Suse has for so long offered their packages through a FTP, and now it even offers more packages in the repository than in the CDs/DVD. But the problem is the people couldn't contribute RPM packages as in other distros. Let's say, for example, Mandriva. As long as I have seen, it has a contrib repository where you can become a contributor and commit RPM packages. Now that openSUSE has come, I think it would be cool to create a contrib repository where the people could join and maintain their packages. There would still be an officially supported repository like now, but whoever wanted could ask the repository organizers for permission to take a particular package if nobody is responsible for it or if it doesn't exist, and maintain it. That way the contrib repository could contain packages not included in the main repository, so the people would have a lot more packages available for Suse. That would contribute to create a packagers community and having much more packages might improve the market share of Suse. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
Hi, On Wednesday, August 10, 2005 at 19:15:43, Víctor Fernández Martínez wrote:
Suse has for so long offered their packages through a FTP, and now it even offers more packages in the repository than in the CDs/DVD. But the problem is the people couldn't contribute RPM packages as in other distros. Let's say, for example, Mandriva. As long as I have seen, it has a contrib repository where you can become a contributor and commit RPM packages. Now that openSUSE has come, I think it would be cool to create a contrib repository where the people could join and maintain their packages. There would still be an officially supported repository like now, but whoever wanted could ask the repository organizers for permission to take a particular package if nobody is responsible for it or if it doesn't exist, and maintain it. That way the contrib repository could contain packages not included in the main repository, so the people would have a lot more packages available for Suse. That would contribute to create a packagers community and having much more packages might improve the market share of Suse.
We have a great concept "in mind" that will takle exactly this "problem". See the Roadmap (http://opensuse.org/index.php/Roadmap) Early 2006 A first version of the openSUSE build server will appear. Everyone will be able to build and provide packages for the openSUSE community. Henne -- Henne Vogelsang, Subsystems "Rules change. The Game remains the same." - Omar (The Wire)
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Suse has for so long offered their packages through a FTP, and now it even offers more packages in the repository than in the CDs/DVD. But the problem is the people couldn't contribute RPM packages as in other distros. Let's say, for example, Mandriva. As long as I have seen, it has a contrib repository where you can become a contributor and commit RPM packages.
Yes, you are right, this is not sufficient. We do work on a solution for this, which will be the build server in early next year.
Now that openSUSE has come, I think it would be cool to create a contrib repository where the people could join and maintain their packages. There would still be an officially supported repository like now, but whoever wanted could ask the repository organizers for permission to take a particular package if nobody is responsible for it or if it doesn't exist, and maintain it. That way the contrib repository could contain packages not included in the main repository, so the people would have a lot more packages available for Suse. That would contribute to create a packagers community and having much more packages might improve the market share of Suse.
For now it is only possible to create an own YaST repository: http://opensuse.org/index.php/Installation_Sources (YUM repos should also work now). I want to create a Wiki page today listing the existing additional repositories in this world. That can get extended than by everyone. Yes, this can't be the default solution for the long run. And it won't be :) bye adrian -- Adrian Schroeter SuSE AG, Maxfeldstr. 5, 90409 Nuernberg, Germany email: adrian@suse.de
El Jueves, 11 de Agosto de 2005 10:38, Adrian Schroeter escribió:
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Suse has for so long offered their packages through a FTP, and now it even offers more packages in the repository than in the CDs/DVD. But the problem is the people couldn't contribute RPM packages as in other distros. Let's say, for example, Mandriva. As long as I have seen, it has a contrib repository where you can become a contributor and commit RPM packages.
Yes, you are right, this is not sufficient. We do work on a solution for this, which will be the build server in early next year.
And that's great.
Now that openSUSE has come, I think it would be cool to create a contrib repository where the people could join and maintain their packages. There would still be an officially supported repository like now, but whoever wanted could ask the repository organizers for permission to take a particular package if nobody is responsible for it or if it doesn't exist, and maintain it. That way the contrib repository could contain packages not included in the main repository, so the people would have a lot more packages available for Suse. That would contribute to create a packagers community and having much more packages might improve the market share of Suse.
For now it is only possible to create an own YaST repository:
Well, I already have a YaST repository. ;) It's not very serious and I haven't signed the packages with GPG yet but now I know how so I'll do it soon. If you're curious: http://www.polinux.upv.es/~vfernandez/suse/ But I would like to contribute my RPMs in a more serious way. I'll have to wait.
