Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Vision: Gentoo with P2P Binary Package system
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Duplicate Threads
View previous topic :: View next topic  

you can poll this.
its a gooood idea
39%
 39%  [ 41 ]
no, i dont like it
60%
 60%  [ 62 ]
Total Votes : 103

Author Message
error26
n00b
n00b


Joined: 22 Feb 2003
Posts: 65
Location: Vienna

PostPosted: Thu Feb 19, 2004 12:17 pm    Post subject: Vision: Gentoo with P2P Binary Package system Reply with quote

If i would have a wish free i would ask the big gentoo fay for a p2p binary package net.

1. you type emerge -p2p kde
2. the fay asks the p2p for compiled bins, they match my useflags (or a certain range of USE-flags).
3. as for every gentoo user is part of the magic p2p net, i will retrive my bins in a second.
4. i am happy

what do you thin about. i know there are issues like Cflags but i dont care mutch about them.
Back to top
View user's profile Send private message
Boris27
Guru
Guru


Joined: 05 Nov 2003
Posts: 562
Location: Almelo, The Netherlands

PostPosted: Thu Feb 19, 2004 12:55 pm    Post subject: Reply with quote

What about bins with a rootkit of some sort installed? Or an exploit crafted in? I'd rather not have stuff like that on my PC.
Back to top
View user's profile Send private message
pranyi
Apprentice
Apprentice


Joined: 06 Mar 2003
Posts: 293
Location: Germany

PostPosted: Thu Feb 19, 2004 1:05 pm    Post subject: Reply with quote

I voted good idea. However I have concerns whether it could be reliably and securely solved.

The quality of these packages would be quite questionable, moreover it could open the door for Gentoo-wide viruses and backdoors. (Think about it : a lot of packages would run n priviligized mode!). This would be a risk hard to be ruled out.
Back to top
View user's profile Send private message
krusty_ar
Guru
Guru


Joined: 03 Oct 2002
Posts: 560
Location: Rosario, Argentina

PostPosted: Thu Feb 19, 2004 1:56 pm    Post subject: Reply with quote

How many times will we have to read this idea?

I just have one thing to say: If you REALLY think it can be done, just do it(tm), because everyone else (specially devs) think it's not

And please search the forums before posting


Sorry for the rant, I didn't mean to offend anyone
_________________
I am Beta, don't expect correct behaviour from me.
Take part of the adopt an unaswered post initiative
Back to top
View user's profile Send private message
Roguelazer
Veteran
Veteran


Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 4:12 pm    Post subject: Reply with quote

The security aspects could be handled if the p2p net AND the p2p software had verification. So when something's uploaded, it gets md5checked, and when you download something, it gets md5checked...
_________________
Registered Linux User #263260
Back to top
View user's profile Send private message
gurke
Apprentice
Apprentice


Joined: 10 Jul 2003
Posts: 260

PostPosted: Thu Feb 19, 2004 4:18 pm    Post subject: Reply with quote

this is rootkits for free, since you cant control the binary code, and there is no way to certify all these packages. grp will be the only way to go, if you want binary packages and security.
Back to top
View user's profile Send private message
Selecter
Tux's lil' helper
Tux's lil' helper


Joined: 12 Jan 2004
Posts: 128
Location: Estonia

PostPosted: Thu Feb 19, 2004 4:48 pm    Post subject: Re: Vision: Gentoo with P2P Binary Package system Reply with quote

error26 wrote:
If i would have a wish free i would ask the big gentoo fay for a p2p binary package net.

1. you type emerge -p2p kde
2. the fay asks the p2p for compiled bins, they match my useflags (or a certain range of USE-flags).
3. as for every gentoo user is part of the magic p2p net, i will retrive my bins in a second.
4. i am happy

what do you thin about. i know there are issues like Cflags but i dont care mutch about them.


