1 |
On Tuesday 24 March 2009 06:41:14 Alec Warner wrote: |
2 |
> On Mon, Mar 23, 2009 at 4:24 PM, Philipp Riegger <lists@××××××××××××.de> |
3 |
wrote: |
4 |
> > On Mon, 23 Mar 2009 08:52:38 +0200 |
5 |
> > |
6 |
> > mmacleod@××××××××××.za wrote: |
7 |
> >><snip> |
8 |
> > I'm not sure, if this is the right way to go. I'd prefer some kind of |
9 |
> > build server with better configuration and management than exists at |
10 |
> > the moment. |
11 |
At a very rough calculation for just one build server to hold all packages for |
12 |
one architecture with only one use flag combination you are looking at ~0451 |
13 |
gigabytes of space. This can be reduced somewhat with difference patches but |
14 |
then you are stuck spending vast amount of compute times on the differences |
15 |
and still need a fairly vast amount of hard drive space. |
16 |
I don't even know how to venture a guess at the compile time for this at the |
17 |
moment but I am fairly certain it is completely impractical for now. |
18 |
The best that could be achieved with a nice build server would be binaries for |
19 |
a small subset of what is in portage. This assumes a good dedicated build |
20 |
server is available for such a thing. |
21 |
|
22 |
My idea can function with no build server, and then incorporate build servers |
23 |
as they come along so it can take advantage of both. |
24 |
|
25 |
In an ideal world Gentoo will have enough build servers to generate them all |
26 |
internally and maybe we will get there one day, this idea is scalable so it |
27 |
could continue to function with just build servers eventually, however I |
28 |
suspect that we are a long way away from having build server capable of this. |
29 |
Feel free to correct me if I am wrong on this though. |
30 |
> > I'm not sure, if the p2p network is trustworthy enough, |
31 |
> > even with your hash stuff. What if a user creates a package with some |
32 |
> > backdoor in it? How would you notice that? |
33 |
This is just a simple example for now, actual security levels could be more |
34 |
complex to be even more effective. |
35 |
Imagine however the following three security levels. |
36 |
1) Hash contributed by 100 users |
37 |
2) Hash contributed by 1000 users |
38 |
3) Hash verified by build server(build server verifies packages from level 2 |
39 |
based on popularity and/or a list of "important" packages to prefer) |
40 |
|
41 |
Now if a user creates a package with a back door he will have to trick or |
42 |
collaborate with 100 other users in order to get the people on level 1 |
43 |
security setting to download his modified sources and compile them all without |
44 |
1 other legit user having a clashing hash, the instant there is a clash his |
45 |
package will be flagged and action taken. |
46 |
This is still possible I admit but highly unlikely, especially if users acting |
47 |
as "compile hosts" are randomly selected to verify such packages. |
48 |
|
49 |
At level 2 security the same thing except now 1000 users all have to agree on |
50 |
the package hash. |
51 |
Even more unlikely. |
52 |
|
53 |
At level 3 the package has been compiled by build server itself so the only |
54 |
way the package can contain a back door is if the server has been compromised |
55 |
or the original sources have been compromised. In this case it is no less |
56 |
secure then our current set up where everyone compiles as it would be equally |
57 |
hard to compromise the build server as to get a tainted tarball into the |
58 |
official portage tree. |
59 |
|
60 |
The levels above are just examples, the proper scheme would likely contain a |
61 |
few more levels as well as a bit more complexity, however it needs more |
62 |
thought first and I don't want to get too complex yet, just trying to show the |
63 |
basic idea. |
64 |
|
65 |
I am sure many users would be happy enough with even level 1 security |
66 |
packages, I would probably not hesitate to have such packages on my machine. |
67 |
For the more paranoid they can wait a bit longer for packages to reach a |
68 |
higher level or compile it themselves in the meantime. |
69 |
> >> <snip> |
70 |
> > |
71 |
> > Not sure, if this was already discussed: Usually, software has |
72 |
> > versions. Gentoo adds revisions (these -rX endings) to have different |
73 |
> > ebuild versions for the same software version. Now, for binary packages |
74 |
> > we would need another revision-like addition (because there can be |
75 |
> > pkg-foo-1.2.3 linked against lib-bar:1 and linked against lib-bar:2). |
76 |
The "Improved binary package support" idea on the wiki as well as the related |
77 |
bugzilla thread already cover this as well as possible ways to deal with it. |
78 |
> > If I were the buildserver, I would build the new libbar once it is in |
79 |
> > the tree and then use revdep-rebuild and emerge @preserved-rebuild to |
80 |
> > figure out, what needs to be rebuilt. Then I would rebuild those |
81 |
> > packages and increase the, let's call it binary-revision. I'd repeat |
82 |
> > that until all was fine (which should be the case after 1 iteration, |
83 |
> > most of the time). |
84 |
|
85 |
> > Another thing: Smaller installations. Maybe you could work on moving |
86 |
> > more software out of @system, that for example gcc does not need to be |
87 |
> > installed on binary-only hosts. Maybe you could create some |
88 |
> > INSTALL_MASK files that would make the system smaller leaving out |
89 |
> > headers, maybe static libraries and stuff like that. What would you |
90 |
> > think about that one? |
91 |
> I think "binary only profile" ? |
92 |
A binary profile would definitely be nice, I don't think it is worth |
93 |
considering until binaries for most things are largely available first though. |
94 |
|
95 |
|
96 |
Another nice spin off of having these binaries would be improved multilib |
97 |
support, portage would need some improvement to handle this, but a 64 bit |
98 |
user(for example) could have portage get a 32 bit binary for any package and |
99 |
run it instead of needing to rely on the "*-bin" packages and/or chroot when |
100 |
no -bin is available. |