So I'm guessing the answer is: No, nobody has heard of a package manager that does this on its own.
On 9/20/07, Charles Steinkuehler [email protected] wrote:
Billy Crook wrote:
Good point. The easiest way to secure it would be for the service to trust the other machines based on their root password. If they don't match, don't trust; if they do, then they're either controlled by the same person or at least one of the admins is a moron. I was also assuming you would only trust packages signed by your distro, in which case, even if someone broke into your house and put a machine on your network, its rogue packages would easily be detected and ignored.
As long as the repository is properly secured against man-in-the-middle attacks you should be safe with the proxy approach I mentioned, or with any other sort of distributed download/storage. Exactly *HOW* the file gets onto the system shouldn't matter to the verification tools.
And if the repository/packaging tools aren't secure against MitM attacks, it's not really secure anyway (unless you know and trust every link between you and the repository).
Local repositories have to be set up, and maintained by people. The package manager is 'just there'. I'm surprised the main distros haven't come up with a clever way like this to save on their bandwidth bills.
Indeed. And using a transparent proxy approach, it shouldn't be hard to make a pre-configured proxy system that would require minimal setup on the server side (how big and where would you like the repository cache), and little or no setup on the client end (could require pointing to the 'local' repository or maybe even auto-discover).
This seems easy enough someone should throw together a Debian package for it. Oh wait...why not look to see if someone else has done this already?
$ apt-cache search apt cache
alevt - X11 Teletext/Videotext browser
approx - caching proxy server for Debian archive files
apt-cacher - caching proxy system for Debian package and source files
apt-file - APT package searching utility -- command-line interface
apt-move - Maintain Debian packages in a package pool
apt-proxy - Debian archive proxy and partial mirror builder
apt-rdepends - Recursively lists package dependencies
bmagic - C++ template library for efficient platform independent bitsets
gpsbabel - GPS file conversion plus transfer to/from GPS units
kio-apt - an apt-cache ioslave for KDE
libapt-pkg-perl - Perl interface to libapt-pkg
sg3-utils - Utilities for working with generic SCSI devices
wajig - simplified Debian package management front end
Looks like approx, apt-cacher, and apt-proxy all do what you're looking for, with the caveat that files are stored on one machine, and not distributed across all client systems.
Charles Steinkuehler [email protected]