(YUM repos should also work now). I want to create a Wiki page today listing the existing additional repositories in this world. That can get extended than by everyone.
Yes, this can't be the default solution for the long run. And it won't be :)
Good idea anyway. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
Where do I find a tutorial on compiling OpenSUSE from source? I'd like to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks. If there's no tutorial - is there one on compiling SUSE? Anything else I need to know? RP
You may use y2pmbuild to recompile the packages. It's included in the package "y2pmsh". Perhaps tweaking the .rpmrc in a way like this you can make the packages compile for i686 by default: buildarchtranslate: i386: i686 buildarchtranslate: i486: i686 buildarchtranslate: i586: i686 buildarchtranslate: i686: i686 But I don't think you're going to see any difference from the default compilation for i586. Tweaking things like hdparm will probably have more impact in the performance. BTW, I get DMA disabled in Suse 9.3 by default when I install it. I really wonder why. :S El Jueves, 11 de Agosto de 2005 11:08, Renegade Penguin escribió:
Where do I find a tutorial on compiling OpenSUSE from source? I'd like to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks.
If there's no tutorial - is there one on compiling SUSE?
Anything else I need to know?
RP
-- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
I use an /etc/rpmrc optflags: i686 -O2 -mtune=i686 -march=i686 -fomit-frame-pointer -funroll-loops -fforce-mem -fforce-addr -fexpensive-optimizations optflags: i586 -O2 -mtune-i686 -march=i686 -fomit-frame-pointer -funroll-loops -fforce-mem -fforce-addr -fexpensive-optimizations ############################################################# # Canonical arch names and numbers arch_canon: i686: i686 1 ############################################################# # Canonical OS names and numbers os_canon: Linux: Linux 1 ############################################################# # For a given uname().machine, the default build architecture buildarchtranslate: i686: i686 buildarchtranslate: i586: i686 ############################################################# # Architecture compatibility arch_compat: i686: i686 buildarch_compat: i686: i686
From my experience the difference comes in "snappyness" of the desktop and much faster performance on starting applications. Personally I have done tests that show an up to 200%+ performance increase (based on tests /comparisons we did with Yoper a while back). Depending of course on which distro you compare it too.
vfernandez@polinux.upv.es 08/11/05 9:23 pm >>> You may use y2pmbuild to recompile the packages. It's included in the package "y2pmsh". Perhaps tweaking the .rpmrc in a way like this you can make the
Don't forget that in i686 you have all those nice little features like mmx and 3dnow, which make GUI applications just so much faster. From real life experience with Yoper/Gentoo I can only say that I can't wait to have my SuSE optimised. One could actually just optimise glibc, xorg, kde, qt, firefox and the majour gnome libs, plus kernel (with performance patches) and probably get really close without having to recompile the whole distro. IMHO ...... of course. packages compile for i686 by default: buildarchtranslate: i386: i686 buildarchtranslate: i486: i686 buildarchtranslate: i586: i686 buildarchtranslate: i686: i686 But I don't think you're going to see any difference from the default compilation for i586. Tweaking things like hdparm will probably have more impact in the performance. BTW, I get DMA disabled in Suse 9.3 by default when I install it. I really wonder why. :S El Jueves, 11 de Agosto de 2005 11:08, Renegade Penguin escribió:
Where do I find a tutorial on compiling OpenSUSE from source? I'd like to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks.
If there's no tutorial - is there one on compiling SUSE?
Anything else I need to know?
RP
-- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org. --------------------------------------------------------------------- To unsubscribe, e- mail: opensuse- unsubscribe@opensuse.org For additional commands, e- mail: opensuse- help@opensuse.org
On Thursday, 11. August 2005 11:08, Renegade Penguin wrote:
Where do I find a tutorial on compiling OpenSUSE from source? I'd like to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks.
If there's no tutorial - is there one on compiling SUSE?
Anything else I need to know?
just FYI: by default all packages where build with i586. i dont think you gain much speed ups with switching to i686. the most important packages are shipped with arch i686 anyway just my 2 cents darix
mrueckert@suse.de 08/11/05 9:54 pm >>> On Thursday, 11. August 2005 11:08, Renegade Penguin wrote: Where do I find a tutorial on compiling OpenSUSE from source? I'd
Have been running and testing 686 distros and have been running 586 ones and with all nice features i686 cpu's have mmx 3dnow and so on I would think that on a GUI level the increase is staggering. From a server perspective it is probably as you say. like
to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks.
