Poll: you can poll this.
  its a gooood idea    39%  [ 41 ]
  no, I don't like it  60%  [ 62 ]
Total Votes: 103

error26 n00b
Joined: 22 Feb 2003 Posts: 65 Location: Vienna
Posted: Thu Feb 19, 2004 12:17 pm Post subject: Vision: Gentoo with P2P Binary Package system

If I had a wish free, I would ask the big Gentoo fay for a P2P binary package net.
1. You type emerge -p2p kde.
2. The fay asks the P2P net for compiled bins that match my USE flags (or a certain range of USE flags).
3. As every Gentoo user is part of the magic P2P net, I will retrieve my bins in a second.
4. I am happy.
What do you think about it? I know there are issues like CFLAGS but I don't care much about them.

Boris27 Guru
Joined: 05 Nov 2003 Posts: 562 Location: Almelo, The Netherlands
Posted: Thu Feb 19, 2004 12:55 pm

What about bins with a rootkit of some sort installed? Or an exploit crafted in? I'd rather not have stuff like that on my PC.

pranyi Apprentice
Joined: 06 Mar 2003 Posts: 293 Location: Germany
Posted: Thu Feb 19, 2004 1:05 pm

I voted good idea. However, I have concerns whether it could be reliably and securely solved.
The quality of these packages would be quite questionable; moreover, it could open the door for Gentoo-wide viruses and backdoors. (Think about it: a lot of packages would run in privileged mode!) This would be a risk that is hard to rule out.

krusty_ar Guru
Joined: 03 Oct 2002 Posts: 560 Location: Rosario, Argentina
Posted: Thu Feb 19, 2004 1:56 pm

How many times will we have to read this idea?
I just have one thing to say: if you REALLY think it can be done, just do it(tm), because everyone else (especially devs) thinks it's not.
And please search the forums before posting.
Sorry for the rant, I didn't mean to offend anyone.
_________________
I am Beta, don't expect correct behaviour from me.
Take part in the adopt an unanswered post initiative

Roguelazer Veteran
Joined: 10 Feb 2003 Posts: 1233 Location: San Francisco, CA
Posted: Thu Feb 19, 2004 4:12 pm

The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets md5-checked, and when you download something, it gets md5-checked...
_________________
Registered Linux User #263260

gurke Apprentice
Joined: 10 Jul 2003 Posts: 260
Posted: Thu Feb 19, 2004 4:18 pm

This is rootkits for free, since you can't control the binary code, and there is no way to certify all these packages. GRP will be the only way to go if you want binary packages and security.

Selecter Tux's lil' helper
Joined: 12 Jan 2004 Posts: 128 Location: Estonia
Posted: Thu Feb 19, 2004 4:48 pm Post subject: Re: Vision: Gentoo with P2P Binary Package system

error26 wrote:
> If I had a wish free, I would ask the big Gentoo fay for a P2P binary package net.
> 1. You type emerge -p2p kde.
> 2. The fay asks the P2P net for compiled bins that match my USE flags (or a certain range of USE flags).
> 3. As every Gentoo user is part of the magic P2P net, I will retrieve my bins in a second.
> 4. I am happy.
> What do you think about it? I know there are issues like CFLAGS but I don't care much about them.
There may be security reasons not to do that.

pranyi Apprentice
Joined: 06 Mar 2003 Posts: 293 Location: Germany
Posted: Thu Feb 19, 2004 5:28 pm

Roguelazer wrote:
> The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets md5-checked, and when you download something, it gets md5-checked...
How does it help?

Roguelazer Veteran
Joined: 10 Feb 2003 Posts: 1233 Location: San Francisco, CA
Posted: Thu Feb 19, 2004 5:39 pm

Well, if users were forced to submit their files in, say, .tar.gz format, and some kind person was to create every possible file and get its md5sum, then we'd be able to assure the authenticity...
_________________
Registered Linux User #263260

gurke Apprentice
Joined: 10 Jul 2003 Posts: 260
Posted: Thu Feb 19, 2004 6:18 pm

Roguelazer wrote:
> The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets md5-checked, and when you download something, it gets md5-checked...
Someone would need to review and test all packages _by hand_ to ensure there are no backdoors, etc., and then generate those md5sums. This will not work out, since there are too many combinations of CFLAGS and USE flags.

Roguelazer Veteran
Joined: 10 Feb 2003 Posts: 1233 Location: San Francisco, CA
Posted: Thu Feb 19, 2004 6:21 pm

The poster said he didn't care about CFLAGS... I think what he wants is for GRP packages to be distributed over P2P, all with standard CFLAGS and USE flags, just like what Gentoo ships on the GRP CD. BitTorrent would probably be better, though...
_________________
Registered Linux User #263260

SB n00b
Joined: 12 Jan 2004 Posts: 74 Location: At The Bar!
Posted: Sat Feb 21, 2004 2:05 am

Nope,
Quote:
> 2. The fay asks the P2P net for compiled bins that match my USE flags (or a certain range of USE flags).
Since the binaries will differ depending on the compiler used as well as the USE flags, the possible combinations for one binary file alone are horrific. As for CFLAGS, well, they are important because if they don't match and backward compatibility isn't set then it won't run.
I personally don't like the idea at all; the concept of someone else unknown compiling a binary to run on my system just doesn't seem to make sense. After all, is this kind volunteer going to test every package to make sure there are no exploits embedded in it? That little httpd binary could have all manner of extra 'features'.
Emerging a package doesn't take very long, with some exceptions of course. You can always set the niceness down and run it in the background whilst you work, or even use another PC or distcc to compile the packages.
_________________
SB
"The gene pool could use a little chlorine..."

NuclearFusi0n Apprentice
Joined: 20 Jun 2003 Posts: 297
Posted: Sat Feb 21, 2004 2:18 am

If your security arguments held any weight, there would exist no distribution that uses binary packages.
I would think the point would be for Gentoo or Gentoo maintainers to create the binary packages using generic CFLAGS and average USE flags, store the md5sum in a central database, and let the packages crawl P2P if they don't want to dedicate server space for them.
_________________
I will keel yoo grub
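pranyi's question above ("How does it help?") and the central database NuclearFusi0n describes can be made concrete. The following is an added illustration, not code from the thread or from Portage: a peer that ships a file together with the md5sum it computed itself always passes a self-check, so the digest only helps when it comes from a channel the serving peer does not control. The package name and byte contents are constructed.

```python
import hashlib

# Constructed stand-ins for .tbz2 contents (not real Gentoo artifacts). md5 is used because it
# is what the thread proposes; a manifest written today would use a SHA-2 digest instead.
ORIGINAL = b"kde-3.2.0.tbz2: honest build output"
TAMPERED = b"kde-3.2.0.tbz2: honest build output plus some extra 'features'"

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def peer_serves(blob: bytes) -> dict:
    """A peer publishes a file together with the md5sum it computed itself. A malicious peer
    computes the digest over whatever it ships, so the pair is always self-consistent."""
    return {"blob": blob, "md5": md5_hex(blob)}

def check_against_peer_digest(served: dict) -> bool:
    """The check as pranyi read it: compare the file with the digest that arrived with it."""
    return md5_hex(served["blob"]) == served["md5"]

def check_against_trusted_manifest(served: dict, name: str, manifest: dict) -> bool:
    """NuclearFusi0n's variant: the expected digest comes from a central database that the
    trusted builder wrote and the serving peer cannot modify."""
    expected = manifest.get(name)
    return expected is not None and md5_hex(served["blob"]) == expected

# Constructed manifest: one entry per build the trusted builder actually made. This is gurke's
# objection in miniature, since every CFLAGS/USE combination would need its own entry here.
TRUSTED_MANIFEST = {"kde-3.2.0.tbz2": md5_hex(ORIGINAL)}

def demo() -> dict:
    honest = peer_serves(ORIGINAL)
    evil = peer_serves(TAMPERED)
    return {
        "honest_peer_digest": check_against_peer_digest(honest),  # True
        "evil_peer_digest": check_against_peer_digest(evil),      # True: the self-check proves nothing
        "honest_manifest": check_against_trusted_manifest(honest, "kde-3.2.0.tbz2", TRUSTED_MANIFEST),  # True
        "evil_manifest": check_against_trusted_manifest(evil, "kde-3.2.0.tbz2", TRUSTED_MANIFEST),      # False
    }
```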

SB n00b
Joined: 12 Jan 2004 Posts: 74 Location: At The Bar!
Posted: Sat Feb 21, 2004 2:25 am

But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well, it just wouldn't be Gentoo anymore.
Binary packages for other distributions are built and tested by a trusted source. If you were a Red Hat user, for example, would you download an RPM of ProFTPD or Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?
The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched, his USE flags. People's USE flags range so widely that either packages would have to be built with masses of USE flags (think compiling in gnome, gtk, kde, qt, oss, alsa support etc...) or they would have to build many packages.
As for CFLAGS, well, don't you like having CPU optimisations?
What you're talking about is a P2P front end for GRP, which I would think is different to the original suggestion. Think about the admin overhead on this as well: Gentoo would have to dedicate an entire team to just building and testing binary packages!
_________________
SB
"The gene pool could use a little chlorine..."

NuclearFusi0n Apprentice
Joined: 20 Jun 2003 Posts: 297
Posted: Sat Feb 21, 2004 4:38 am

SB wrote:
> But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well, it just wouldn't be Gentoo anymore.
> Binary packages for other distributions are built and tested by a trusted source. If you were a Red Hat user, for example, would you download an RPM of ProFTPD or Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?
> The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched, his USE flags. People's USE flags range so widely that either packages would have to be built with masses of USE flags (think compiling in gnome, gtk, kde, qt, oss, alsa support etc...) or they would have to build many packages.
> As for CFLAGS, well, don't you like having CPU optimisations?
> What you're talking about is a P2P front end for GRP, which I would think is different to the original suggestion. Think about the admin overhead on this as well: Gentoo would have to dedicate an entire team to just building and testing binary packages!
Ah, but isn't Gentoo also about choice? Although I wouldn't use it, I think binary packages available in Portage is a great idea that could really help create a great distro. The only reason I don't use Gentoo on slow boxes is the compilation time, and I have been unable to find a distro as good as Gentoo. Gentoo + binary packages = yowza for weak boxes.
But like you said, they would have to be created by a trusted source, and I'm sure the work to do that would take time. Perhaps we could start out small, with binary packages available for only those packages that really need it (OpenOffice, Evolution, KDE/GNOME, Mozilla, GCC, glibc, etc.) (isn't this what GRP is already? Forgive me, I've never dealt with GRP and barely know what it is) and start a volunteer effort to get more binary packages available until people mostly have the choice to choose between source or binary.
Debian's user base might shrink a bit though.
_________________
I will keel yoo grub

EvilTwinSkippy n00b
Joined: 20 Feb 2003 Posts: 63 Location: Philadelphia, PA
Posted: Sun Feb 29, 2004 2:34 am Post subject: Let this concept DIE!

For the last time: Gentoo is a METADISTRIBUTION. It's designed to provide the smallest number of design decisions possible. Once you start mucking around with selecting packages and configuring USE flags and CFLAGS it's pretty much your distro.
Now, if someone wants to go off and spawn their own distro as a binary offshoot of Gentoo, great. We would have one for the GNOME people, one for the KDE people, one for the folks who can't make up their mind, one for the folks who want no X on the machine at all, and one for the folks who insist on using Matchbox, or XFCE.
Which one of those groups you are in radically changes what packages need to be installed and maintained for your system. And you can't make everyone happy. And looking around bugzilla, it's not like the Gentoo team is sitting around looking for neat things to do. They have a hard enough time keeping up with the source-based packages.
In the meantime, get a little clique, some web space, a mascot and a slogan. I have dibs on Tao Linux.
_________________
I've found that people will take what you say more seriously if you tell them Ben Franklin said it first.

Rastagromit n00b
Joined: 06 Mar 2003 Posts: 12 Location: Longview, Texas
Posted: Sun Feb 29, 2004 2:47 am

A vision, eh?
*looks at gentoo-binaries distro*
MY EYES! The goggles! They do nothing!
_________________
[B]ut the undertaking was impossible from the very beginning and of all the impossible ways of carrying it out, this was the least interesting.
---Jorge Luis Borges, "Pierre Menard, Author of the Quixote"

blaksaga Guru
Joined: 19 May 2003 Posts: 461 Location: Omaha, NE, USA

Skorgu n00b
Joined: 10 Sep 2003 Posts: 39
Posted: Tue Aug 24, 2004 10:31 am

*Disclaimer: I stumbled upon this poll on an unrelated search and have done no research on it. This may have all been said already. If so, just ignore it.
Guys (and gals), this isn't as bad an idea as it seems.
This is exactly the application that the whole key-signing Web of Trust thingie that PGP and GPG are designed to implement.
Let's say I, Al, have a machine that I built. It's an ~x86 uber-hardcore dev box with love-sources (or whatever it's called these days), and runs Reiser4. Nifty. Now let's say Bill, whom I know In Real Life, wants to build a new box. He can, and will, want to tweak and recompile and fiddle with his system; that's why he's using Gentoo. But he also doesn't want to wait three days for KDE to compile (bah, real men use FVWM anyway...), he wants to get his system up and running NOW and fiddle later.
This admittedly convenient situation is a tailor-made example of where a P2P binary distribution network is incredibly useful.
What I do is share my tbz2'd binary packages of everything to the world. They're all signed with my PGP/GPG key. This PGP/GPG key is posted somewhere else for duplication and alternate-venue reasons, but it's also available right next to the binaries in the share.
Now Bill can call me up, get my signature and verify all those packages. A well-implemented application will let him just put my public key into /etc/portage/users.trusted and it will Just Work. In fact, once he downloads them and shares them himself, they will get signed by him as well.
Now let's say Charlie wants a similar system. He knows Bill but not me. He downloads Bill's packages because he trusts Bill. Now he also has a (depreciated) level of trust for my packages, since I provided them originally. He may then download the packages from both of us, as they're identical. In the future, he may choose to trust my releases even if they're not signed by Bill, as I've 'proven' myself to him.
Again, the specific math is harder than this general overview, but the point is the trust issue can be resolved. Individual packages won't last long enough for them to build up a web of trust all by themselves, but since lots of ebuilds are update early, update often, the web will form quickly.
Of course this revolves around people having and using PGP/GPG and not forgetting their passphrases... which is unlikely.
GRP is obviously for the less bleeding-edge users, but if you're not a bleeding-edge user, shouldn't you be running Debian?
There is a place for binary packages, and there can be a place for P2P/distributed binary packages (or even sources! RSS+BitTorrent are god!). Just canning it out of hand is silly. As someone already said, Gentoo is about choice.
_________________
"I paid for four wheels, make 'em all drive"
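Skorgu's Al/Bill/Charlie scenario, as an added toy model that is not part of the thread and is not Portage's or GnuPG's actual trust model: direct trust is a number each user assigns to a key he verified in person, trust through an intermediary is "depreciated" by a fixed factor per hop, signatures from several keys combine, and a package is installed only above a threshold. The names, weights, attenuation factor and threshold are all constructed.

```python
# Added toy model (not Portage's or GnuPG's trust model). Names and weights are constructed.
# DIRECT_TRUST[user][key] is how far `user` trusts `key` after verifying it in person (0.0-1.0).
DIRECT_TRUST = {
    "bill": {"al": 1.0},       # Bill knows Al In Real Life and checked his key
    "charlie": {"bill": 0.8},  # Charlie knows Bill but has never met Al
}
ATTENUATION = 0.5   # trust is "depreciated" by this factor for every hop through an intermediary
MAX_HOPS = 3        # a signer farther away than this counts as unknown
ACCEPT_AT = 0.6     # minimum combined trust before a package is installed

def trust_in(user, signer, graph=DIRECT_TRUST, hops=MAX_HOPS, seen=()):
    """Trust `user` places in `signer`'s key: the direct value if one exists, otherwise the
    best attenuated path through keys `user` trusts directly. `seen` cuts cycles."""
    if user == signer:
        return 1.0
    direct = graph.get(user, {})
    if signer in direct:
        return direct[signer]
    if hops == 0:
        return 0.0
    best = 0.0
    for middle, weight in direct.items():
        if middle in seen:
            continue
        via = trust_in(middle, signer, graph, hops - 1, seen + (user,))
        best = max(best, weight * ATTENUATION * via)
    return best

def package_trust(user, signers, graph=DIRECT_TRUST):
    """Combine the signatures on one package: it stays untrusted only if every signer does.
    Bill re-signing Al's package is what lifts it over the threshold for Charlie."""
    distrust = 1.0
    for s in signers:
        distrust *= 1.0 - trust_in(user, s, graph)
    return 1.0 - distrust

def accept(user, signers, graph=DIRECT_TRUST):
    return package_trust(user, signers, graph) >= ACCEPT_AT

if __name__ == "__main__":
    print("bill installs al's kde:", accept("bill", {"al"}))                     # True
    print("charlie, signed by al only:", accept("charlie", {"al"}))              # False: 0.4
    print("charlie, signed by al and bill:", accept("charlie", {"al", "bill"}))  # True: 0.88
    # Later Charlie verifies Al's key himself; Al's own releases are then enough.
    later = {"bill": {"al": 1.0}, "charlie": {"bill": 0.8, "al": 0.9}}
    print("charlie after meeting al:", accept("charlie", {"al"}, later))         # True
```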

yngwin Retired Dev
Joined: 19 Dec 2002 Posts: 4572 Location: Suzhou, China
Posted: Wed Aug 25, 2004 11:27 am

There are just too many variables to make this feasible, even apart from the security issues. I choose Gentoo because I can compile from source, optimizing for my machine and my chosen options. If I wanted binaries, there are enough distros that offer that...
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF

plbe l33t
Joined: 01 May 2004 Posts: 661
Posted: Wed Aug 25, 2004 2:09 pm

I will always install from source given a choice; I used FreeBSD for 3 years and always installed via source rather than packages. There's nothing wrong with installing binaries if it's from a trusted source; P2P sounds too risky imho. I say if you want to do it, take a look at how FreeBSD does things; after all, Portage follows in the footsteps of FreeBSD ports, so you might as well do what works.

pjp Administrator
Joined: 16 Apr 2002 Posts: 20067