[aur-general] bit torrent AUR
Howdy,
The recent AUR migration got me to wondering how difficult it would be to set up the AUR as a p2p model with something like bit torrent. I am not at this point even suggesting that it be implemented, I am more just curious about the challenges of such a thing.
Thinking about it, there would have to be some kind of security process in place to make sure PKGBUILDs were not modified and retrieved from only one source. Maybe a way to mark certain machines as trusted, and/or setting a minimum of distributers that must agree on the validity of the PKGBUILD in question.
I am by no means an expert on this stuff but if something like this were done, and if it worked, it could even be expanded to community packages as well, meaning that any machine with a cache could also serve as a mirror for those packages. So, is something like this feasible?
Thanks, Storm
--
⛈🐲 Accessible low cost computers for everyone! https://stormux.org
Get my public PGP key: gpg --recv-key 43DDC193
The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones.
"I've seen the tempest in darkest nights
I've faced the eyes of Thor"
Stormwarrior - Heading Northe
On July 25, 2020 5:06:01 AM UTC, Storm Dragon via aur-general <aur-general@archlinux.org> wrote:
> Howdy,
> The recent AUR migration got me to wondering how difficult it would be to set up the AUR as a p2p model with something like bit torrent. I am not at this point even suggesting that it be implemented, I am more just curious about the challenges of such a thing.
> Thinking about it, there would have to be some kind of security process in place to make sure PKGBUILDs were not modified and retrieved from only one source. Maybe a way to mark certain machines as trusted, and/or setting a minimum of distributers that must agree on the validity of the PKGBUILD in question.
> I am by no means an expert on this stuff but if something like this were done, and if it worked, it could even be expanded to community packages as well, meaning that any machine with a cache could also serve as a mirror for those packages. So, is something like this feasible?
> Thanks, Storm
Probably feasible, but it'd be a pain in the ass to update PKGBUILDs for AUR packages and so, not really a great idea. Plus, git already does most of what's needed. Likely, anyone could set up a mirror for the AUR by crawling through it and cloning all the packages, so it's really only centralized because no one bothers mirroring it. I really don't see why you'd want to share it over bit torrent to be honest.
On Sat, Jul 25, 2020 at 08:49:03AM +0000, Kusoneko wrote:
> Probably feasible, but it'd be a pain in the ass to update PKGBUILDs for AUR packages and so, not really a great idea. Plus, git already does most of what's needed. Likely, anyone could set up a mirror for the AUR by crawling through it and cloning all the packages, so it's really only centralized because no one bothers mirroring it. I really don't see why you'd want to share it over bit torrent to be honest.
Ah, that makes sense, especially with trying to make it secure. Once a PKGBUILD is updated, it would have to be updated on several instances before it would be considered valid. The idea of mirroring based on git sounds interesting though.
Thanks, Storm
--
⛈🐲 Accessible low cost computers for everyone! https://stormux.org
Get my public PGP key: gpg --recv-key 43DDC193
The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones.
"Listen up to ancient tales of monsters, zombies, ghosts
'bout creatures rising from the graves to haunt the living world"
The Other - Beware of Ghouls
Also, the AUR only contains the PKGBUILD and associated files (text files). You wouldn't see much benefit there. The real bandwidth usage is in downloading the source file, and there's no way to do that over torrent.
On Sat, Jul 25, 2020, 4:13 AM Storm Dragon via aur-general <aur-general@archlinux.org> wrote:
> On Sat, Jul 25, 2020 at 08:49:03AM +0000, Kusoneko wrote:
>> Probably feasible, but it'd be a pain in the ass to update PKGBUILDs for AUR packages and so, not really a great idea. Plus, git already does most of what's needed. Likely, anyone could set up a mirror for the AUR by crawling through it and cloning all the packages, so it's really only centralized because no one bothers mirroring it. I really don't see why you'd want to share it over bit torrent to be honest.
> Ah, that makes sense, especially with trying to make it secure. Once a PKGBUILD is updated, it would have to be updated on several instances before it would be considered valid. The idea of mirroring based on git sounds interesting though.
> Thanks, Storm
On 25/07/2020 10:49, Kusoneko wrote:
> On July 25, 2020 5:06:01 AM UTC, Storm Dragon via aur-general <aur-general@archlinux.org> wrote:
>> Howdy,
>> The recent AUR migration got me to wondering how difficult it would be to set up the AUR as a p2p model with something like bit torrent. I am not at this point even suggesting that it be implemented, I am more just curious about the challenges of such a thing.
>> Thinking about it, there would have to be some kind of security process in place to make sure PKGBUILDs were not modified and retrieved from only one source. Maybe a way to mark certain machines as trusted, and/or setting a minimum of distributers that must agree on the validity of the PKGBUILD in question.
>> I am by no means an expert on this stuff but if something like this were done, and if it worked, it could even be expanded to community packages as well, meaning that any machine with a cache could also serve as a mirror for those packages. So, is something like this feasible?
>> Thanks, Storm
> Probably feasible, but it'd be a pain in the ass to update PKGBUILDs for AUR packages and so, not really a great idea. Plus, git already does most of what's needed. Likely, anyone could set up a mirror for the AUR by crawling through it and cloning all the packages, so it's really only centralized because no one bothers mirroring it. I really don't see why you'd want to share it over bit torrent to be honest.
If you want to set up a mirror, talk with arch-devops on either irc/mail. Don't abuse our services please :)
On Sat, Jul 25, 2020 at 9:07 AM Storm Dragon via aur-general <aur-general@archlinux.org> wrote:
> Howdy,
> The recent AUR migration got me to wondering how difficult it would be to set up the AUR as a p2p model with something like bit torrent. I am not at this point even suggesting that it be implemented, I am more just curious about the challenges of such a thing.
> Thinking about it, there would have to be some kind of security process in place to make sure PKGBUILDs were not modified and retrieved from only one source. Maybe a way to mark certain machines as trusted, and/or setting a minimum of distributers that must agree on the validity of the PKGBUILD in question.
> I am by no means an expert on this stuff but if something like this were done, and if it worked, it could even be expanded to community packages as well, meaning that any machine with a cache could also serve as a mirror for those packages. So, is something like this feasible?
> Thanks, Storm
Using P2P for repository packages (like core, extra, community etc.) seems like a good idea. For the AUR, it means that there need to be trusted machines building AUR packages and generating hashes for them, basically the same amount of work as just making a new repository containing all the packages in the AUR.
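The "minimum number of trusted distributors must agree" idea from the first message, and the update delay noted in the follow-up, sketched as an added example (not code from the thread or from any AUR tooling). The peer names, the trust list, the quorum values and the sample PKGBUILD contents are all constructed assumptions.

```python
import hashlib
from collections import Counter

def select_pkgbuild(copies, trusted, quorum):
    """Return the PKGBUILD bytes that at least `quorum` distinct trusted peers
    serve byte-for-byte identically, or None if no single version qualifies.

    copies  -- dict: peer id -> PKGBUILD bytes fetched from that peer
    trusted -- set of peer ids allowed to vote (hypothetical trust list)
    """
    votes = Counter()
    by_digest = {}
    for peer, data in copies.items():
        if peer not in trusted:
            continue  # untrusted peers can serve data but never vote
        d = hashlib.sha256(data).hexdigest()
        votes[d] += 1
        by_digest[d] = data
    winners = [d for d, n in votes.items() if n >= quorum]
    if len(winners) != 1:
        return None  # no quorum, or two versions both reached it
    return by_digest[winners[0]]

# Constructed sample data (not real AUR content).
OLD = b"pkgname=demo\npkgver=1.0\nsource=('https://example.org/demo-1.0.tar.gz')\n"
NEW = OLD.replace(b"1.0", b"1.1")
TAMPERED = OLD.replace(b"example.org", b"example.net")
TRUSTED = {"peer-a", "peer-b", "peer-c"}

if __name__ == "__main__":
    # Many untrusted peers serving a modified file cannot outvote two trusted ones.
    swarm = {"peer-a": OLD, "peer-b": OLD, "x1": TAMPERED, "x2": TAMPERED, "x3": TAMPERED}
    print(select_pkgbuild(swarm, TRUSTED, 2) == OLD)
    # Update window: only peer-a has 1.1 so far, so the stale 1.0 still wins.
    mid_update = {"peer-a": NEW, "peer-b": OLD, "peer-c": OLD}
    print(select_pkgbuild(mid_update, TRUSTED, 2) == OLD)
```

With a quorum of 2 out of 3, a freshly pushed version is ignored until a second trusted peer carries it; raising the quorum to 3 rejects both versions during that window.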
participants (5)
- Jeff Hubbard
- Jelle van der Waa
- Kusoneko
- Nick Shvelidze
- Storm Dragon