There may be security reasons not to do that.
Back to top
View user's profile Send private message
pranyi
Apprentice
Apprentice


Joined: 06 Mar 2003
Posts: 293
Location: Germany

PostPosted: Thu Feb 19, 2004 5:28 pm    Post subject: Reply with quote

Roguelazer wrote:
The security aspects could be handled if the p2p net AND the p2p software had verification. So when something's uploaded, it gets md5checked, and when you download something, it gets md5checked...


How does it help?
Back to top
View user's profile Send private message
Roguelazer
Veteran
Veteran


Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 5:39 pm    Post subject: Reply with quote

Well, if users were forced to submit their files in, say, .tar.gz format, and some kind person was to create every possible file and get its md5sum, then we'd be able to assure the authenticity...
_________________
Registered Linux User #263260
Back to top
View user's profile Send private message
gurke
Apprentice
Apprentice


Joined: 10 Jul 2003
Posts: 260

PostPosted: Thu Feb 19, 2004 6:18 pm    Post subject: Reply with quote

Roguelazer wrote:
The security aspects could be handled if the p2p net AND the p2p software had verification. So when something's uploaded, it gets md5checked, and when you download something, it gets md5checked...


someone would need to review and test all packages _by hand_, to ensure there are no backdoors, etc. and then generate those md5sums. this will not work out, since there too much combinations of cflags and useflags.
Back to top
View user's profile Send private message
Roguelazer
Veteran
Veteran


Joined: 10 Feb 2003
Posts: 1233
Location: San Francisco, CA

PostPosted: Thu Feb 19, 2004 6:21 pm    Post subject: Reply with quote

The poster said he didn't care about cflags... I think what he wants is for grp packages to be distributed over p2p, all with standard cflags and use flags, just like what gentoo ships on the GRP cd. Bittorrent would probably be better, though...
_________________
Registered Linux User #263260
Back to top
View user's profile Send private message
SB
n00b
n00b


Joined: 12 Jan 2004
Posts: 74
Location: At The Bar!

PostPosted: Sat Feb 21, 2004 2:05 am    Post subject: Reply with quote

Nope,

Quote:
2. the fay asks the p2p for compiled bins, they match my useflags (or a certain range of USE-flags).


Since the binaries will differ depending on the compiler used as well as USE flags - the possible combinations for one binary file alone are horrific. As for CFLAGS, well, they are important because if they don't match and backward compatibility isn't set then it won't run.

I personally don't like the idea at all, the concept of someone else unknown compiling a binary to run on my system just doesn't seem to make sense. After all, is this kind volunteer going to test every package to make sure there are no exploits embedded in it? That little httpd binary could have all manner of extra 'features' :lol:

Emerging a package doesn't take very long, with some exceptions of course. You can always set the niceness down and run it in the background whilst you work, or even use another PC or distcc to compile the packages.
_________________
SB

"The gene pool could use a little chlorine..."
Back to top
View user's profile Send private message
NuclearFusi0n
Apprentice
Apprentice


Joined: 20 Jun 2003
Posts: 297

PostPosted: Sat Feb 21, 2004 2:18 am    Post subject: Reply with quote

If your security arguments held any weight, there would exist no distribution that uses binary packages.

I would think the point would be for Gentoo or gentoo maintainers to create the binary packages using generic CFLAGS and average USE flags, store the md5sum in a central database, and let the packages crawl p2p if they don't want to dedicate server space for them.
_________________
I will keel yoo grub
Back to top
View user's profile Send private message
SB
n00b
n00b


Joined: 12 Jan 2004
Posts: 74
Location: At The Bar!

PostPosted: Sat Feb 21, 2004 2:25 am    Post subject: Reply with quote

But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well it just wouldn't be Gentoo anymore :lol:

Binary packages for other distributions are built and tested by a trusted source. If you were a redhat user for example, would you download a RPM of ProFTPD of Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?

The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched his USE flags. Peoples USE flags range so widely that either packages would have to be built with masses of USE flags - think compiling in gnome, gtk, kde, qt, oss, alsa support etc... or they would have to build many packages.

As for CFLAGS, well, don't you like having CPU optimisations?

