So I'm guessing the answer is: No, nobody has heard of a package manager that does this on its own.<br><br><div><span class="gmail_quote">On 9/20/07, <b class="gmail_sendername">Charles Steinkuehler</b> &lt;<a href="mailto:charles@steinkuehler.net">charles@steinkuehler.net</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1
<br><br>Billy Crook wrote:<br>> Good point. The easiest way to secure it would be for the service to<br>> trust the other machines based on their root password. If they don't<br>> match, don't trust; if they do, then they're either controlled by the
<br>> same person or at least one of the admins is a moron. I was also<br>> assuming you would only trust packages signed by your distro, in which<br>> case, even if someone broke into your house and put a machine on your
<br>> network, its rogue packages would easily be detected and ignored.<br><br>As long as the repository is properly secured against man in the middle<br>attacks you should be safe with the proxy approach I mentioned, or with
<br>any other sort of distributed download/storage. Exactly *HOW* the file<br>gets onto the system shouldn't matter to the verification tools.<br><br>And if the repository/packaging tools aren't secure against MitM
<br>attacks, it's not really secure anyway (unless you know and trust every<br>link between you and the repository).<br><br>> Local repositories have to be set up, and maintained by people. The<br>> package manager is 'just there'. I'm surprised the main distros haven't
<br>> come up with a clever way like this to save on their bandwidth bills.<br><br>Indeed. And using a transparent proxy approach, it shouldn't be hard to<br>make a pre-configured proxy system that would require minimal setup on
<br>the server side (how big and where would you like the repository cache),<br>and little or no setup on the client end (could require pointing to the<br>'local' repository or maybe even auto-discover).<br><br>This seems easy enough someone should throw together a Debian package
<br>for it. Oh wait...why not look to see if someone else has done this<br>already?<br><br>$ apt-cache search apt cache<br>alevt - X11 Teletext/Videotext browser<br>approx - caching proxy server for Debian archive files<br>
apt-cacher - caching proxy system for Debian package and source files<br>apt-file - APT package searching utility -- command-line interface<br>apt-move - Maintain Debian packages in a package pool<br>apt-proxy - Debian archive proxy and partial mirror builder
<br>apt-rdepends - Recursively lists package dependencies<br>bmagic - C++ template library for efficient platform independent bitsets<br>gpsbabel - GPS file conversion plus transfer to/from GPS units<br>kio-apt - an apt-cache ioslave for KDE
<br>libapt-pkg-perl - Perl interface to libapt-pkg<br>sg3-utils - Utilities for working with generic SCSI devices<br>wajig - simplified Debian package management front end<br><br>Looks like approx, apt-cacher, and apt-proxy all do what you're looking
<br>for, with the caveat that files are stored on one machine, and not<br>distributed across all client systems.<br><br>- --<br>Charles Steinkuehler<br><a href="mailto:charles@steinkuehler.net">charles@steinkuehler.net</a>
<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.0 (MingW32)<br>Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org">http://enigmail.mozdev.org</a><br><br>iD8DBQFG8s/uLywbqEHdNFwRAlybAKDys2w9D8uT+M+Tnon/zMnUEeVr2QCfaJ/b
<br>Qu/oHzqk/hLEkvvzCr6IGpM=<br>=dMt/<br>-----END PGP SIGNATURE-----<br></blockquote></div><br>
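The point made in the thread, that how a file gets onto the system should not matter to the verification tools, as an added Python example that is not part of the original email and is not apt's own code: whatever a cache or LAN peer serves is checked against hashes chained from the Release file. Assumptions: the Release text has already passed the distro's signature check, the field names follow the Debian Release/Packages layout, and all sample data below is constructed.

```python
import hashlib

def parse_stanzas(text):
    """Parse 'Key: value' stanzas separated by blank lines (Packages index style)."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation of previous field
                fields[key] += "\n" + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def release_hashes(release_text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def matches(data, digest, size):
    """True only if both the byte count and the SHA-256 digest agree."""
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_download(release_text, index_path, index_bytes, pkg, deb_bytes):
    """release_text is assumed to have passed the distro signature check already."""
    digest, size = release_hashes(release_text).get(index_path, (None, -1))
    if not matches(index_bytes, digest, size):
        return "index rejected"
    for stanza in parse_stanzas(index_bytes.decode()):
        if stanza.get("Package") == pkg:
            ok = matches(deb_bytes, stanza.get("SHA256"), int(stanza.get("Size", -1)))
            return "accepted" if ok else "package rejected"
    return "package not in index"

# Constructed sample data, not a real archive.
GOOD_DEB = b"constructed package bytes as published by the distro"
ROGUE_DEB = b"constructed package bytes altered by a rogue LAN host"
GOOD_SUM, ROGUE_SUM = (hashlib.sha256(d).hexdigest() for d in (GOOD_DEB, ROGUE_DEB))
PACKAGES = (f"Package: hello\nVersion: 1.0\nSize: {len(GOOD_DEB)}\n"
            f"SHA256: {GOOD_SUM}\n").encode()
FORGED_PACKAGES = PACKAGES.replace(GOOD_SUM.encode(), ROGUE_SUM.encode())
RELEASE = (f"Suite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-all/Packages\n")
```

A rogue host that rewrites the index to match its own package is caught one step earlier, because the forged index no longer matches the hash listed in the signed Release file.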