Zerotierone: Fedora official repository

We've tried. We've also tried to get it into Debian. There are numerous problems.

The top issue is that we're a small company and don't have the resources to jump through the many hoops required to babysit official repo packages. We don't have all the time in the world. A secondary and related issue is it means package releases for those distros will lag official releases. Building versions for a ton of distributions and OSes is already painful, but having to coordinate with maintainers adds a whole other layer of work.

Another major issue is the insistence by distributions on not packaging dependencies. This bit us hard when we tried last time. Two dependencies in particular are very problematic. One is the HTTP parser, which is a minimal C http parser and is the same one used in NodeJS. Its API is not stable, so if we depend on distro packages everything breaks when it's updated. It's a library but it's not really intended to be packaged separately and nodeJS always builds it in. The second one is libminiupnpc. The version in many distros has security vulnerabilities but can't be upgraded because the newer ones have breaking API changes that break other apps, and we are not going to use a vulnerable library even if the vulnerabilities are 'minor'. ZeroTier is used in a lot of really high security environments.

We absolutely loathe dependencies in general and try to avoid them whenever possible, but so far we haven't had the time to develop our own upnpc or http parser libraries. In some cases where other library licenses permit we've actually cut/pasted library code for small libraries (LZ4) into ZeroTier itself to get rid of the dependency, but some in distribution packaging teams noticed this and didn't like it.

This is really a much broader problem than our use case. Present dependency management systems are hopelessly behind the current pace and complexity of software development. I'm not aware of a single dependency management system anywhere that gets it right. This is why you see the popularity of Docker (which treats tar'ed up Linux distributions like binaries) and Go's practice of statically linking everything except libc. Dependencies are an area of CS/IT that desperately needs serious work.

@tim77 NixPkgs contains a package that will run on pretty much all versions of Linux, including Fedora: https://github.com/NixOS/nixpkgs/blob/13491ba611b0c69e666c5e667b388e0ab56c069e/pkgs/tools/networking/zerotierone/default.nix.

@adamierymenko There are more package maintainers who just provide a Nix expression these days and call it a day. There are minor arguments (it costs some disk space) against Nix, but many in favor of Nix.

When you use Nix, you can specify exact dependencies once and nothing will change as long as the underlying sources remain available, which in practice works very well. In your case, NixPkgs already has packages ZeroTier and you could also become the official maintainer for that package, although the project doesn't need that.

The dependencies problem has been arguably solved in a CS sense in Nix on Linux at least for at least a decade. It's just that a decade ago using Nix was less practical.

Regarding copying and pasting code, no we don't like that, because it makes systems run less efficient, longer compilation times, and has higher maintenance costs for various reasons.

I don't know about the status of OpenBSD regarding Nix,but there is some FreeBSD support. I think at some point, the OpenBSD community should just port Nix and give up on their inferior package management system.

@adamierymenko perhaps modules could solve this problem?

As a reference, there is/was an open review request for Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1352169