Gentoo Forums
Vision: Gentoo with P2P Binary Package system

Poll: you can poll this.
its a gooood idea: 39% [41]
no, i dont like it: 60% [62]
Total Votes: 103

error26
n00b

Joined: 22 Feb 2003
Posts: 65
Location: Vienna

PostPosted: Thu Feb 19, 2004 12:17 pm    Post subject: Vision: Gentoo with P2P Binary Package system

If I had a free wish, I would ask the big Gentoo fay for a P2P binary package net.

1. You type emerge -p2p kde
2. The fay asks the P2P net for compiled bins that match my USE flags (or a certain range of USE flags).
3. As every Gentoo user is part of the magic P2P net, I will retrieve my bins in a second.
4. I am happy.

What do you think about it? I know there are issues like CFLAGS, but I don't care much about them.
Boris27
Guru

Joined: 05 Nov 2003
Posts: 562
Location: Almelo, The Netherlands

PostPosted: Thu Feb 19, 2004 12:55 pm    Post subject:

What about bins with a rootkit of some sort installed? Or an exploit crafted in? I'd rather not have stuff like that on my PC.
pranyi
Apprentice

Joined: 06 Mar 2003
Posts: 293
Location: Germany

PostPosted: Thu Feb 19, 2004 1:05 pm    Post subject:

I voted good idea. However, I have concerns whether it could be reliably and securely solved.

The quality of these packages would be quite questionable; moreover, it could open the door for Gentoo-wide viruses and backdoors. (Think about it: a lot of packages would run in privileged mode!) This would be a risk hard to rule out.
krusty_ar
Guru

Joined: 03 Oct 2002
Posts: 560
Location: Rosario, Argentina

PostPosted: Thu Feb 19, 2004 1:56 pm    Post subject:

How many times will we have to read this idea?

I just have one thing to say: if you REALLY think it can be done, just do it(tm), because everyone else (especially devs) thinks it's not.

And please search the forums before posting.


Sorry for the rant, I didn't mean to offend anyone.
_________________
I am Beta, don't expect correct behaviour from me.
Take part of the adopt an unanswered post initiative
Roguelazer
Veteran

Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 4:12 pm    Post subject:

The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets MD5-checked, and when you download something, it gets MD5-checked...
_________________
Registered Linux User #263260
gurke
Apprentice

Joined: 10 Jul 2003
Posts: 260

PostPosted: Thu Feb 19, 2004 4:18 pm    Post subject:

This is rootkits for free, since you can't control the binary code, and there is no way to certify all these packages. GRP will be the only way to go if you want binary packages and security.
Selecter
Tux's lil' helper

Joined: 12 Jan 2004
Posts: 128
Location: Estonia

PostPosted: Thu Feb 19, 2004 4:48 pm    Post subject: Re: Vision: Gentoo with P2P Binary Package system

error26 wrote:
If I had a free wish, I would ask the big Gentoo fay for a P2P binary package net.

1. You type emerge -p2p kde
2. The fay asks the P2P net for compiled bins that match my USE flags (or a certain range of USE flags).
3. As every Gentoo user is part of the magic P2P net, I will retrieve my bins in a second.
4. I am happy.

What do you think about it? I know there are issues like CFLAGS, but I don't care much about them.


There may be security reasons not to do that.
pranyi
Apprentice

Joined: 06 Mar 2003
Posts: 293
Location: Germany

PostPosted: Thu Feb 19, 2004 5:28 pm    Post subject:

Roguelazer wrote:
The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets MD5-checked, and when you download something, it gets MD5-checked...


How does it help?
Roguelazer
Veteran

Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 5:39 pm    Post subject:

Well, if users were forced to submit their files in, say, .tar.gz format, and some kind person was to create every possible file and get its md5sum, then we'd be able to assure the authenticity...
_________________
Registered Linux User #263260
gurke
Apprentice

Joined: 10 Jul 2003
Posts: 260

PostPosted: Thu Feb 19, 2004 6:18 pm    Post subject:

Roguelazer wrote:
The security aspects could be handled if the P2P net AND the P2P software had verification. So when something's uploaded, it gets MD5-checked, and when you download something, it gets MD5-checked...


Someone would need to review and test all packages _by hand_ to ensure there are no backdoors, etc., and then generate those md5sums. This will not work out, since there are too many combinations of CFLAGS and USE flags.
Roguelazer
Veteran

Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 6:21 pm    Post subject:

The poster said he didn't care about cflags... I think what he wants is for grp packages to be distributed over p2p, all with standard cflags and use flags, just like what gentoo ships on the GRP cd. Bittorrent would probably be better, though...
_________________
Registered Linux User #263260
SB
n00b

Joined: 12 Jan 2004
Posts: 74
Location: At The Bar!

PostPosted: Sat Feb 21, 2004 2:05 am    Post subject:

Nope,

Quote:
2. the fay asks the p2p for compiled bins, they match my useflags (or a certain range of USE-flags).


Since the binaries will differ depending on the compiler used as well as USE flags - the possible combinations for one binary file alone are horrific. As for CFLAGS, well, they are important because if they don't match and backward compatibility isn't set then it won't run.

I personally don't like the idea at all; the concept of someone unknown compiling a binary to run on my system just doesn't seem to make sense. After all, is this kind volunteer going to test every package to make sure there are no exploits embedded in it? That little httpd binary could have all manner of extra 'features' :lol:

Emerging a package doesn't take very long, with some exceptions of course. You can always set the niceness down and run it in the background whilst you work, or even use another PC or distcc to compile the packages.
_________________
SB

"The gene pool could use a little chlorine..."
NuclearFusi0n
Apprentice

Joined: 20 Jun 2003
Posts: 297

PostPosted: Sat Feb 21, 2004 2:18 am    Post subject:

If your security arguments held any weight, there would exist no distribution that uses binary packages.

I would think the point would be for Gentoo or gentoo maintainers to create the binary packages using generic CFLAGS and average USE flags, store the md5sum in a central database, and let the packages crawl p2p if they don't want to dedicate server space for them.
_________________
I will keel yoo grub
SB
n00b

Joined: 12 Jan 2004
Posts: 74
Location: At The Bar!

PostPosted: Sat Feb 21, 2004 2:25 am    Post subject:

But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well it just wouldn't be Gentoo anymore :lol:

Binary packages for other distributions are built and tested by a trusted source. If you were a Red Hat user, for example, would you download an RPM of ProFTPD or Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?

The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched, his USE flags. People's USE flags range so widely that either packages would have to be built with masses of USE flags (think compiling in gnome, gtk, kde, qt, oss, alsa support etc.) or they would have to build many packages.

As for CFLAGS, well, don't you like having CPU optimisations?

What you're talking about is a P2P front end for GRP, which I would think is different to the original suggestion. Think about the admin overhead on this as well: Gentoo would have to dedicate an entire team to just building and testing binary packages!
_________________
SB

"The gene pool could use a little chlorine..."
NuclearFusi0n
Apprentice

Joined: 20 Jun 2003
Posts: 297

PostPosted: Sat Feb 21, 2004 4:38 am    Post subject:

SB wrote:
But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well it just wouldn't be Gentoo anymore :lol:

Binary packages for other distributions are built and tested by a trusted source. If you were a Red Hat user, for example, would you download an RPM of ProFTPD or Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?

The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched, his USE flags. People's USE flags range so widely that either packages would have to be built with masses of USE flags (think compiling in gnome, gtk, kde, qt, oss, alsa support etc.) or they would have to build many packages.

As for CFLAGS, well, don't you like having CPU optimisations?

What you're talking about is a P2P front end for GRP, which I would think is different to the original suggestion. Think about the admin overhead on this as well: Gentoo would have to dedicate an entire team to just building and testing binary packages!

Ah, but isn't Gentoo also about choice? Although I wouldn't use it, I think binary packages available in Portage is a great idea that could really help create a great distro. The only reason I don't use Gentoo on slow boxes is the compilation time, and I have been unable to find a distro as good as Gentoo. Gentoo + binary packages = yowza for weak boxes.

but like you said, they would have to be created by a trusted source, and I'm sure the work to do that would take time. Perhaps we could start out small, with binary packages available for only those packages that really need it (OpenOffice, Evolution, KDE/GNOME, Mozilla, GCC, Glibc, etc.) (Isn't this what GRP is already? Forgive me, I've never dealt with GRP and barely know what it is) and start a volunteer effort to get more binary packages available until people mostly have the choice to choose between source or binary.

Debian's user base might shrink a bit though. ;)
_________________
I will keel yoo grub
EvilTwinSkippy
n00b

Joined: 20 Feb 2003
Posts: 63
Location: Philadelphia, PA

PostPosted: Sun Feb 29, 2004 2:34 am    Post subject: Let this concept DIE!

For the last time. Gentoo is a METADISTRIBUTION. It's designed to provide the smallest number of design decisions possible. Once you start mucking around with selecting packages and configuring USE flags and CFLAGS it's pretty much your distro.

Now, if someone wants to go off and spawn their own distro as a binary offshoot of Gentoo, great. We would have one for the GNOME people, one for the KDE people, one for the folks who can't make up their mind, one for the folks who want no X on the machine at all, and one for the folks who insist on using Matchbox, or XFCE.

Which one of those groups you are in radically changes what packages need to be installed and maintained for your system. And you can't make everyone happy. And looking around bugzilla, it's not like the Gentoo team is sitting around looking for neat things to do. They have a hard enough time keeping up with the source-based packages.

In the meantime, get a little clique, some web space, a mascot and a slogan. I have dibs on Tao Linux.
_________________
I've found that people will take what you say more seriously if you tell them Ben Franklin said it first.
Rastagromit
n00b

Joined: 06 Mar 2003
Posts: 12
Location: Longview, Texas

PostPosted: Sun Feb 29, 2004 2:47 am    Post subject:

A vision, eh?

*looks at gentoo-binaries distro*

MY EYES! The goggles! they do nothing!

8)
_________________
[B]ut the undertaking was impossible from the very beginning and of all the impossible ways of carrying it out, this was the least interesting.

---Jorge Luis Borges, "Pierre Menard, author of the Quixote"
blaksaga
Guru

Joined: 19 May 2003
Posts: 461
Location: Omaha, NE, USA

PostPosted: Sun Feb 29, 2004 11:09 pm    Post subject:

You want precompiled binaries? ;)
Skorgu
n00b

Joined: 10 Sep 2003
Posts: 39

PostPosted: Tue Aug 24, 2004 10:31 am    Post subject:

*Disclaimer: I stumbled upon this poll on an unrelated search and have done no research on it. This may have all been said already. If so, just ignore it.

Guys (and gals) this isn't as bad an idea as it seems.

This is exactly the application that the whole key-signing Web Of Trust thingie that PGP and GPG are designed to implement.

Let's say I, Al, have a machine that I built. It's an ~x86 uber-hardcore dev box with love-sources (or whatever it's called these days), and runs Reiser4. Nifty. Now let's say Bill, whom I know In Real Life, wants to build a new box. He can, and will, want to tweak and recompile and fiddle with his system; that's why he's using Gentoo. But he also doesn't want to wait three days for KDE to compile (bah, real men use FVWM anyway...); he wants to get his system up and running NOW and fiddle later.

This, admittedly convenient, situation is a tailor-made example of where a P2P binary distribution network is incredibly useful.

What I do is share my tbz2'd binary packages of everything to the world. They're all signed with my PGP/GPG key. This PGP/GPG key is posted somewhere else for duplication and alternate-venue reasons, but it's also available right next to the binaries in the share.

Now Bill can call me up, get my signature and verify all those packages. A well-implemented application will let him just put my public key into /etc/portage/users.trusted and it will Just Work. In fact, once he downloads them and shares them himself, they will get signed by him as well.

Now let's say Charlie wants a similar system. He knows Bill but not me. If he downloads Bill's packages because he trusts Bill, he now also has a (depreciated) level of trust for my packages, since I provided them originally. He may then download the packages from both of us, as they're identical. In the future, he may choose to trust my releases even if they're not signed by Bill, as I've 'proven' myself to him.

Again, the specific math is harder than this general overview, but the point is the trust issue can be resolved. Individual packages won't last long enough for them to build up a web of trust all by themselves, but since lots of ebuilds are update early, update often, the web will form quickly.

Of course this revolves around people having and using PGP/GPG and not forgetting their passphrases...which is unlikely.

GRP is obviously for the less bleeding edge users, but if you're not a bleeding-edge user, shouldn't you be running debian?

There is a place for binary packages, and there can be a place for p2p/distributed binary packages (or even sources! rss+bittorrent are god!). Just canning it out of hand is silly. As someone already said, Gentoo is about choice.
_________________
"I paid for four wheels, make 'em all drive"
yngwin
Retired Dev

Joined: 19 Dec 2002
Posts: 4572
Location: Suzhou, China

PostPosted: Wed Aug 25, 2004 11:27 am    Post subject:
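The Al/Bill/Charlie flow Skorgu sketches above (Al signs his tbz2s, Bill verifies and re-signs, Charlie inherits depreciated trust through Bill and eventually trusts Al directly), as an added example that is not part of the original thread; it also shows why a binary modified after signing, the rootkit case raised earlier in the thread, is rejected. The digest-based "signatures", the trust weights, the users.trusted dictionary and the sample packages are all constructed stand-ins, since the standard library has no asymmetric crypto; real GPG signatures would take the place of the digest records.

```python
"""Toy web-of-trust model for the P2P tbz2 scheme sketched in the post above. Signatures are
stood in by (key id -> SHA-256 digest) records; the stdlib has no asymmetric crypto."""
from dataclasses import dataclass, field
import hashlib

DEPRECIATION = 0.8   # trust kept per hop: a co-signer of an accepted package earns 80% of it
THRESHOLD = 0.6      # minimum signer trust before the (hypothetical) tool would unpack a tbz2
PROMOTE_AFTER = 3    # accepted co-signed packages before an unknown signer is trusted directly

@dataclass
class Package:
    name: str
    payload: bytes                                      # stands in for the .tbz2 bytes
    sigs: dict[str, str] = field(default_factory=dict)  # key id -> digest that key vouched for
    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

def sign(pkg: Package, key_id: str) -> Package:
    """Detached-signature stand-in: bind key_id to the digest of the current payload."""
    pkg.sigs[key_id] = pkg.digest()
    return pkg

@dataclass
class User:
    key_id: str
    trusted: dict[str, float]                           # the post's hypothetical users.trusted
    seen: dict[str, int] = field(default_factory=dict)  # accepted packages per unknown co-signer
    def install(self, pkg: Package) -> bool:
        """Accept pkg only if a signature over its *current* bytes comes from a key trusted at
        or above THRESHOLD; credit unknown co-signers and promote them after PROMOTE_AFTER."""
        valid = {k for k, d in pkg.sigs.items() if d == pkg.digest()}  # tampering voids sigs
        direct = [self.trusted[k] for k in valid if k in self.trusted]
        if not direct or max(direct) < THRESHOLD:
            return False
        for k in valid - set(self.trusted):
            self.seen[k] = self.seen.get(k, 0) + 1
            if self.seen[k] >= PROMOTE_AFTER:
                self.trusted[k] = max(direct) * DEPRECIATION
        sign(pkg, self.key_id)  # re-sharing adds our own signature, as the post describes
        return True

def scenario() -> tuple[dict[str, bool], float]:
    """Al builds, Bill (trusts Al) re-shares, Charlie (trusts only Bill) installs. Constructed."""
    bill, charlie = User("BILL", {"AL": 1.0}), User("CHARLIE", {"BILL": 1.0})
    out = {"al_only_before": charlie.install(sign(Package("kde-0", b"kde build 0"), "AL"))}
    for i in range(PROMOTE_AFTER):                       # Bill vouches, Charlie learns of Al
        pkg = sign(Package(f"kde-{i}", f"kde build {i}".encode()), "AL")
        out[pkg.name] = bill.install(pkg) and charlie.install(pkg)
    out["al_only_after"] = charlie.install(sign(Package("kde-new", b"kde new"), "AL"))
    httpd = sign(sign(Package("httpd", b"clean httpd"), "AL"), "BILL")
    httpd.payload = b"httpd with extra 'features'"       # modified after both signed it
    out["tampered"] = charlie.install(httpd)
    out["unknown_signer"] = charlie.install(sign(Package("gcc", b"gcc"), "MALLORY"))
    return out, round(charlie.trusted.get("AL", 0.0), 2)
```

Note that a hash alone (the md5sum proposal earlier in the thread) is only as good as the key that vouches for it: here the tampered httpd fails not because its digest changed but because no trusted key ever signed the changed bytes.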

There are just too many variables to make this feasible, even apart from the security issues. I choose Gentoo because I can compile from source, optimizing for my machine and my chosen options. If I wanted binaries, there are enough distros that offer that...
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF
plbe
l33t

Joined: 01 May 2004
Posts: 661

PostPosted: Wed Aug 25, 2004 2:09 pm    Post subject:

I will always install from source given a choice. I used FreeBSD for 3 years and always installed via source rather than packages. There's nothing wrong with installing binaries if it's from a trusted source; P2P sounds too risky IMHO. I say if you want to do it, take a look at how FreeBSD does things; after all, Portage follows in the footsteps of FreeBSD ports, so you might as well do what works.
pjp
Administrator

Joined: 16 Apr 2002
Posts: 20067

PostPosted: Wed Sep 22, 2004 2:54 pm    Post subject:

https://forums.gentoo.org/viewtopic.php?t=145494
_________________
Quis separabit? Quo animo?