If there's no tutorial - is there one on compiling SUSE?
Anything else I need to know?
just FYI: by default all packages where build with i586. i dont think you gain much speed ups with switching to i686. the most important packages are shipped with arch i686 anyway just my 2 cents darix --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org
On Thu, Aug 11, 2005 at 03:26:08PM -0600, Andreas Girardet wrote:
Have been running and testing 686 distros and have been running 586 ones and with all nice features i686 cpu's have mmx 3dnow and so on I would think that on a GUI level the increase is staggering. From a server perspective it is probably as you say.
First, we already compile with -march=i586 -mtune=i686 (instruction set i586, but schedule instructions for i686) Also, just enabling -mtune=i686 -march=i686 will not magically add MMX or 3DNOW or SSE instructions to the code. (gcc 4.0 lacks the auto vectorizer that will be to some degree in 4.1.) -fomit-frame-pointer might give the most speedup on x86, but lead to less debuggable programs. In general the problem with "slowness" usually does not lie in the compiler options, but in the general algorithms used by the applications, memory usage etc. Ciao, Marcus
On Fri, Aug 12, 2005 at 5:30 pm, in message <20050812053046.GA14401@suse.de>, meissner@suse.de wrote: On Thu, Aug 11, 2005 at 03:26:08PM - 0600, Andreas Girardet wrote: Have been running and testing 686 distros and have been running 586 ones and with all nice features i686 cpu's have mmx 3dnow and so on I would think that on a GUI level the increase is staggering. From a server perspective it is probably as you say.
First, we already compile with - march=i586 - mtune=i686 (instruction set i586, but schedule instructions for i686)
Also, just enabling - mtune=i686 - march=i686 will not magically add MMX or 3DNOW or SSE instructions to the code. (gcc 4.0 lacks the auto vectorizer that will be to some degree in 4.1.)
- fomit- frame- pointer might give the most speedup on x86, but lead to less debuggable programs.
In general the problem with "slowness" usually does not lie in the compiler options, but in the general algorithms used by the applications, memory usage etc.
Ciao, Marcus
Hi Marcus Thanks for the update. Yes you are right and maybe this is futile effort, since as you say we are already compiling it quite highly optimised. Good food for thought .... and thanks for some technical detail, which I was not aware. In general however I wonder why on the same system Yoper or Gentoo just feels that much faster than SuSE or certainly much faster than RedHat? It certainly is a very subjective "feeling" but one that is confirmed by many others. Also people switching to NLD from Windows within Novell notice the speedloss that comes with it. They say NLD is just that much slower than Windows. One of the reasons I decided to do Yoper in first place was to make a Desktop just as snappy as windows as it just is not the case on a normal setup. Maybe the Con Kolivas patches and prelinking speed things up enough to get by. Just wondering from experience with thousands of people's feedback, why if it is true what you say,many people claim that some distro's are faster than others? Maybe I should just bag this effort and concentrate on adding additional packages and debugging..... but I am not totally convinced yet ;) and I do miss that snappiness that I was used to for all those years I ran my own compiled Linux. Maybe you can shed some more technical detail as I do lack the knowledge to fully understand the issues. Am not a programmer after all.
"Andreas Girardet"
In general however I wonder why on the same system Yoper or Gentoo just feels that much faster than SuSE or certainly much faster than RedHat? It certainly is a very subjective "feeling" but one that is confirmed by many others. Also people switching to NLD from Windows within Novell notice the speedloss that comes with it. They say NLD is just that much slower than Windows. One of the reasons I decided to do Yoper in first place was to make a Desktop just as snappy as windows as it just is not the case on a normal setup. Maybe the Con Kolivas patches and prelinking speed things up enough to get by.
Prelinking is supported by SUSE Linux and I would give it a try. What are the Con Kolivas patches? Can you post a URL?
Just wondering from experience with thousands of people's feedback, why if it is true what you say,many people claim that some distro's are faster than others?
Maybe I should just bag this effort and concentrate on adding additional packages and debugging..... but I am not totally convinced yet ;) and I do miss that snappiness that I was used to for all those years I ran my own compiled Linux. Maybe you can shed some more technical detail as I do lack the knowledge to fully understand the issues. Am not a programmer after all.
