Good point. The easiest way to secure it would be for the service to trust the other machines based on their root password. If they don't match, don't trust; if they do, then they're either controlled by the same person or at least one of the admins is a moron. I was also assuming you would only trust packages signed by your distro, in which case, even if someone broke into your house and put a machine on your network, its rogue packages would easily be detected and ignored.
Local repositories have to be set up, and maintained by people. The package manager is 'just there'. I'm surprised the main distros haven't came up with a clever way like this to save on their bandwidth bills.
On 9/20/07, Kyle Sexton ks@mocker.org wrote:
"Billy Crook" billycrook@gmail.com writes:
Has anyone ever heard of a package manager that 'scans' other machines
within its subnet or within specified subnets
for updates before using the official repositories? There would either
have to be some service advertisement protocol
lime MDNS or each machine would literally have to scan for a designated
port number listening for these requests on all
machines. Once they locate each other, the idea would be ome machine
downloads 500MB of updates from the repo, and
from there on, every other machine (with the same distro and arch) just
pulls from the faster local machine, rather
than using up inet bandwidth.
Any suggestions (Other than a dedicated local repository mirror)?
I haven't heard of anything like this before, but a problem I see is that you'd have to authenticate which of the servers are allowed to contain updates. Otherwise someone could put a box up w/ rouge packages and get them pushed out (granted package signing probably solves this a little).
Can I ask what the advantage of this as opposed to a local repository is?
-- Kyle Sexton