What you're talking about is a P2P fron end for GRP which I would think is different to the original suggestion. Think about the admin overhead on this as well - Gentoo would have to dedicate an entire team to just building and testing binary packages!
_________________
SB

"The gene pool could use a little chlorine..."
Back to top
View user's profile Send private message
NuclearFusi0n
Apprentice
Apprentice


Joined: 20 Jun 2003
Posts: 297

PostPosted: Sat Feb 21, 2004 4:38 am    Post subject: Reply with quote

SB wrote:
But isn't Gentoo a source-based distribution? If you start doing everything with binaries, well it just wouldn't be Gentoo anymore :lol:

Binary packages for other distributions are built and tested by a trusted source. If you were a redhat user for example, would you download a RPM of ProFTPD of Apache from www.getyabinshere.com without any concern, or would you rather get it from updates.redhat.com?

The original poster wanted end-user compiled binaries because he wanted ones that matched, or closely matched his USE flags. Peoples USE flags range so widely that either packages would have to be built with masses of USE flags - think compiling in gnome, gtk, kde, qt, oss, alsa support etc... or they would have to build many packages.

As for CFLAGS, well, don't you like having CPU optimisations?

What you're talking about is a P2P fron end for GRP which I would think is different to the original suggestion. Think about the admin overhead on this as well - Gentoo would have to dedicate an entire team to just building and testing binary packages!

ah, but isn't Gentoo also about choice? Although I wouldn't use it, I think binary packages available in portage is a great idea that could really help create a great distro. The only reason I don't use Gentoo on slow boxes is the compliation time, and I have been unable to find a distro as good as Gentoo. Gentoo + binary packages = yowza for weak boxes.

but like you said, they would have to be created by a trusted source, and I'm sure the work to do that would take time. Perhaps we could start out small, with binary packages available for only those packages that really need it (OpenOffice, Evolution, KDE/GNOME, Mozilla, GCC, Glibc, etc.) (Isn't this what GRP is already? Forgive me, I've never dealt with GRP and barely know what it is) and start a volunteer effort to get more binary packages available until people mostly have the choice to choose between source or binary.

Debian's user base might shrink a bit though. ;)
_________________
I will keel yoo grub
Back to top
View user's profile Send private message
EvilTwinSkippy
n00b
n00b


Joined: 20 Feb 2003
Posts: 63
Location: Philadelphia, PA

PostPosted: Sun Feb 29, 2004 2:34 am    Post subject: Let this concept DIE! Reply with quote

For the last time. Gentoo is a METADISTRIBUTION. It's designed to provide the smallest number of design decisions possible. Once you start mucking around with selecting packages and configuring USE flags and CFLAGS it's pretty much your distro.

Now, if someone wants to go off and spawn their own distro as a binary offshoot of Gentoo, great. We would have one for the GNOME people, one for the KDE people, one for the folks who can't make up their mind, one for the folks who want no X on the machine at all, and one for the folks who insist on using Matchbox, or XFCE.

Which one of those groups you are in radically changes what packages need to be installed and maintained for your system. And you can't make everyone happy. And looking around bugzilla, it's not like the Gentoo team is sitting around looking for neat things to do. They have a hard enough time keeping up with the source-based packages.

In the meantime, get a little clique, some web space, a mascot and a slogan. I have dibs on Tao Linux.
_________________
I've found that people will take what you say more seriously if you tell them Ben Franklin said it first.
Back to top
View user's profile Send private message
Rastagromit
n00b
n00b


Joined: 06 Mar 2003
Posts: 12
Location: Longview, Texas

PostPosted: Sun Feb 29, 2004 2:47 am    Post subject: Reply with quote

A vision, eh?

*looks at gentoo-binaries distro*

MY EYES! The goggles! they do nothing!

8)
_________________
[B]ut the undertaking was impossible from the very beginning and of all the impossible ways of carrying it out, this was the least interesting.