One think is that features slowdown the system. We need to have an universal system that does everything - and therefore is overdesigned for a lot of cases. If anybody comes up with some great ideas on how to improve performance, let's test those and integrate them where possible, Andreas -- Andreas Jaeger, aj@suse.de, http://www.suse.de/~aj SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
El Sábado, 13 de Agosto de 2005 18:19, Andreas Jaeger escribió:
Prelinking is supported by SUSE Linux and I would give it a try.
What are the Con Kolivas patches? Can you post a URL?
Patches to the kernel whose main purpose is to improve the system responsiveness to have a better desktop experience (but they work well in a server too). There's more info in his website: http://members.optusnet.com.au/ckolivas/kernel/ It's easy to find in Google. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
Hello Andreas Replying to your email gets rid of the entire message you wrote ..... I use groupwise
Prelinking is supported by SUSE Linux and I would give it a try.
I have and it does get startup times faster and I also run the following, which make the system in general more responsive, but as I said even compiling xorg completely for i686, which I am also doing for my own system make it really responsive. Compiling QT and KDE on top of that would certainly give it another boost.
What are the Con Kolivas patches? Can you post a URL?
http://members.optusnet.com.au/ckolivas/kernel/
One think is that features slowdown the system. We need to have an universal system that does everything - and therefore is overdesigned for a lot of cases.
I understand, however as far as I can recall Gentoo also has quite a lot of dependencies in their trees, but things are faster.
If anybody comes up with some great ideas on how to improve performance, let's test those and integrate them where possible,
1.) Prelink system out of the box if it is a desktop and add cron job (it is not enough to allow that to be done since a normal user will never do it by himself. 2.) Recompile with more aggressive opimisations at least: xorg, AT, kde, gnome. 3.) Add Con Kolivas patches to a special desktop kernel. Do all 3 on your own system, Andreas and you will see, that is is very much worth it. I currently do it for my nld laptop (apart from kde and gnome) and have a system that is much more responsive. With autobuild it should be doable to just do a testrun, prelink it and roll your own Kolivas kernel and you will be suprised!
Hi RP I would love to join your effort. Am really interested in making a 686 version of openSUSE and possibly putting some additional performance tweaks in here and there (Con Kolivas Kernel patches. In general I would also want to create a 1 CD installation source and add synaptic to the base and link it to an apt repository. That way all the rest can then be installed after install. In theory this should be doable. I have previously created the Yoper distro from scratch optimised for 686 and doing the same with existing rpm's should certainly be possible/doable. Have started 2 days ago :) .... I can also offer a common buildserver for this project on a 100Mbit network/website. Anyone else interested?
renegadepenguin@comcast.net 08/11/05 9:08 pm >>> Where do I find a tutorial on compiling OpenSUSE from source? I'd like
to recompile for my own machine, 686 vs. 386, and possibly do a couple other tweaks. If there's no tutorial - is there one on compiling SUSE? Anything else I need to know? RP
This sounds interesting. I am in as well.
--- Andreas Girardet
Hi RP
I would love to join your effort. Am really interested in making a 686 version of openSUSE and possibly putting some additional performance tweaks in here and there (Con Kolivas Kernel patches. In general I would also want to create a 1 CD installation source and add synaptic to the base and link it to an apt repository. That way all the rest can then be installed after install.
In theory this should be doable. I have previously created the Yoper distro from scratch optimised for 686 and doing the same with existing rpm's should certainly be possible/doable. Have started 2 days ago :) ....
I can also offer a common buildserver for this project on a 100Mbit network/website.
Anyone else interested?
renegadepenguin@comcast.net 08/11/05 9:08 pm >>>
Where do I find a tutorial on compiling OpenSUSE from source? I'd like
to recompile for my own machine, 686 vs. 386, and possibly do a couple
other tweaks.
If there's no tutorial - is there one on compiling SUSE?
Anything else I need to know?
RP
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Hi, On Thu, 11 Aug 2005, Víctor Fernández Martínez wrote:
El Jueves, 11 de Agosto de 2005 10:38, Adrian Schroeter escribió:
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Well, I already have a YaST repository. ;) It's not very serious and I haven't signed the packages with GPG yet but now I know how so I'll do it soon. If you're curious:
If you will give me an rsync access to your repository, I would like to mirror your repositories at ftp://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ http://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ rsync://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ and include them into the apt repositories at ftp.gwdg.de.
But I would like to contribute my RPMs in a more serious way. I'll have to wait.
