Good point. The easiest way to secure it would be for the service to trust the other machines based on their root password. If they don't match, don't trust; if they do, then they're either controlled by the same person or at least one of the admins is a moron. I was also assuming you would only trust packages signed by your distro, in which case, even if someone broke into your house and put a machine on your network, its rogue packages would easily be detected and ignored.
<br><br>Local repositories have to be set up, and maintained by people. The package manager is 'just there'. I'm surprised the main distros haven't came up with a clever way like this to save on their bandwidth bills.
<br><br><div><span class="gmail_quote">On 9/20/07, <b class="gmail_sendername">Kyle Sexton</b> <<a href="mailto:ks@mocker.org">ks@mocker.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
"Billy Crook" <<a href="mailto:billycrook@gmail.com">billycrook@gmail.com</a>> writes:<br><br>> Has anyone ever heard of a package manager that 'scans' other machines within its subnet or within specified subnets
<br>> for updates before using the official repositories? There would either have to be some service advertisement protocol<br>> lime MDNS or each machine would literally have to scan for a designated port number listening for these requests on all
<br>> machines. Once they locate each other, the idea would be ome machine downloads 500MB of updates from the repo, and<br>> from there on, every other machine (with the same distro and arch) just pulls from the faster local machine, rather
<br>> than using up inet bandwidth.<br>><br>> Any suggestions (Other than a dedicated local repository mirror)?<br>><br><br>I haven't heard of anything like this before, but a problem I see is<br>that you'd have to authenticate which of the servers are allowed to
<br>contain updates. Otherwise someone could put a box up w/ rouge packages<br>and get them pushed out (granted package signing probably solves this a<br>little).<br><br>Can I ask what the advantage of this as opposed to a local repository
<br>is?<br><br>--<br>Kyle Sexton<br></blockquote></div><br>