1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
Hi, I have an idea I've been thinking about, I'd like to share it and |
5 |
see anyone thinks there is any merit to it. |
6 |
|
7 |
The goal is to preserve gentoo's customizability but gain the |
8 |
convenience of instantly available binary packages. |
9 |
|
10 |
The problem with binary packages is that they come in one flavor and |
11 |
would ignore your local USE variable settings. Plus, creating separate |
12 |
binary packages for every combination of USE variables would be an |
13 |
enormous, never ending task. |
14 |
|
15 |
My idea is to automate the process of creating binary packages, and turn |
16 |
the installed base of gentoo users into a giant compile farm. |
17 |
|
18 |
When a user goes to emerge a package, first portage would analyze the |
19 |
ebuild to determine what USE variables are used by the package. Then it |
20 |
would build an ordered list of the user's USE variables, limited to only |
21 |
those that are used by this particular package, but indicating if they |
22 |
are enabled or not. |
23 |
|
24 |
To this list of USE variables would be added the gcc version, CHOST, |
25 |
CFLAGS, CXXFLAGS, perhaps portage version, plus what ever else that |
26 |
makes up the uniqueness of the user's configuration. I'm taking a cue |
27 |
from ccache for this. |
28 |
|
29 |
Portage could then take this unique code and check a public server to |
30 |
see if a binary package exists matching this combination. If so, the |
31 |
binary package would be fetched and installed. If not, the package |
32 |
would be compiled locally and then uploaded to the public server. |
33 |
|
34 |
To prevent from malicious tampering, some kind of system would need to |
35 |
be in place to verify that a package hasn't been trojaned or something. |
36 |
~ The server could wait until it received a certain number of copies of a |
37 |
specific package from unique sources and compare them to see if they are |
38 |
all the same before deciding a package is safe. |
39 |
|
40 |
Security would be the largest stumbling block of this system. I think |
41 |
the most likely system to be safe would be a PGP-like web of trust. |
42 |
Each gentoo installation would generate a set of keys that it would use |
43 |
to sign packages it uploads. Small groups of gentoo users who have the |
44 |
same setup could exchange keys. As the server receives binary packages |
45 |
with the same checksum, it accumulates the keys from the signature. |
46 |
Portage would only then download a package if it has been signed by a |
47 |
key that the user trusts. Of course, if no such key is available, it |
48 |
would build the package locally. If the local binary package matches |
49 |
what is available on the server, this user would sign the binary package |
50 |
available on the server. Optionally, a user to configure his system to |
51 |
accept a binary package after it has been signed by a certain number of |
52 |
keys. |
53 |
|
54 |
I believe the ideal storage facility for such a system is with something |
55 |
like freenet. It is distributed, non-permanent storage where more |
56 |
popular files are longer-lived than infrequently requested files. |
57 |
Assuming the vast majority of gentoo users are using the same default |
58 |
settings for most things, the popular packages would survive |
59 |
indefinately on freenet as long as there are people installing them. |
60 |
|
61 |
A system that took advantage of freenet could upload the binary package |
62 |
to freenet with its md5sum as the key, and submit the package details |
63 |
with key to a central server. Portage would when check with the central |
64 |
server for a key, fetch the package out of freenet with the key, and |
65 |
then install the binary package. |
66 |
|
67 |
That's basically it. Sure, it's a far-fetched idea but I'd to hear what |
68 |
people think about it. |
69 |
|
70 |
- - Robert |
71 |
|
72 |
- -- |
73 |
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBB929E54 |
74 |
Key fingerprint = BEA9 490C D2B9 AD83 E88B 3148 3136 34E4 BB92 9E54 |
75 |
-----BEGIN PGP SIGNATURE----- |
76 |
Version: GnuPG v1.0.7 (GNU/Linux) |
77 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
78 |
|
79 |
iD8DBQE9b3XqMTY05LuSnlQRAvMWAJwOqQQsfZiJOO9G8TpcD1EOLq9yTACeI8af |
80 |
KGbprUFS/QwGRLwygQ0lA44= |
81 |
=FxhM |
82 |
-----END PGP SIGNATURE----- |