| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Hi, I have an idea I've been thinking about, I'd like to share it and |
| 5 |
see anyone thinks there is any merit to it. |
| 6 |
|
| 7 |
The goal is to preserve gentoo's customizability but gain the |
| 8 |
convenience of instantly available binary packages. |
| 9 |
|
| 10 |
The problem with binary packages is that they come in one flavor and |
| 11 |
would ignore your local USE variable settings. Plus, creating separate |
| 12 |
binary packages for every combination of USE variables would be an |
| 13 |
enormous, never ending task. |
| 14 |
|
| 15 |
My idea is to automate the process of creating binary packages, and turn |
| 16 |
the installed base of gentoo users into a giant compile farm. |
| 17 |
|
| 18 |
When a user goes to emerge a package, first portage would analyze the |
| 19 |
ebuild to determine what USE variables are used by the package. Then it |
| 20 |
would build an ordered list of the user's USE variables, limited to only |
| 21 |
those that are used by this particular package, but indicating if they |
| 22 |
are enabled or not. |
| 23 |
|
| 24 |
To this list of USE variables would be added the gcc version, CHOST, |
| 25 |
CFLAGS, CXXFLAGS, perhaps portage version, plus what ever else that |
| 26 |
makes up the uniqueness of the user's configuration. I'm taking a cue |
| 27 |
from ccache for this. |
| 28 |
|
| 29 |
Portage could then take this unique code and check a public server to |
| 30 |
see if a binary package exists matching this combination. If so, the |
| 31 |
binary package would be fetched and installed. If not, the package |
| 32 |
would be compiled locally and then uploaded to the public server. |
| 33 |
|
| 34 |
To prevent from malicious tampering, some kind of system would need to |
| 35 |
be in place to verify that a package hasn't been trojaned or something. |
| 36 |
~ The server could wait until it received a certain number of copies of a |
| 37 |
specific package from unique sources and compare them to see if they are |
| 38 |
all the same before deciding a package is safe. |
| 39 |
|
| 40 |
Security would be the largest stumbling block of this system. I think |
| 41 |
the most likely system to be safe would be a PGP-like web of trust. |
| 42 |
Each gentoo installation would generate a set of keys that it would use |
| 43 |
to sign packages it uploads. Small groups of gentoo users who have the |
| 44 |
same setup could exchange keys. As the server receives binary packages |
| 45 |
with the same checksum, it accumulates the keys from the signature. |
| 46 |
Portage would only then download a package if it has been signed by a |
| 47 |
key that the user trusts. Of course, if no such key is available, it |
| 48 |
would build the package locally. If the local binary package matches |
| 49 |
what is available on the server, this user would sign the binary package |
| 50 |
available on the server. Optionally, a user to configure his system to |
| 51 |
accept a binary package after it has been signed by a certain number of |
| 52 |
keys. |
| 53 |
|
| 54 |
I believe the ideal storage facility for such a system is with something |
| 55 |
like freenet. It is distributed, non-permanent storage where more |
| 56 |
popular files are longer-lived than infrequently requested files. |
| 57 |
Assuming the vast majority of gentoo users are using the same default |
| 58 |
settings for most things, the popular packages would survive |
| 59 |
indefinately on freenet as long as there are people installing them. |
| 60 |
|
| 61 |
A system that took advantage of freenet could upload the binary package |
| 62 |
to freenet with its md5sum as the key, and submit the package details |
| 63 |
with key to a central server. Portage would when check with the central |
| 64 |
server for a key, fetch the package out of freenet with the key, and |
| 65 |
then install the binary package. |
| 66 |
|
| 67 |
That's basically it. Sure, it's a far-fetched idea but I'd to hear what |
| 68 |
people think about it. |
| 69 |
|
| 70 |
- - Robert |
| 71 |
|
| 72 |
- -- |
| 73 |
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBB929E54 |
| 74 |
Key fingerprint = BEA9 490C D2B9 AD83 E88B 3148 3136 34E4 BB92 9E54 |
| 75 |
-----BEGIN PGP SIGNATURE----- |
| 76 |
Version: GnuPG v1.0.7 (GNU/Linux) |
| 77 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 78 |
|
| 79 |
iD8DBQE9b3XqMTY05LuSnlQRAvMWAJwOqQQsfZiJOO9G8TpcD1EOLq9yTACeI8af |
| 80 |
KGbprUFS/QwGRLwygQ0lA44= |
| 81 |
=FxhM |
| 82 |
-----END PGP SIGNATURE----- |
Archives