P2P Package Manager

Billy Crook billycrook at gmail.com
Thu Sep 20 15:39:19 CDT 2007


So I'm guessing the answer is: No, nobody has heard of a package manager
that does this on its own.

On 9/20/07, Charles Steinkuehler <charles at steinkuehler.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Billy Crook wrote:
> > Good point.  The easiest way to secure it would be for the service to
> > trust the other machines based on their root password.  If they don't
> > match, don't trust; if they do, then they're either controlled by the
> > same person or at least one of the admins is a moron.  I was also
> > assuming you would only trust packages signed by your distro, in which
> > case, even if someone broke into your house and put a machine on your
> > network, its rogue packages would easily be detected and ignored.
>
> As long as the repository is properly secured against man in the middle
> attacks you should be safe with the proxy approach I mentioned, or with
> any other sort of distributed download/storage.  Exactly *HOW* the file
> gets onto the system shouldn't matter to the verification tools.
>
> And if the repository/packaging tools aren't secure against MitM
> attacks, it's not really secure anyway (unless you know and trust every
> link between you and the repository).
>
> > Local repositories have to be set up, and maintained by people.  The
> > package manager is 'just there'.  I'm surprised the main distros haven't
> > come up with a clever way like this to save on their bandwidth bills.
>
> Indeed.  And using a transparent proxy approach, it shouldn't be hard to
> make a pre-configured proxy system that would require minimal setup on
> the server side (how big and where would you like the repository cache),
> and little or no setup on the client end (could require pointing to the
> 'local' repository or maybe even auto-discover).
>
> This seems easy enough someone should throw together a debian package
> for it.  Oh wait...why not look to see if someone else has done this
> already?
>
> $ apt-cache search apt cache
> alevt - X11 Teletext/Videotext browser
> approx - caching proxy server for Debian archive files
> apt-cacher - caching proxy system for Debian package and source files
> apt-file - APT package searching utility -- command-line interface
> apt-move - Maintain Debian packages in a package pool
> apt-proxy - Debian archive proxy and partial mirror builder
> apt-rdepends - Recursively lists package dependencies
> bmagic - C++ template library for efficient platform independent bitsets
> gpsbabel - GPS file conversion plus transfer to/from GPS units
> kio-apt - an apt-cache ioslave for KDE
> libapt-pkg-perl - Perl interface to libapt-pkg
> sg3-utils - Utilities for working with generic SCSI devices
> wajig - simplified Debian package management front end
>
> Looks like approx, apt-cacher, and apt-proxy all do what you're looking
> for, with the caveat that files are stored on one machine, and not
> distributed across all client systems.
>
> - --
> Charles Steinkuehler
> charles at steinkuehler.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG8s/uLywbqEHdNFwRAlybAKDys2w9D8uT+M+Tnon/zMnUEeVr2QCfaJ/b
> Qu/oHzqk/hLEkvvzCr6IGpM=
> =dMt/
> -----END PGP SIGNATURE-----
>
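The point Charles makes above, that it should not matter to the verification tools how a file reached the machine, is what makes a cache, proxy, or peer safe to use in the first place. The following is an added example, not code from the thread or from apt, approx, or apt-cacher: it walks the Debian-style trust chain (signed Release file -> Packages index pinned by hash -> .deb pinned by hash) over constructed sample data. The Release signature check, which apt performs with OpenPGP against the distro key, is represented here by a boolean argument so the example runs offline; the package name, paths, and bytes are made up for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not a real archive), laid out like a Debian
# repository: Release -> Packages index -> .deb. Only the Release file is
# signed (by the distro key); everything below it is pinned by hash, so the
# transport (mirror, proxy, peer) cannot change what the client will accept.

DEB_BYTES = b"constructed stand-in for demo-tool_1.0_all.deb"
DEB_PATH = "pool/main/d/demo-tool/demo-tool_1.0_all.deb"
INDEX_PATH = "main/binary-all/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(deb_bytes: bytes) -> bytes:
    # One stanza in the Packages format (RFC 822-style fields, blank-line separated).
    stanza = (
        "Package: demo-tool\n"
        "Version: 1.0\n"
        f"Filename: {DEB_PATH}\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n"
        "\n"
    )
    return stanza.encode()


def build_release(index_bytes: bytes) -> str:
    # Release lists each index with its hash and size under a SHA256: section.
    return (
        "Origin: Demo\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(index_bytes)} {len(index_bytes)} {INDEX_PATH}\n"
    )


def parse_release_hashes(release: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file."""
    hashes, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_section = False
    return hashes


def parse_packages(index_bytes: bytes) -> dict:
    """Return {Filename: stanza-fields} for every stanza in a Packages index."""
    result = {}
    for block in index_bytes.decode().strip().split("\n\n"):
        fields = dict(line.partition(": ")[::2] for line in block.splitlines())
        result[fields["Filename"]] = fields
    return result


def hash_matches(data: bytes, digest: str, size: int) -> bool:
    # Size check first, then a constant-time digest comparison.
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def check_download(release_sig_ok: bool, release: str,
                   index_bytes: bytes, deb_bytes: bytes) -> str:
    """Walk the trust chain; return 'ok' or the first failing link."""
    if not release_sig_ok:
        # Stand-in for apt's OpenPGP check of Release against the distro key.
        return "release signature invalid"
    entry = parse_release_hashes(release).get(INDEX_PATH)
    if entry is None or not hash_matches(index_bytes, *entry):
        return "Packages index hash mismatch"
    stanza = parse_packages(index_bytes).get(DEB_PATH)
    if stanza is None or not hash_matches(deb_bytes, stanza["SHA256"], int(stanza["Size"])):
        return "package hash mismatch"
    return "ok"


if __name__ == "__main__":
    index = build_packages_index(DEB_BYTES)
    release = build_release(index)
    print(check_download(True, release, index, DEB_BYTES))         # ok
    print(check_download(True, release, index, DEB_BYTES + b"!"))  # package hash mismatch
    # A rogue peer re-signing its own Release fails at the signature step;
    # one that swaps the index or the .deb fails at the hash step.
```

Because every link below the signed Release file is a hash, a rogue machine on the LAN (the scenario Billy raises above) can only serve bytes the client will reject, or bytes identical to what the distro published; it gains nothing from being in the path. The same reasoning is why approx and apt-cacher can sit between clients and the archive without being trusted themselves.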