No, don't wait. The "suser" apt repositories at ftp.gwdg.de should be the base for opensuse/contrib. I am not the one to decide this, but I feel it is the next step. Cheers -e -- Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
El Viernes, 12 de Agosto de 2005 01:00, Eberhard Moenkeberg escribió:
Hi,
On Thu, 11 Aug 2005, Víctor Fernández Martínez wrote:
El Jueves, 11 de Agosto de 2005 10:38, Adrian Schroeter escribió:
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Well, I already have a YaST repository. ;) It's not very serious and I haven't signed the packages with GPG yet but now I know how so I'll do it soon. If you're curious:
If you will give me an rsync access to your repository, I would like to mirror your repositories at
And how can I? I don't know very well how rsync works. Should I better contact my administrator or can I do it by myself? (I obviously don't have admin permissions)
and include them into the apt repositories at ftp.gwdg.de.
But I would like to contribute my RPMs in a more serious way. I'll have to wait.
No, don't wait. The "suser" apt repositories at ftp.gwdg.de should be the base for opensuse/contrib. I am not the one to decide this, but I feel it is the next step.
Well, I could rebuild the packages signing them with a GPG key, tweak a bit the repository and I think it would be ready for general usage. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
Hi, On Fri, 12 Aug 2005, Víctor Fernández Martínez wrote:
El Viernes, 12 de Agosto de 2005 01:00, Eberhard Moenkeberg escribió:
On Thu, 11 Aug 2005, Víctor Fernández Martínez wrote:
El Jueves, 11 de Agosto de 2005 10:38, Adrian Schroeter escribió:
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Well, I already have a YaST repository. ;) It's not very serious and I haven't signed the packages with GPG yet but now I know how so I'll do it soon. If you're curious:
If you will give me an rsync access to your repository, I would like to mirror your repositories at
And how can I? I don't know very well how rsync works. Should I better contact my administrator or can I do it by myself? (I obviously don't have admin permissions)
Yes, look at this: emoenke@ftp:0 01:16:01 /mirr/bin > rsync www.polinux.upv.es:: web-formacion web del grupo de trabajo Formación web-cluster web del grupo de trabajo Cluster web-grafix web del grupo de trabajo Grafix web-upvtex web de UPVTeX web-msn4lin web de msn4lin emoenke@ftp:0 01:16:55 /mirr/bin > So www.polinux.upv.es already has an rsync daemon running, the admin simply has to add a module for you. If he likes to restrict access, I would prefer the user:pass method against the IP range method.
and include them into the apt repositories at ftp.gwdg.de.
But I would like to contribute my RPMs in a more serious way. I'll have to wait.
No, don't wait. The "suser" apt repositories at ftp.gwdg.de should be the base for opensuse/contrib. I am not the one to decide this, but I feel it is the next step.
Well, I could rebuild the packages signing them with a GPG key, tweak a bit the repository and I think it would be ready for general usage.
OK, if you do, just deposit your rpm key just at top of your repository, and Richard Bos (the master of apt4rpm for SUSE, see http://linux01.gwdg.de/apt4rpm/ - he still is and will continue, but last month SUSE did neglect to make him an employee - crazy...) will grab your key into the apt "rpmkeys" component. Cheers -e -- Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
El Viernes, 12 de Agosto de 2005 01:27, Eberhard Moenkeberg escribió:
Hi,
On Fri, 12 Aug 2005, Víctor Fernández Martínez wrote:
El Viernes, 12 de Agosto de 2005 01:00, Eberhard Moenkeberg escribió:
On Thu, 11 Aug 2005, Víctor Fernández Martínez wrote:
El Jueves, 11 de Agosto de 2005 10:38, Adrian Schroeter escribió:
On Wednesday 10 August 2005 19:15, Víctor Fernández Martínez wrote:
Well, I already have a YaST repository. ;) It's not very serious and I haven't signed the packages with GPG yet but now I know how so I'll do it soon. If you're curious:
If you will give me an rsync access to your repository, I would like to mirror your repositories at
And how can I? I don't know very well how rsync works. Should I better contact my administrator or can I do it by myself? (I obviously don't have admin permissions)
Yes, look at this:
emoenke@ftp:0 01:16:01 /mirr/bin > rsync www.polinux.upv.es:: web-formacion web del grupo de trabajo Formación web-cluster web del grupo de trabajo Cluster web-grafix web del grupo de trabajo Grafix web-upvtex web de UPVTeX web-msn4lin web de msn4lin emoenke@ftp:0 01:16:55 /mirr/bin >
So www.polinux.upv.es already has an rsync daemon running, the admin simply has to add a module for you. If he likes to restrict access, I would prefer the user:pass method against the IP range method.
