(Apologies for starting a new thread instead of replying to the existing one, but I'm
working from the digest.)

I had a similar idea to this a few weeks ago; here are some thoughts I came up with on it.

As far as binary packages go,

I'm not sure there's any need for USE flags to identify the binary. If two different people
compile a package to identical binaries, what USE flags they had are completely irrelevant.
(Someone might compile a package under another flavor of Linux, for example, in which
case there ARE no USE flags.)

My thought was to build a string describing the package, then run an md5sum on that. I was
thinking of using that as part of the filename, so we might want to create a custom md5sum
that would produce a shorter string (6-8 characters, say).

As a first pass, here's what I'd put in the string. I am FAR from an expert on compiling things,
dependencies, binary compatibility and so forth, so I expect this will need to be modified. I
would suggest everyone post the last string they saw, then their own version, and the reasons
for the modifications. Hopefully we'll have some deletions (like USE flags) as well as additions.

<architecture compiled for> <gcc version> <glibc-version> \
CFLAGS=$CFLAGS CCFLAGS=$CCFLAGS LDFLAGS=$LDFLAGS

The filename would be <package name>-<package version>.<md5sum of string>

I think it would be a good idea to also create an md5sum of a tar of the package, after all patches
have been applied, and configuration has been done, but before any other action has been taken,
and make that a 3rd node of the name. (That should be of the tar before compression, by the way.)

That would make the full filename

<package name>-<package version>.<md5sum of string>.<md5sum of tar>

This serves two functions: it identifies the other half of the variables in what might affect the final
binary produced (the first half being the stuff in the first identifier string), and it provides a fairly
easy way to verify the binary. One can create a tar of a source directory and run an md5sum on
it much faster (in most cases) than one can compile it. One could then compare the md5sum from
that to the md5sum in the filename, and if they match, be reasonably confident this isn't spoofed,
especially if there are multiple copies of it out there.


Some people have objected (none too violently, as yet) to this as being "contrary to the spirit of
Gentoo".

When I meet the spirit of Gentoo, I'll be sure to ask it what it thinks, and then decide whether
I wish to be contrary to it.

In the meantime, I'd say the best way to handle this is to give all such people (and anybody else
who wants it, for that matter) permission not to use this, any time they like.

I'm against giving them permission to forbid anyone who wants to explore this idea from doing so,
as giving someone else permission to forbid me from doing things has generally proven to be
a bad idea. I mean, look at the last time we did it - we got governments.


I like the idea of using this for source as well as binaries; when I'm downloading files from
Gnutella and can get 3 or 4 people to download from at once, I can max out my ADSL line.
From a lot of FTP servers, I get a lot less. It would also let me contribute as a server; I have
a fixed IP address, but only a 128K uplink. By myself, I'd be a pretty sorry source for much of
anything. With 8 or 10 people like me, though, I'd be quite useful.
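
The naming and verification scheme proposed in this post, as an added Python example (not the poster's code and not any Gentoo tool; all function names are hypothetical). Assumptions: the full 32-character MD5 is used rather than a shortened one, and the tar is normalised (sorted entries, zeroed timestamps and owners, fixed mode) so that two people tarring identical sources get the same sum.

```python
import hashlib, hmac, io, os, tarfile, tempfile

def descriptor(arch, gcc, glibc, cflags, ccflags, ldflags):
    # Field order follows the string proposed in the post.
    return (f"{arch} {gcc} {glibc} "
            f"CFLAGS={cflags} CCFLAGS={ccflags} LDFLAGS={ldflags}")

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def source_tar_md5(src_dir):
    """MD5 of an uncompressed tar of src_dir (regular files only).

    Assumption: entry order, timestamps, owners and modes are normalised;
    without that, identical sources produce different tar bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                      # fixed traversal order
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                info.mtime, info.uid, info.gid = 0, 0, 0
                info.uname = info.gname = ""
                info.mode = 0o644            # simplification: drops exec bits
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return md5_hex(buf.getvalue())

def package_filename(name, version, desc, src_dir):
    # <package name>-<package version>.<md5sum of string>.<md5sum of tar>
    return f"{name}-{version}.{md5_hex(desc.encode())}.{source_tar_md5(src_dir)}"

def verify(filename, src_dir):
    # The tar sum is the last dot-separated node of the filename.
    claimed = filename.rsplit(".", 1)[1]
    return hmac.compare_digest(claimed, source_tar_md5(src_dir))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as src:   # constructed sample tree
        with open(os.path.join(src, "hello.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        desc = descriptor("i686", "gcc-3.2", "glibc-2.2.5", "-O2", "-O2", "")
        fn = package_filename("hello", "1.0", desc, src)
        print(fn, verify(fn, src))
```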