
#26 2014-01-10 01:46:03

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,385

Re: package distribution through a bit torrent network

It is mostly me being an arse and also checking that signing continues to work as expected.  I use very little from [community] anyway:

allan@arya ~ 
> paclist community | wc -l
21


#27 2014-01-10 02:38:18

solar
Member
Registered: 2011-03-01
Posts: 77

Re: package distribution through a bit torrent network

urist wrote:

This would alienate a good chunk of users I assume, unless a few good mirrors do provide http access. I know my current university seems to block bittorrent.


I have been thinking of doing something like this as a spin off of pacman but I knew/know I don't have the time/capacity..

I would recommend a package manager.. (not just for Arch Linux, but for ALL LINUX ,p) based not on bit-torrent but on *git*... In fact, I think combining it with something a la Google's courgette is the future. :)

About time people start thinking a bit more on this.

Why git?

For obvious reasons.. one still has a 'head' or master, (TU/devs), but still decentralised. In times of rising fascism in US, and with the revelations of the massive spendings on subterfuge on all technology, this is needed.

This layout should have concentric rings of outgoing trust .. but since we put package signing when we/they did into arch, we deffo can see this happen. This was part of a project I initially wanted to pass by Ioni but a lot of stuff happened on my end and had to ditch a lot of things in real life.

Good to see some people thinking a bit about it, keep it up.


I am hilariously insane. yup. you won't notice though.. I promise...I think.


#28 2014-01-10 02:48:38

solar
Member
Registered: 2011-03-01
Posts: 77

Re: package distribution through a bit torrent network

PS. Xyne is someone also who I always imagined is someone I would like to mention that to.



#29 2014-01-12 16:29:38

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: package distribution through a bit torrent network

I strongly agree that decentralization is the future if we wish to preserve an open internet that resists increasing censorship around the globe in the name of protecting us from the bogeyman of the week, but that is a discussion for another board as it falls foul of our rules here. My own hope is to see the rise of generic public-key encrypted p2p networks and I have some ideas of my own for implementing one, but my time is frustratingly limited and such a project would require considerable deliberation to ensure its security.

Git may be a good idea for distributing package metadata. Multiple users could verify the data and sign it if they trust it. Signers could then build the package and release it along with a signature and signed metadata (e.g. file list with checksums) that could be compared to the data from other signers. That would make it much more difficult for someone to inject malicious packages into the ecosystem as they would need to corrupt or coerce several people. As it is now, even with PGP and sign-offs, I am sure there are ways to force the core devs to release malicious code through binary packages.

Ultimately the perfect system is unattainable in practice. To truly trust a package, you need to trust every single line of source code, the compiler, every single dependency, the packager, the signing system, and possibly even the distribution system, with the trust requirement applied recursively. That in turn delegates a significant amount of trust to the technical skills and attentiveness of far too many people (obfuscated C contests have shown us just how difficult it can be to detect the true function of code). All of that may be moot if the hardware itself has been compromised at the manufacturer level. Compromised compilers are also a real possibility. If someone with sufficient resources wants to get you, they will.


My Arch Linux Stuff  •  Forum Etiquette  •  Community Ethos - Arch is not for everyone
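The comparison step described in the post above (several signers each publish a file list with checksums, and a package is accepted only if enough of them agree), as an added example that is not part of the original thread or any Arch tooling. It assumes each manifest's signature was already verified (for instance with gpg) and that builds are reproducible, so honest signers produce identical checksums; the signer names and file paths are constructed.

```python
import hashlib
import json
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest_digest(manifest: dict) -> str:
    """Canonical digest of a {path: sha256} file list, independent of key order."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())

def diff_manifests(reference: dict, other: dict) -> list:
    """Paths that are missing, extra, or carry a different checksum."""
    return sorted(p for p in reference.keys() | other.keys()
                  if reference.get(p) != other.get(p))

def quorum_check(manifests: dict, threshold: int) -> dict:
    """manifests maps signer -> {path: sha256}; signatures are assumed
    to have been verified before this function is called."""
    if not manifests:
        raise ValueError("no signed manifests supplied")
    groups = defaultdict(list)
    for signer, manifest in manifests.items():
        groups[manifest_digest(manifest)].append(signer)
    # Largest group of signers that published byte-identical file lists.
    digest, agreeing = max(groups.items(), key=lambda kv: len(kv[1]))
    accepted = len(agreeing) >= threshold
    reference = manifests[agreeing[0]]
    # For every signer outside that group, list exactly which files differ.
    dissent = {s: diff_manifests(reference, m)
               for s, m in manifests.items() if s not in agreeing}
    return {"accepted": accepted,
            "digest": digest if accepted else None,
            "agreeing": sorted(agreeing),
            "dissent": dissent}

# Constructed sample: two builders agree, a third ships a different binary.
GOOD = {"usr/bin/foo": sha256_hex(b"foo binary"),
        "usr/share/doc/foo/README": sha256_hex(b"readme")}
TAMPERED = dict(GOOD, **{"usr/bin/foo": sha256_hex(b"foo binary + extra")})
SAMPLE = {"signer_a": GOOD, "signer_b": dict(GOOD), "signer_c": TAMPERED}

if __name__ == "__main__":
    print(json.dumps(quorum_check(SAMPLE, threshold=2), indent=2))
```

With a threshold of 2 the package is accepted and `signer_c` is reported as differing on `usr/bin/foo`; raising the threshold to 3 rejects it, which is the "corrupt or coerce several people" property the post describes.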


#30 2014-01-16 16:49:49

solar
Member
Registered: 2011-03-01
Posts: 77

Re: package distribution through a bit torrent network

Ye, the worse potential culprit is, Ken Thompson's famous trusting trust: http://cm.bell-labs.com/who/ken/trust.html

Yes, it is frustrating.. we *know* we are now f**** by getting these very good intel chips which are so amazingly cheap now, we *know* we are screwed by dropbox, smartphones, android, ms, and all the 'syncing'.. we *know* it is one of the greatest misinterpretations ever in the interweb history, to have said: "google is your friend".. yet, how functions are we to keep trying avoiding it? I did for a long time, but ironically, now I am purposefully leaving far more tracks..nvm why.

True though, it is political discussions not for here.

SO to get back to you... I am glad you liked the git idea.. and yes.. I had in mind similar 'rings of trust' where, master is run by the distro devs etc.. but yet, one can easier add, remove , verify various own chains or packages etc etc.

But, I just want to say Xyne.. every time I am hacking away at something, you have already made it.. each time I see something you have made, I feel a mirrored way of logic with arch. :)

This is a pure and simple set of compliments, and if I were a better coder, I would happily offer my time to join and aid you in any you would need help in and so on :)

My problem is, I am a horrendous coder and my hacks are so absurd; yet my code gets always so messy it takes the cake ,)

Either way... I have no doubt, we share very similar ideas on which principles are needed for the future as such.

Sure, I might be a bit more vocal on my critique and probably we are speaking from two sides of the fence on the nationality at question in particular but ok.


Nevertheless, I think a group of devs will soon enough understand that a git-like package manager is a new paradigm which will emerge (along with a lot more considerations of course).



#31 2014-01-16 17:40:49

solar
Member
Registered: 2011-03-01
Posts: 77

Re: package distribution through a bit torrent network

For historical purposes for youngsters, let me add a quote by Ken Thompson from 1984:

"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)"

Present: Ken Thompson works for Google, and is known for, amongst other things, inventing the language you can trust... Go. (oh wait, is vala then potentially sketchy?).

The annoyance is I don't have a very old 64 bit machine which I haven't patched with a ucode update at least once hmm

I can also add, that when tdl4 was discovered.. the first rootkit to break the windows 64 bit kernel... as usual, this advanced program was blamed on russia, nigeria, china whoever... but Norton released the original ip .. and by backtracking it took me only 30 mins to end up in guess where... a special needs school in Redmond.. turns out 5 people were on indictment in US (lawyers of course), who were the owner of the building from that ip.. and was a former NSA datacentre LOL.... also, in that same school building.. was the Washington Republican party.. doh... and guess what *all* the surrounding companies were.. all hard core, software companies near Microsoft... oh it would have been hilarious had it not been so tragic, given our recent century's history.

Last edited by solar (2014-01-16 17:44:01)



#32 2014-01-16 20:18:21

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: package distribution through a bit torrent network

Let's keep the focus on technology please https://wiki.archlinux.org/index.php/Fo … ial_Topics


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438