Ok, let me ask my admin about it and I'll tell you.
and include them into the apt repositories at ftp.gwdg.de.
But I would like to contribute my RPMs in a more serious way. I'll have to wait.
No, don't wait. The "suser" apt repositories at ftp.gwdg.de should be the base for opensuse/contrib. I am not the one to decide this, but I feel it is the next step.
Well, I could rebuild the packages signing them with a GPG key, tweak a bit the repository and I think it would be ready for general usage.
OK, if you do, just deposit your rpm key just at top of your repository, and Richard Bos (the master of apt4rpm for SUSE, see http://linux01.gwdg.de/apt4rpm/ - he still is and will continue, but last month SUSE did neglect to make him an employee - crazy...) will grab your key into the apt "rpmkeys" component.
I don't have the key yet but I'll generate it and tell you later. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
Hi, Eberhard Moenkeberg schrieb:
If you will give me an rsync access to your repository, I would like to mirror your repositories at
ftp://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ http://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ rsync://ftp.gwdg.de/pub/linux/misc/suser-vfernand/
and include them into the apt repositories at ftp.gwdg.de.
I have a question... maybe it's not worth to discuss... but I'm concerned with this for a while now. First of all: I have no problems with Victor becoming an suser or so. I'm using the repositorys of the susers, too. And i like it, that there are a lot of packages you can't get elsewhere. I have just a Problem with the concept of the suser-trees. As some susers, I've talked to, told me, it wasn't necessary for them, to disclose their identity or so. They had not to tell you (or another admin, i don't know...) their real name, nor a copy of the identification card or something like that... the rpms are only gpg-signed, so that it is sure, that someone called suser-xy has built the packages. I see the problem, that it could be possible, to someone wanting to damage the SUSE community, to build packages with scripts who do rm -rf / or something similar, and if the rpm is given a version-number higher as the ones from SUSE or Packman, a lot (all?) of the apt4rpm-User will get a packages with bad scripts... And yes, there are a lot of people wanting to damage the linux-communitys. About a year ago, there has been a DDoS - attack with more of 90000 IPs on one of the servers of http://linuxforen.de. I can't really imagine, why someone does things like that, but there were news, that a lot of linux-side-companys were attacked like that, too. For this people, who want to disadvantage linux-community, would be the easiest to upload bad rpms. I don't know, how this is managed by Debian or other community-projects, or if the packages are checked automatically by some way... greets Soeren
Hi, On Fri, 12 Aug 2005, [ISO-8859-15] Sören Wengerowsky wrote:
Eberhard Moenkeberg schrieb:
If you will give me an rsync access to your repository, I would like to mirror your repositories at
ftp://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ http://ftp.gwdg.de/pub/linux/misc/suser-vfernand/ rsync://ftp.gwdg.de/pub/linux/misc/suser-vfernand/
and include them into the apt repositories at ftp.gwdg.de.
I have a question... maybe it's not worth to discuss... but I'm concerned with this for a while now.
First of all: I have no problems with Victor becoming an suser or so. I'm using the repositorys of the susers, too. And i like it, that there are a lot of packages you can't get elsewhere.
I have just a Problem with the concept of the suser-trees.
As some susers, I've talked to, told me, it wasn't necessary for them, to disclose their identity or so.
They had not to tell you (or another admin, i don't know...) their real name, nor a copy of the identification card or something like that... the rpms are only gpg-signed, so that it is sure, that someone called suser-xy has built the packages.
I see the problem, that it could be possible, to someone wanting to damage the SUSE community, to build packages with scripts who do rm -rf / or something similar, and if the rpm is given a version-number higher as the ones from SUSE or Packman, a lot (all?) of the apt4rpm-User will get a packages with bad scripts...
And yes, there are a lot of people wanting to damage the linux-communitys. About a year ago, there has been a DDoS - attack with more of 90000 IPs on one of the servers of http://linuxforen.de. I can't really imagine, why someone does things like that, but there were news, that a lot of linux-side-companys were attacked like that, too. For this people, who want to disadvantage linux-community, would be the easiest to upload bad rpms.
I don't know, how this is managed by Debian or other community-projects, or if the packages are checked automatically by some way...
There is no proof against a good guy turning bad some day... Cheers -e -- Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
There is no proof against a good guy turning bad some day...
