| 1 |
On Tuesday 24 March 2009 06:41:14 Alec Warner wrote: |
| 2 |
> On Mon, Mar 23, 2009 at 4:24 PM, Philipp Riegger <lists@××××××××××××.de> |
| 3 |
wrote: |
| 4 |
> > On Mon, 23 Mar 2009 08:52:38 +0200 |
| 5 |
> > |
| 6 |
> > mmacleod@××××××××××.za wrote: |
| 7 |
> >><snip> |
| 8 |
> > I'm not sure, if this is the right way to go. I'd prefer some kind of |
| 9 |
> > build server with better configuration and management than exists at |
| 10 |
> > the moment. |
| 11 |
At a very rough calculation for just one build server to hold all packages for |
| 12 |
one architecture with only one use flag combination you are looking at ~0451 |
| 13 |
gigabytes of space. This can be reduced somewhat with difference patches but |
| 14 |
then you are stuck spending vast amount of compute times on the differences |
| 15 |
and still need a fairly vast amount of hard drive space. |
| 16 |
I don't even know how to venture a guess at the compile time for this at the |
| 17 |
moment but I am fairly certain it is completely impractical for now. |
| 18 |
The best that could be achieved with a nice build server would be binaries for |
| 19 |
a small subset of what is in portage. This assumes a good dedicated build |
| 20 |
server is available for such a thing. |
| 21 |
|
| 22 |
My idea can function with no build server, and then incorporate build servers |
| 23 |
as they come along so it can take advantage of both. |
| 24 |
|
| 25 |
In an ideal world Gentoo will have enough build servers to generate them all |
| 26 |
internally and maybe we will get there one day, this idea is scalable so it |
| 27 |
could continue to function with just build servers eventually, however I |
| 28 |
suspect that we are a long way away from having build server capable of this. |
| 29 |
Feel free to correct me if I am wrong on this though. |
| 30 |
> > I'm not sure, if the p2p network is trustworthy enough, |
| 31 |
> > even with your hash stuff. What if a user creates a package with some |
| 32 |
> > backdoor in it? How would you notice that? |
| 33 |
This is just a simple example for now, actual security levels could be more |
| 34 |
complex to be even more effective. |
| 35 |
Imagine however the following three security levels. |
| 36 |
1) Hash contributed by 100 users |
| 37 |
2) Hash contributed by 1000 users |
| 38 |
3) Hash verified by build server(build server verifies packages from level 2 |
| 39 |
based on popularity and/or a list of "important" packages to prefer) |
| 40 |
|
| 41 |
Now if a user creates a package with a back door he will have to trick or |
| 42 |
collaborate with 100 other users in order to get the people on level 1 |
| 43 |
security setting to download his modified sources and compile them all without |
| 44 |
1 other legit user having a clashing hash, the instant there is a clash his |
| 45 |
package will be flagged and action taken. |
| 46 |
This is still possible I admit but highly unlikely, especially if users acting |
| 47 |
as "compile hosts" are randomly selected to verify such packages. |
| 48 |
|
| 49 |
At level 2 security the same thing except now 1000 users all have to agree on |
| 50 |
the package hash. |
| 51 |
Even more unlikely. |
| 52 |
|
| 53 |
At level 3 the package has been compiled by build server itself so the only |
| 54 |
way the package can contain a back door is if the server has been compromised |
| 55 |
or the original sources have been compromised. In this case it is no less |
| 56 |
secure then our current set up where everyone compiles as it would be equally |
| 57 |
hard to compromise the build server as to get a tainted tarball into the |
| 58 |
official portage tree. |
| 59 |
|
| 60 |
The levels above are just examples, the proper scheme would likely contain a |
| 61 |
few more levels as well as a bit more complexity, however it needs more |
| 62 |
thought first and I don't want to get too complex yet, just trying to show the |
| 63 |
basic idea. |
| 64 |
|
| 65 |
I am sure many users would be happy enough with even level 1 security |
| 66 |
packages, I would probably not hesitate to have such packages on my machine. |
| 67 |
For the more paranoid they can wait a bit longer for packages to reach a |
| 68 |
higher level or compile it themselves in the meantime. |
| 69 |
> >> <snip> |
| 70 |
> > |
| 71 |
> > Not sure, if this was already discussed: Usually, software has |
| 72 |
> > versions. Gentoo adds revisions (these -rX endings) to have different |
| 73 |
> > ebuild versions for the same software version. Now, for binary packages |
| 74 |
> > we would need another revision-like addition (because there can be |
| 75 |
> > pkg-foo-1.2.3 linked against lib-bar:1 and linked against lib-bar:2). |
| 76 |
The "Improved binary package support" idea on the wiki as well as the related |
| 77 |
bugzilla thread already cover this as well as possible ways to deal with it. |
| 78 |
> > If I were the buildserver, I would build the new libbar once it is in |
| 79 |
> > the tree and then use revdep-rebuild and emerge @preserved-rebuild to |
| 80 |
> > figure out, what needs to be rebuilt. Then I would rebuild those |
| 81 |
> > packages and increase the, let's call it binary-revision. I'd repeat |
| 82 |
> > that until all was fine (which should be the case after 1 iteration, |
| 83 |
> > most of the time). |
| 84 |
|
| 85 |
> > Another thing: Smaller installations. Maybe you could work on moving |
| 86 |
> > more software out of @system, that for example gcc does not need to be |
| 87 |
> > installed on binary-only hosts. Maybe you could create some |
| 88 |
> > INSTALL_MASK files that would make the system smaller leaving out |
| 89 |
> > headers, maybe static libraries and stuff like that. What would you |
| 90 |
> > think about that one? |
| 91 |
> I think "binary only profile" ? |
| 92 |
A binary profile would definitely be nice, I don't think it is worth |
| 93 |
considering until binaries for most things are largely available first though. |
| 94 |
|
| 95 |
|
| 96 |
Another nice spin off of having these binaries would be improved multilib |
| 97 |
support, portage would need some improvement to handle this, but a 64 bit |
| 98 |
user(for example) could have portage get a 32 bit binary for any package and |
| 99 |
run it instead of needing to rely on the "*-bin" packages and/or chroot when |
| 100 |
no -bin is available. |
Archives