Gentoo Archives: gentoo-dev

From: J Robert Ray <jrray@×××××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] binary packages, crazy idea
Date: Fri, 30 Aug 2002 08:40:59
2 Hash: SHA1
4 Hi, I have an idea I've been thinking about, I'd like to share it and
5 see anyone thinks there is any merit to it.
7 The goal is to preserve gentoo's customizability but gain the
8 convenience of instantly available binary packages.
10 The problem with binary packages is that they come in one flavor and
11 would ignore your local USE variable settings. Plus, creating separate
12 binary packages for every combination of USE variables would be an
13 enormous, never ending task.
15 My idea is to automate the process of creating binary packages, and turn
16 the installed base of gentoo users into a giant compile farm.
18 When a user goes to emerge a package, first portage would analyze the
19 ebuild to determine what USE variables are used by the package. Then it
20 would build an ordered list of the user's USE variables, limited to only
21 those that are used by this particular package, but indicating if they
22 are enabled or not.
24 To this list of USE variables would be added the gcc version, CHOST,
25 CFLAGS, CXXFLAGS, perhaps portage version, plus what ever else that
26 makes up the uniqueness of the user's configuration. I'm taking a cue
27 from ccache for this.
29 Portage could then take this unique code and check a public server to
30 see if a binary package exists matching this combination. If so, the
31 binary package would be fetched and installed. If not, the package
32 would be compiled locally and then uploaded to the public server.
34 To prevent from malicious tampering, some kind of system would need to
35 be in place to verify that a package hasn't been trojaned or something.
36 ~ The server could wait until it received a certain number of copies of a
37 specific package from unique sources and compare them to see if they are
38 all the same before deciding a package is safe.
40 Security would be the largest stumbling block of this system. I think
41 the most likely system to be safe would be a PGP-like web of trust.
42 Each gentoo installation would generate a set of keys that it would use
43 to sign packages it uploads. Small groups of gentoo users who have the
44 same setup could exchange keys. As the server receives binary packages
45 with the same checksum, it accumulates the keys from the signature.
46 Portage would only then download a package if it has been signed by a
47 key that the user trusts. Of course, if no such key is available, it
48 would build the package locally. If the local binary package matches
49 what is available on the server, this user would sign the binary package
50 available on the server. Optionally, a user to configure his system to
51 accept a binary package after it has been signed by a certain number of
52 keys.
54 I believe the ideal storage facility for such a system is with something
55 like freenet. It is distributed, non-permanent storage where more
56 popular files are longer-lived than infrequently requested files.
57 Assuming the vast majority of gentoo users are using the same default
58 settings for most things, the popular packages would survive
59 indefinately on freenet as long as there are people installing them.
61 A system that took advantage of freenet could upload the binary package
62 to freenet with its md5sum as the key, and submit the package details
63 with key to a central server. Portage would when check with the central
64 server for a key, fetch the package out of freenet with the key, and
65 then install the binary package.
67 That's basically it. Sure, it's a far-fetched idea but I'd to hear what
68 people think about it.
70 - - Robert
72 - --
74 Key fingerprint = BEA9 490C D2B9 AD83 E88B 3148 3136 34E4 BB92 9E54
76 Version: GnuPG v1.0.7 (GNU/Linux)
77 Comment: Using GnuPG with Mozilla -
80 KGbprUFS/QwGRLwygQ0lA44=
81 =FxhM
82 -----END PGP SIGNATURE-----


Subject Author
Re: [gentoo-dev] binary packages, crazy idea "Thomas T. Veldhouse" <veldy@×××××.net>