---Jorge Luis Borges, "Pierre Menard, author of the Quixote"
Back to top
View user's profile Send private message
blaksaga
Guru
Guru


Joined: 19 May 2003
Posts: 461
Location: Omaha, NE, USA

PostPosted: Sun Feb 29, 2004 11:09 pm    Post subject: Reply with quote

You want precompiled binaries? ;)
Back to top
View user's profile Send private message
Skorgu
n00b
n00b


Joined: 10 Sep 2003
Posts: 39

PostPosted: Tue Aug 24, 2004 10:31 am    Post subject: Reply with quote

*Disclaimer: I stumbled upon this poll on an unrelated search and have done no research on it. This may have all been said already. If so, just ignore it.

Guys (and gals) this isn't as bad an idea as it seems.

This is exactly the application that the whole key-signing Web Of Trust thingie that PGP and GPG are designed to implement.

Let's say I, Al, have a machine that I built. Its an ~x86 uber-hardcore dev box with love-sources (or whatever its called these days), and runs Reiser4. Nifty. Now let's say Bill, whom I know In Real Life, wants to build a new box. He can, and will, want to tweak and recompile and fiddle with his system, that's why he's using Gentoo. But he also doesn't want to wait three days for KDE to compile (bah, real men use FVWM anyway...), he wants to get his system up and running NOW and fiddle later.

This, admittedly convenient situation is a tailor-made example of where a p2p binary distribution network is incredibly useful.

What I do is share my tbz2'd binary packages of everything to the world. They're all signed with my PGP/GPG key. This PGP/GPG key is posted somewhere else for duplication and alternate-venue reasons, but its also available right next to the binaries in the share.

Now Bill can call me up, get my signature and verify all those packages. A well-implemented application will let him just put my public key into /etc/portage/users.trusted and it will Just Work. In fact, once he downloads them and shares them himself, they will get signed by him as well.

Now let's say Charlie wants a similar system. He knows Bill but not me. If he downloads Bill's packages because he trusts Bill. Now he also has a (depreciated) level of trust for my packages, since I provided them originally. He may then download the packages from both of us, as they're identical. In the future, he may chose to trust my releases even if they're not signed by Bill, as I've 'proven' myself to him.

Again, the specific math is harder than this general overview, but the point is the trust issue can be resolved. Individual packages won't last long enough for them to build up a web of trust all by themselves, but since lots of ebuilds are update early update often, the web will form quickly.

Of course this revolves around people having and using PGP/GPG and not forgetting their passphrases...which is unlikely.

GRP is obviously for the less bleeding edge users, but if you're not a bleeding-edge user, shouldn't you be running debian?

There is a place for binary packages, and there can be a place for p2p/distributed binary packages (or even sources! rss+bittorrent are god!). Just canning it out of hand is silly. As someone already said, Gentoo is about choice.
_________________
"I paid for four wheels, make 'em all drive"
Back to top
View user's profile Send private message
yngwin
Retired Dev
Retired Dev


Joined: 19 Dec 2002
Posts: 4572
Location: Suzhou, China

PostPosted: Wed Aug 25, 2004 11:27 am    Post subject: Reply with quote

There are just too many variables to make this feasible, even apart from the security issues. I choose Gentoo because I can compile from source, optimizing for my machine and my chosen options. If I wanted binaries, there are enough distros that offer that...
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF
Back to top
View user's profile Send private message
plbe
l33t
l33t


Joined: 01 May 2004
Posts: 661

PostPosted: Wed Aug 25, 2004 2:09 pm    Post subject: Reply with quote

I will always install from source given a choice, I used freebsd for 3 years and always installed via source rather then packages. Theres nothing wrong with installing binaries if its from a trusted source p2p sounds to risky imho. I say if you want to do it take a look at how freebsd does things afterall portage follows in the footsteps of freebsd ports so you might as well do what works
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18438

PostPosted: Wed Sep 22, 2004 2:54 pm    Post subject: Reply with quote

https://forums.gentoo.org/viewtopic.php?t=145494
_________________
The media sells it and you live the role.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Duplicate Threads All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum