The urge to maintain binary packages

[DutchDaemon]

This has now gone way off-topic. Either wrap this up or take it to a new topic.

 

[piggy]

This has now gone way off-topic. Either wrap this up or take it to a new topic.

I do agree this thread is going OT, then I'm not agree it is solved. It will be solved when Freebsd foundation do have a binary manager. So it is not solved.

 

[vermaden]

There is also other 'temporary sollution' for that problem (binary updates).

Use pkg_upgrade from sysutils/bsdadminscripts to update single packages (pkg_upgrade -r -R mplayer) or whole collection of packages (pkg_upgrade -a -C), it will grab latest available packages built for the STABLE tree.

Other sollution is to use portmaster but only when recompiling is needed (audio/lame for example) or when portaudit will show some vulnerabilities and binary package is still not built.

Other useful command is to use portmaster --check-depends after pkg_upgrade work is done.

I generally check for new packages like that:
# portsnap fetch update (update the Ports tree)
# portmaster -L --index-only | grep -i ' new ' (check what new versions are available)
# portaudit -Fda (check vulnerabilities)
# pkg_updating -d $( ls -ltr -D '%Y%m%d' /var/db/pkg | awk 'END{print $6}' ) (check notes from /usr/ports/UPDATING)

... then update everything that really needed to be updated (not only because the are newer versions) with

# pkg_upgrade -a -C (update everything binary)
# portmaster --check-depends (fix +REQUIRED_BY dependencies)

... or by source way if there is no other way, for all newer packages:

# portmaster -y --no-confirm -a --packages-if-newer -m 'BATCH=yes' -d
# portmaster --check-depends"

... or just a single port/package:

# portmaster -y --no-confirm --packages-if-newer -m 'BATCH=yes' -d ${NAME}
# portmaster --check-depends"

 

[jrm@]

How do you think, the issues of users submitting malware could be minimized?

I don't know, that's why I asked.

Right now we are trusting someone associated with the project who builds packages and puts them on FreeBSD servers. Yes, that's a heck of a lot better than trusting a package submitted by some random user. But, I just (naively) thought that with all those idle CPUs out there and the need for packages there might be some solution. Our group has a cluster with over a 100 CPUs and there are days when they are all idle. I would love to be able to donate packages, if I could somehow get credentials/trust to do so.

The problem reminds me off some chatter a few years back about distributed compilation over networks.

In the meantime, like others have suggested, build servers are pretty helpful. I just do:

On the build server:
% sudo portsnap fetch update; pkg_version -Ivl'<' # check for new ports
% sudo portmaster -g <some_big_port>,
make /usr/ports/packages web accessible

On the slow boxes:
% sudo portsnap fetch update
% sudo env PACKAGESITE="http://<buildserver>/pkg/" portmaster -PP <some_big_port>.

 

[SirDice]

But, I just (naively) thought that with all those idle CPUs out there and the need for packages there might be some solution. Our group has a cluster with over a 100 CPUs and there are days when they are all idle. I would love to be able to donate packages, if I could somehow get credentials/trust to do so.

Hmmm... Instead of Folding@Home we could have Packaging@Home :e

 

[ahavatar]

It's a logistics problem. Some ports are stand-alone and it's doable almost in real time to offer binary packages, but a port like perl - all the ports depending on it need to be updated, and there are hundreds of ports depending on perl. Doing such many ports real time is a serious business(tm).