At least some people publish their .src.rpm so it would be possible to take a look at the specfile. I really encourage everybody to publish their .src.rpm's. Of course they still can publish a modified .src.rpm which doesn't correspond to the real .src.rpm but if you don't trust them, you can build the .src.rpm. Right now there's not much more you can do. Anyway I don't think that's the bigger problem. The bigger problem is the packages might be buggy or have broken dependencies and so on, perhaps because some of them haven't been properly tested. That could mess an installation or at least cause problems. I suppose when openSUSE will open the contrib repository there will have some kind of control to the packages and you will contribute the .src.rpm, not the binary rpms, so there won't be a way to hide something. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
On Sat, 2005-08-13 at 00:04 +0200, Víctor Fernández Martínez wrote:
El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
There is no proof against a good guy turning bad some day...
At least some people publish their .src.rpm so it would be possible to take a look at the specfile. I really encourage everybody to publish their .src.rpm's. Of course they still can publish a modified .src.rpm which doesn't correspond to the real .src.rpm but if you don't trust them, you can build the .src.rpm. Right now there's not much more you can do.
Anyway I don't think that's the bigger problem. The bigger problem is the packages might be buggy or have broken dependencies and so on, perhaps because some of them haven't been properly tested. That could mess an installation or at least cause problems.
Simple solution would be for the developers to install their own package on a clean install of the target OS and fix the dep issues or make sure the deps are available. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998 "The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
El Sábado, 13 de Agosto de 2005 00:14, Ken Schneider escribió:
On Sat, 2005-08-13 at 00:04 +0200, Víctor Fernández Martínez wrote:
El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
There is no proof against a good guy turning bad some day...
At least some people publish their .src.rpm so it would be possible to take a look at the specfile. I really encourage everybody to publish their .src.rpm's. Of course they still can publish a modified .src.rpm which doesn't correspond to the real .src.rpm but if you don't trust them, you can build the .src.rpm. Right now there's not much more you can do.
Anyway I don't think that's the bigger problem. The bigger problem is the packages might be buggy or have broken dependencies and so on, perhaps because some of them haven't been properly tested. That could mess an installation or at least cause problems.
Simple solution would be for the developers to install their own package on a clean install of the target OS and fix the dep issues or make sure the deps are available.
Yes but maintaining a clean install to test the packages is hard. You don't really know how fast the "clean" install becomes a "dirty" install. ;) Or perhaps you don't have the time to deeply test the packages and you assume they work properly since everything seems to be ok. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
On Sat, 2005-08-13 at 00:34 +0200, Víctor Fernández Martínez wrote:
El Sábado, 13 de Agosto de 2005 00:14, Ken Schneider escribió:
On Sat, 2005-08-13 at 00:04 +0200, Víctor Fernández Martínez wrote:
El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
There is no proof against a good guy turning bad some day...
At least some people publish their .src.rpm so it would be possible to take a look at the specfile. I really encourage everybody to publish their .src.rpm's. Of course they still can publish a modified .src.rpm which doesn't correspond to the real .src.rpm but if you don't trust them, you can build the .src.rpm. Right now there's not much more you can do.
Anyway I don't think that's the bigger problem. The bigger problem is the packages might be buggy or have broken dependencies and so on, perhaps because some of them haven't been properly tested. That could mess an installation or at least cause problems.
Simple solution would be for the developers to install their own package on a clean install of the target OS and fix the dep issues or make sure the deps are available.
Yes but maintaining a clean install to test the packages is hard. You don't really know how fast the "clean" install becomes a "dirty" install. ;) Or perhaps you don't have the time to deeply test the packages and you assume they work properly since everything seems to be ok.
I will agree with that to a certain point. Perhaps an install using VMware could be used for so that there would always be a clean install. VMware does have snapshots available so that you can roll back changes. It's just a thought. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998 "The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Ken Schneider schrieb: [..]
Simple solution would be for the developers to install their own package on a clean install of the target OS and fix the dep issues or make sure the deps are available.
I thought about something like an automatic server which installs all new packages, and performs a self-test after install. For example: - are the init-scripts already ok - were directories /files deleted - ... Or maybe there should be a script local installed which warns the users, if the rpm is doing something like deleting directories, and asks then, if it should stop or sth. like this. I don't know, if that's possible to perform, but i think, we should think about something like that... greets, Soeren
Hello, Am Sonntag, 14. August 2005 10:54 schrieb Sören Wengerowsky: [...]
