So I'm guessing the answer is: No, nobody has heard of a package manager that does this on its own.

On 9/20/07, Charles Steinkuehler < charles@steinkuehler.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Billy Crook wrote:
> Good point.  The easiest way to secure it would be for the service to
> trust the other machines based on their root password.  If they don't
> match, don't trust; if they do, then they're either controlled by the
> same person or at least one of the admins is a moron.  I was also
> assuming you would only trust packages signed by your distro, in which
> case, even if someone broke into your house and put a machine on your
> network, its rogue packages would easily be detected and ignored.

As long as the repository is properly secured against man in the middle
attacks you should be safe with the proxy approach I mentioned, or with
any other sort of distributed download/storage.  Exactly *HOW* the file
gets onto the system shouldn't matter to the verification tools.

And if the repository/packaging tools aren't secure against MitM
attacks, it's not really secure anyway (unless you know and trust every
link between you and the repository).

> Local repositories have to be set up, and maintained by people.  The
> package manager is 'just there'.  I'm surprised the main distros haven't
> came up with a clever way like this to save on their bandwidth bills.

Indeed.  And using a transparent proxy approach, it shouldn't be hard to
make a pre-configured proxy system that would require minimal setup on
the server side (how big and where would you like the repository cache),
and little or no setup on the client end (could require pointing to the
'local' repository or maybe even auto-discover).

This seems easy enough someone should throw together a debian package
for it.  Oh wait...why not look to see if someone else has done this
already?

$ apt-cache search apt cache
alevt - X11 Teletext/Videotext browser
approx - caching proxy server for Debian archive files
apt-cacher - caching proxy system for Debian package and source files
apt-file - APT package searching utility -- command-line interface
apt-move - Maintain Debian packages in a package pool
apt-proxy - Debian archive proxy and partial mirror builder
apt-rdepends - Recursively lists package dependencies
bmagic - C++ template library for efficient platform independent bitsets
gpsbabel - GPS file conversion plus transfer to/from GPS units
kio-apt - an apt-cache ioslave for KDE
libapt-pkg-perl - Perl interface to libapt-pkg
sg3-utils - Utilities for working with generic SCSI devices
wajig - simplified Debian package management front end

Looks like approx, apt-cacher, and apt-proxy all do what you're looking
for, with the caveat that files are stored on one machine, and not
distributed across all client systems.

- --
Charles Steinkuehler
charles@steinkuehler.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG8s/uLywbqEHdNFwRAlybAKDys2w9D8uT+M+Tnon/zMnUEeVr2QCfaJ/b
Qu/oHzqk/hLEkvvzCr6IGpM=
=dMt/
-----END PGP SIGNATURE-----