Gentoo desktop?

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Mon Jan 21 18:20:22 UTC 2008


On Mon, Jan 21, 2008 at 01:54:22PM +0100, Christopher Friedt wrote:
> Since we've all been talking about gentoo's excessive CPU consumption on 
> the global scale, and the concept of decentralized binary package 
> repositories, does anyone have any decent idea of how such a thing would 
> be modelled in a more-or-less secure fashion?
> 
> It would be nice to hear some ideas. Now is the time too, since the 
> gentoo council might be reformed shortly.

Well, Debian provides binaries with both MD5 and SHA1 checksums on the
packages, as well as MD5s of each file within the package, and gpg
signatures on each package from them.

Now you either trust the Debian maintainers or you don't.

Similarly with Gentoo, checksum and sign each package when it is made,
and then you either trust the Gentoo maintainers or you don't.  If you
don't then you can't use the source code from them either or their
stage1 compiler or anything else, since you have no reason to trust one
if you don't trust the other, unless you personally verify every line of
code, and check the binary of the compiler instruction for instruction,
which I don't believe ANY Gentoo user has done.

So essentially this comes down to having nothing to do with security and
trust but simply a change in philosophy away from the idea that everyone
should be compiling everything themselves with random options enabled
along with random compiler flags.  The result is saved time for
installing software, better testing (since lots of people will test the
same configuration and build), and less waste.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
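
Added example, not part of the message above and not Debian or Gentoo tooling: checking a binary package fetched from an untrusted mirror against the digests in a maintainer-published index. It assumes the index was already authenticated by its gpg signature (not shown); the field names follow Debian's Packages index, and the package name, path and contents are constructed.

```python
import hashlib
import hmac

# Digest fields of a Debian-style Packages stanza -> hashlib algorithm names.
DIGEST_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_index(text):
    """Parse 'Field: value' stanzas separated by blank lines, keyed by Filename."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        index[fields["Filename"]] = fields
    return index

def verify_package(index, filename, blob):
    """Return (ok, reason) for bytes served by a mirror we do not trust."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in signed index"
    if len(blob) != int(entry["Size"]):  # cheap check before hashing
        return False, "size mismatch"
    checked = 0
    for field, algo in DIGEST_FIELDS.items():
        if field in entry:
            actual = hashlib.new(algo, blob).hexdigest()
            if not hmac.compare_digest(actual, entry[field].lower()):
                return False, field + " mismatch"
            checked += 1
    if checked == 0:  # an entry without digests proves nothing
        return False, "no digest in index entry"
    return True, "verified against %d digest(s)" % checked

# Constructed sample data: a fake package and the index a maintainer would sign.
GOOD = b"constructed example package contents\n"
NAME = "pool/hello_1.0_amd64.deb"
SAMPLE_INDEX = "\n".join([
    "Package: hello",
    "Filename: " + NAME,
    "Size: %d" % len(GOOD),
    "SHA1: " + hashlib.sha1(GOOD).hexdigest(),
    "SHA256: " + hashlib.sha256(GOOD).hexdigest(),
])

if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    print(verify_package(idx, NAME, GOOD))                  # intact copy
    print(verify_package(idx, NAME, GOOD[:-1] + b"!"))      # same size, altered
    print(verify_package(idx, "pool/other_1.0.deb", GOOD))  # not in the index
```

Because every check is made against the signed index, the mirror serving the bytes needs no trust of its own; only the signer does.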




