Install system automatically cached the remote resources when they were accessed. You could have run Memo from a shell prompt, and it would have worked just as well.

Key points

  • Software is only ever cached, not installed. Anyone can run any software, and nothing is run as root.
  • Running a program is done in the same way whether it's cached or not.
  • Running cached software is as fast as running traditionally-installed software.
  • Zero Install is both simpler and more secure than traditional packaging systems.
  • Software can be removed from the cache to free space without affecting the behaviour of the system (it will be re-cached on demand).
  • You can still run a program you cached last week, without using the net again.

What about package management systems like APT?

These require a central authority to maintain the database. For example, you can't install Memo using APT, because Debian don't package it. The best an author can do is provide Debian .deb packages on the site. But then the user still has to do the manual dependency resolution above for everything not in Debian's system (some people have suggested setting up additional APT repositories: I'd consider that adding all the required third-party repositories to sources.list still counts as 'manual').

They are also fragile; if the user deletes managed files then the system may stop working. However, a user can remove any part of the Zero Install cache at any time, and it will simply be fetched again if it's needed later.

Also, a user installing from a .deb, .rpm, etc still has to enter the root password and run a script as root. This is inconvenient and a security risk. Zero Install allows users to run software without root privileges.

See the comparison with other systems document for a more detailed list of the advantages of Zero Install.

Isn't running stuff off the net a security risk?

Isn't that where you get your software from anyway? Zero Install automatically performs a number of checks for you (such as checking MD5 sums and GPG signatures), and since it doesn't run any of the remote code as root, you can try software out safely as a 'guest' user. Once downloaded, the programs are run from the cache, without even checking the original sites for updates (you have to tell it to update manually).

To be absolutely clear about this: you're running the same code that you would have run anyway, but you're running it as a user instead of running it as root. How much of an advantage this is depends on whether you have multiple users and whether you use any sandboxing. However, it's never less secure, which is what many people seem to imagine.

See the security model document for more information about security in Zero Install.

Can I try it out?

Although the system makes installing other software very easy, the Zero Install system itself still requires some work to install. Please read this:

Is it fully working yet?

Pretty much. The main issue is how much software is distributed using this method. You can run Memo as shown above, and it will get ROX-Lib and pygtk via Zero Install. However, the other libraries are not yet in Zero Install, so you will need to install GTK, etc, as normal for now.

Support for mirrors needs to be improved, so that you can still download new software even if the original site is down (of course, you can continue to use software that you've already downloaded without needing net access).

Take a look at our tasks list for a list of things being worked on (or things that will be worked on when we get volunteers). We really need lots of volunteers to start packaging some applications (you can distribute them from your own web pages). See the list of supporting sites to see what we've got already.

Do I have to enter the full URI every time I want to run a program?

No, create a shortcut to it instead. For example, you could drag Memo from the window above onto a panel or the desktop background, or set it to load when you log in. You can assign a keyboard shortcut to an application, add it to the Send To menu, bookmark it, stick it on a 'Start' menu, put it in PATH, make a shell alias or use any other normal method of making something easier to get to.

What about package conflicts?

When installing RPMs from different sources, they may conflict because they both try to install different files in the same place. This can't happen in Zero Install, because of the URI naming scheme (just like visiting one web page won't stop another one from loading later, even if they have the same title).

Slow down... can we go through this step-by-step?

Sure. It works like this:

  1. Alice opens /uri/0install/gimp.org in her filemanager.
  2. gimp.org isn't in the cache, so Linux asks the Zero Install daemon process (zero-install) to fetch it.
  3. zero-install downloads the index file from the site (http://gimp.org/.0inst-index.tar.bz2 if you must know) and puts the directory structure it describes in the cache.
  4. Alice explores the site in her filemanager, and eventually clicks on gimp.org/Testing/Gimp-1.3.
  5. Gimp-1.3 isn't in the cache, so Linux asks the zero-install daemon to fetch it. zero-install downloads it from a mirror site (checking the MD5 sum against the one in the index to make sure it's genuine) and puts it in the cache.
  6. Gimp-1.3 runs.

Notice that the zero-install daemon didn't run any scripts. It only fetched and extracted some archives into the cache directory. Gimp hasn't been added to any other user's Start menu or similar (it might be on Alice's Start menu now... that's between Alice and the Gimp).

  1. A few days later, Bob (another user on the same computer) opens /uri/0install/gimp.org in his filemanager. Since it's in the cache, it opens instantly.
  2. Bob goes into the Testing directory and clicks on Gimp-1.3. Since it's in the cache, it starts right away without using the network at all.

I dunno... this cache thing sounds complicated...

It's really simple. When you run /uri/0install/abiword.org/abiword, Zero Install stores a copy of it in /var/cache/zero-inst/abiword.org/abiword. The next time you try to run it, Zero Install sees that it's already got a copy, and runs that. If you delete the copy in the cache, it will be refetched next time it's needed. It's really hard to mess up the cache, because if anything is missing it gets refetched. You could even delete everything inside the cache directory, and it will just repopulate itself as you access things.
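
The fetch-on-miss behaviour from the step-by-step walkthrough and the cache paragraph above, as an added example in Python (not Zero Install's own code). Assumptions: the site index is modelled as a dict mapping a path to a hex digest, each item is a single blob rather than an extracted archive, `fetch` is a hypothetical download callable, and GPG verification of the index itself is not shown.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

URI_ROOT = PurePosixPath("/uri/0install")  # namespace named on the page

def cache_path(uri_path, cache_root):
    """Map /uri/0install/<site>/<path> to <cache_root>/<site>/<path>."""
    rel = PurePosixPath(uri_path).relative_to(URI_ROOT)  # ValueError if outside
    if not rel.parts or any(p in ("..", ".") for p in rel.parts):
        raise ValueError("unsafe path: " + uri_path)     # no escaping the cache
    return Path(cache_root).joinpath(*rel.parts)

def open_cached(uri_path, cache_root, index, fetch, algo="md5"):
    """Return (path, source); download and verify only on a cache miss."""
    target = cache_path(uri_path, cache_root)
    if target.exists():
        return target, "cache"              # no network use, as for Bob
    data = fetch(uri_path)                  # untrusted bytes, maybe from a mirror
    expected = index[uri_path]              # digest listed in the site's index
    # MD5 is what the page names; it is no longer collision-resistant,
    # so the algorithm is a parameter here.
    if hashlib.new(algo, data).hexdigest() != expected:
        raise ValueError("digest mismatch, not cached: " + uri_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    tmp = target.with_name(target.name + ".part")
    tmp.write_bytes(data)
    tmp.replace(target)                     # only verified content becomes visible
    return target, "network"

def demo():
    uri = "/uri/0install/gimp.org/Testing/Gimp-1.3"
    good = b"constructed archive bytes"     # constructed sample data
    index = {uri: hashlib.md5(good).hexdigest()}
    results = []
    with tempfile.TemporaryDirectory() as root:   # stand-in for the cache dir
        try:
            open_cached(uri, root, index, lambda u: b"tampered mirror copy")
        except ValueError:
            results.append("rejected")      # bad download never reaches the cache
        results.append(open_cached(uri, root, index, lambda u: good)[1])
        results.append(open_cached(uri, root, index, None)[1])  # fetch unused
    return results

if __name__ == "__main__":
    print(demo())
```

Deleting the file under the cache root and calling `open_cached` again takes the "network" branch once more, which is the refetch-on-demand behaviour described above.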

I have more questions!

Try the FAQ.

More technical readers might want to read the technical details page.

Articles about Zero Install

These have moved to the links page.