To follow up on this thread from a few months ago, the biggest issue here is that you can't unmerge what you've merged. This means you can't uninstall anything, and you can't switch from an unstable version of an app back to the stable version even if there were no state changes. You've lost the info that any particular file is associated with an upstream desk, so you don't know how to remove it.
A possible solution is to mark each file with an upstream source desk. Then, "uninstalling" is removing each of those files.
I suspect a better solution is to make %home be a "view" of several desks. In other words, it's a continual merge of several source desks, such as sponsor/%kids, our/%local, ~middev/%srrs, etc. If there's a conflict it rejects the update, and you could specify the merge strategy; for example, you probably don't want 3rd party code touching files they didn't introduce.
To uninstall, you simply remove one of the source desks. It's conceivable this could fail by introducing a conflict between the remaining desks, but it's unlikely. If it did, it would generally be because one of the remaining desks depended on the desk you removed, even if that dependency wasn't explicit. In that case, removing the one without the other must either fail or break the invariant that "everything works".
If this is indeed the answer, then there are only two infrastructural tasks required for "safe", generic software distribution:
- Implement "view" desks as described above
- Implement a way to remove apps and/or make them dormant (i.e. resolved to vases of their state, so they can be resuscitated in future if desired), as described in the original distribution.txt.
"Safe" means the act of installing software won't wreck your ship. However, you're running 3rd party code, and *that* can wreck your ship any number of ways. But if you trust the author, you're probably fine. This is far better than our current situation, where no matter how much you trust that the author has your best interests at heart, you shouldn't install 3rd party software if you care about reliability.
UX-wise, we need utilities to:
- See and modify what desks are "installed" and with what configuration (merge order, merge strategies, associated apps/files, etc)
- See which source desks are up to date with your base distribution. For example, it's useful to see that a 3rd party desk is not up-to-date yet with the new base OTA.
- Suspend a source desk until it gets up-to-date. This should put all its apps to sleep and automatically turn them back on when they get the base OTA.
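
A toy model of the "view" desk proposal in the post above, added here as an illustration; it is not part of the original post and not Urbit or Clay code. The names `Home`, `build_view` and `Conflict`, the sample desks and paths, and the strict strategy (a desk may not touch a file another desk introduced) are assumptions. It shows that recomputing %home from its source desks keeps per-file provenance, so a conflicting update is rejected without changing state, and both uninstalling and going from unstable back to stable become plain recomputations.

```python
# Toy model of a "view" desk: %home is recomputed from an ordered list of
# source desks, so each file keeps its provenance. Hypothetical names, not Clay's API.
class Conflict(Exception):
    pass

def build_view(sources, order):
    """Merge desks in order; return {path: (owner_desk, content)}."""
    view = {}
    for desk in order:
        for path, content in sources[desk].items():
            # Assumed strategy: a desk may not touch a file another desk introduced.
            if path in view:
                raise Conflict(f"{desk} touches {path}, owned by {view[path][0]}")
            view[path] = (desk, content)
    return view

class Home:
    def __init__(self):
        self.sources, self.order, self.view = {}, [], {}

    def _commit(self, sources, order):
        view = build_view(sources, order)  # raises before any state changes
        self.sources, self.order, self.view = sources, order, view

    def install(self, desk, files):
        """Add or update a source desk; a conflicting update is rejected."""
        order = self.order if desk in self.sources else self.order + [desk]
        self._commit({**self.sources, desk: dict(files)}, order)

    def uninstall(self, desk):
        """Drop a source desk; its files leave the view with it."""
        rest = {d: f for d, f in self.sources.items() if d != desk}
        self._commit(rest, [d for d in self.order if d != desk])

    def files_of(self, desk):
        return sorted(p for p, (owner, _) in self.view.items() if owner == desk)

def demo():
    # Constructed sample desks and paths.
    home = Home()
    home.install("base", {"/app/dojo": "v1"})
    home.install("~middev/srrs", {"/app/srrs": "unstable", "/lib/srrs": "new"})
    home.install("~middev/srrs", {"/app/srrs": "stable"})  # back to stable
    downgraded = home.files_of("~middev/srrs")
    home.uninstall("~middev/srrs")
    return downgraded, sorted(home.view)
```
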