Gentoo Archives: gentoo-dev

From: Charles Lacour <Clacour@×××××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Re: Gentoo peer-to-peer
Date: Tue, 23 Jul 2002 16:14:24
1 (Apologies for starting a new thread instead of replying to the existing one, but I'm
2 working from the digest.)
4 I had a similar idea to this a few weeks ago; here are some thoughts I came up with on it.
6 As far as binary packages go,
8 I'm not sure there's any need for USE flags to identify the binary. If two different people
9 compile a package to identical binaries, what USE flags they had are completely irrelevant.
10 (Someone might compile a package under another flavor of Linux, for example, in which
11 case there ARE no USE flags.)
13 My thought was to build a string describing the package, then run an md5sum on that. I was
14 thinking of using that as part of the filename, so we might want to create a custom md5sum
15 that would produce a shorter string (6-8 characters, say).
17 As a first pass, here's what I'd put in the string. I am FAR from an expert on compiling things,
18 dependencies, binary compatibility and so forth, so I expect this will need to be modified. I
19 would suggest everyone post the last string they saw, then their own version, and the reasons
20 for the modifications. Hopefully we'll have some deletions (like USE flags) as well as additions.
22 <architecture compiled for> <gcc version> <glibc-version> \
25 The filename would be <package name>-<package version>.<md5sum of string>
27 I think it would be a good idea to also create an md5sum of a tar of the package, after all patches
28 have been applied, and configuration has been done, but before any other action has been taken,
29 and make that a 3rd node of the name. (That should be of the tar before compression, by the way.)
31 That would make the full filename
33 <package name>-<package version>.<md5sum of string>.<md5sum of tar>
35 This serves two functions: it identifies the other half of the variables in what might affect the final
36 binary produced (the first half being the stuff in the first identifier string), and it provides a fairly
37 easy way to verify the binary. One can create a tar of a source directory and run and md5sum on
38 it much faster (in most cases) than one can compile it. One could then compare the md5sum from
39 that to the md5sum in the filename, and if they match, be reasonably confident this isn't spoofed,
40 especially if there are multiple copies of it out there.
44 Some people have objected (none too violently, as yet) to this as being "contrary to the spirit of
45 Gentoo".
47 When I meet the spirit of Gentoo, I'll be sure to ask it what it thinks, and then decide whether
48 I wish to be contrary to it.
50 In the meantime, I'd say the best way to handle this is to give all such people (and anybody else
51 who wants it, for that matter) permission not to use this, any time they like.
53 I'm against giving them permission to forbid anyone who wants to explore this idea from doing so,
54 as giving someone else permission to forbid me from doing things has generally proven to be
55 a bad idea. I mean, look at the last time we did it - we got governments.
58 I like the idea of using this for source as well as binaries; when I'm downloading files from
59 Gnutella and can get 3 or 4 people to download from at once, I can max out my ADSL line.
60 >From a lot of FTP servers, I get a lot less. It would also let me contribute as as server; I have
61 a fixed IP address, but only a 128K uplink. By myself, I'd be a pretty sorry source for much of
62 anything. With 8 or 10 people like me, though, I'd be quite useful.


Subject Author
Re: [gentoo-dev] Re: Gentoo peer-to-peer Alexander Gretencord <arutha@×××.de>