| 1 |
(Apologies for starting a new thread instead of replying to the existing one, but I'm |
| 2 |
working from the digest.) |
| 3 |
|
| 4 |
I had a similar idea to this a few weeks ago; here are some thoughts I came up with on it. |
| 5 |
|
| 6 |
As far as binary packages go, |
| 7 |
|
| 8 |
I'm not sure there's any need for USE flags to identify the binary. If two different people |
| 9 |
compile a package to identical binaries, what USE flags they had are completely irrelevant. |
| 10 |
(Someone might compile a package under another flavor of Linux, for example, in which |
| 11 |
case there ARE no USE flags.) |
| 12 |
|
| 13 |
My thought was to build a string describing the package, then run an md5sum on that. I was |
| 14 |
thinking of using that as part of the filename, so we might want to create a custom md5sum |
| 15 |
that would produce a shorter string (6-8 characters, say). |
| 16 |
|
| 17 |
As a first pass, here's what I'd put in the string. I am FAR from an expert on compiling things, |
| 18 |
dependencies, binary compatibility and so forth, so I expect this will need to be modified. I |
| 19 |
would suggest everyone post the last string they saw, then their own version, and the reasons |
| 20 |
for the modifications. Hopefully we'll have some deletions (like USE flags) as well as additions. |
| 21 |
|
| 22 |
<architecture compiled for> <gcc version> <glibc-version> \ |
| 23 |
CFLAGS=$CFLAGS CCFLAGS=$CCFLAGS LDFLAGS=$LDFLAGS |
| 24 |
|
| 25 |
The filename would be <package name>-<package version>.<md5sum of string> |
| 26 |
|
| 27 |
I think it would be a good idea to also create an md5sum of a tar of the package, after all patches |
| 28 |
have been applied, and configuration has been done, but before any other action has been taken, |
| 29 |
and make that a 3rd node of the name. (That should be of the tar before compression, by the way.) |
| 30 |
|
| 31 |
That would make the full filename |
| 32 |
|
| 33 |
<package name>-<package version>.<md5sum of string>.<md5sum of tar> |
| 34 |
|
| 35 |
This serves two functions: it identifies the other half of the variables in what might affect the final |
| 36 |
binary produced (the first half being the stuff in the first identifier string), and it provides a fairly |
| 37 |
easy way to verify the binary. One can create a tar of a source directory and run and md5sum on |
| 38 |
it much faster (in most cases) than one can compile it. One could then compare the md5sum from |
| 39 |
that to the md5sum in the filename, and if they match, be reasonably confident this isn't spoofed, |
| 40 |
especially if there are multiple copies of it out there. |
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
Some people have objected (none too violently, as yet) to this as being "contrary to the spirit of |
| 45 |
Gentoo". |
| 46 |
|
| 47 |
When I meet the spirit of Gentoo, I'll be sure to ask it what it thinks, and then decide whether |
| 48 |
I wish to be contrary to it. |
| 49 |
|
| 50 |
In the meantime, I'd say the best way to handle this is to give all such people (and anybody else |
| 51 |
who wants it, for that matter) permission not to use this, any time they like. |
| 52 |
|
| 53 |
I'm against giving them permission to forbid anyone who wants to explore this idea from doing so, |
| 54 |
as giving someone else permission to forbid me from doing things has generally proven to be |
| 55 |
a bad idea. I mean, look at the last time we did it - we got governments. |
| 56 |
|
| 57 |
|
| 58 |
I like the idea of using this for source as well as binaries; when I'm downloading files from |
| 59 |
Gnutella and can get 3 or 4 people to download from at once, I can max out my ADSL line. |
| 60 |
>From a lot of FTP servers, I get a lot less. It would also let me contribute as as server; I have |
| 61 |
a fixed IP address, but only a 128K uplink. By myself, I'd be a pretty sorry source for much of |
| 62 |
anything. With 8 or 10 people like me, though, I'd be quite useful. |
Archives