Pristine source archive

Glenn McGrath bug1 at optushome.com.au
Tue Apr 16 13:25:27 UTC 2002


On Mon, 15 Apr 2002 11:03:47 -0400
"Dale E Martin" <dmartin at cliftonlabs.com> wrote:

> My thoughts about this proposal in general:
> 
> 1) Distros won't want to upgrade simultaneously, so you'll end up with
> many versions of each application in the upstream repository.  I.e. the
> union of all of the current archives (minus the duplication, of course,
> which is the current "problem" in the proposer's view.)
> 
> 2) Not every distro uses the same set of tools, so you might end up with
> a bunch of different upstreams of the same applications.  Certain tools
> (like "procps") seem like they have wide variance between distros -
> perhaps even being totally different upstream.
> 
Good point, that could be a problem, hadn't thought of that.

> 3) The upstream repository would need more bandwidth than any current
> distro's source repository, since it would be getting mauled by the
> users of all of the distros.
> 
For a site that was already mirroring the source of those distros it
shouldn't have a major effect on bandwidth.

> 4) The source repository is a critical bit of infrastructure to any
> distro, and you'd be taking it out of their control.  I'm thinking most
> of the distros would not like that, particularly the commercial ones.
> 
Distros that are participating would have to have upload rights to the
master site; deciding when to remove an app would be more of a problem,
as there would have to be some automated way of determining when the source
is no longer required.

> 5) The current distributed nature is a benefit in many ways - redundancy
> being one of them...
> 
> One of the things that would be cool about the proposal would be that
> the baseline tools common to all distros might be agreed upon, and then
> security auditing might be easier.  Basically if everyone agreed that
> "sysvinit" version 2.84 was golden within some time period, then each
> distro could have some resources dedicated to security audits of the
> code. The proposed arrangement might make it easier to see the common
> codebases and track the usage...
> 

A cleaner separation between upstream source and the distribution-modified
source would make it easier to audit the patches distributions add as
well, which is possibly a more dangerous place for an exploit to reside.

You raise some good points, I will need to look into it in more depth, try
and work out more closely what the composition of such an archive would end
up being.


Thanks

Glenn