I thought about something like an automatic server which installs all new packages, and performs a self-test after install. For example: - are the init-scripts already ok - were directories /files deleted - ...
Or maybe there should be a script local installed which warns the users, if the rpm is doing something like deleting directories, and asks then, if it should stop or sth. like this.
I don't know, if that's possible to perform, but i think, we should think about something like that...
For installation-time issues, rpm -qp --scripts foobar.rpm should help. If you doubt a program has a run-time backdoor, check the sources. Maybe the installation-time scripts can be checked more or less automatically - but the programs can't IMHO because they are too complex. Regards, Christian Boltz -- 2.-5.9.2005: Weinfest in Insheim Bei der Landjugend: Liquid, AH-Band und Deafen Goblins Mehr Infos: www.Landjugend-Insheim.de
If you doubt a program has a run- time backdoor, check the sources.
Maybe the installation- time scripts can be checked more or less automatically - but the programs can't IMHO because they are too complex.
A reliable way to ensure security of contributions is to have rules regarding official contributions, that minimise the risk of a contribution being malignant. Similar rules exist with other distro's. All those can be checked for easily and 1.) Any contributed binary rpm's must have a corresponding src.rpm. 2.) A more stringent check is to actually only allow src.rpm's and build the contribs automatically on a central buildserver. That way we know that the binaries have not been tempered with and do have the source to later analyse in case there has been a violation. This also ensures that things build correctly and are not just hacked to build on a particular unclean system. 3.) Another one could be to force contributors to disclose their real identity. This has security implications itself, because of privacy laws in various countries. Might be a difficult one to enforce. But I personally would only want to install a package of a verified source on anything that matters. Call me paranoid. ... cannot think of anything else right now ....
Hello, Christian Boltz schrieb:
Am Sonntag, 14. August 2005 10:54 schrieb Sören Wengerowsky:
I don't know, if that's possible to perform, but i think, we should think about something like that...
For installation-time issues, rpm -qp --scripts foobar.rpm should help.
Yes.. but can you check scripts with apt, too? I think, apt works more or less automatically, so that you have no real chance to check them. A solution might be to download the packages via apt, and then check them.
If you doubt a program has a run-time backdoor, check the sources.
Maybe the installation-time scripts can be checked more or less automatically - but the programs can't IMHO because they are too complex.
Yes.. checking this might be impossible. But i think, the script kiddies who only want to damage systems will be not that inventive, and might only add a rm -rf / or so to a script. greets Soeren
On Mon, Aug 15, 2005 at 02:07:35PM +0200, Sören Wengerowsky wrote:
But i think, the script kiddies who only want to damage systems will be not that inventive, and might only add a rm -rf / or so to a script.
It only needs one to be doing this. If there is a possibilaty that somebody does this and there is way to prevent it, you should prevent it. houghi -- A fool must now and then be right by chance.
On Thursday 11 August 2005 10:38, Adrian Schroeter wrote: ...
(YUM repos should also work now). I want to create a Wiki page today listing the existing additional repositories in this world. That can get extended than by everyone.
a very first start, feel free to help :) http://www.opensuse.org/index.php/YaST_package_repository bye adrian -- Adrian Schroeter Project Manager openSUSE SuSE AG, Maxfeldstr. 5, 90409 Nuernberg, Germany email: adrian@suse.de
El Jueves, 11 de Agosto de 2005 11:27, Adrian Schroeter escribió:
On Thursday 11 August 2005 10:38, Adrian Schroeter wrote: ...
(YUM repos should also work now). I want to create a Wiki page today listing the existing additional repositories in this world. That can get extended than by everyone.
a very first start, feel free to help :)
Great. This page will be useful too: http://www.susewiki.org/index.php?title=Finding_RPMs It contains a list of YaST and APT repositories for Suse. We could take the YaST ones. -- Víctor Fernández Martínez Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux registrado #312284 en http://counter.li.org.
While on the topic of Yum repositories, will APT repoistories ever work with YaST? Seb Adrian Schroeter wrote:
On Thursday 11 August 2005 10:38, Adrian Schroeter wrote: ....
(YUM repos should also work now). I want to create a Wiki page today listing the existing additional repositories in this world. That can get extended than by everyone.
a very first start, feel free to help :)
http://www.opensuse.org/index.php/YaST_package_repository
bye adrian
participants (15)
-
Adrian Schroeter
-
Andreas Girardet
-
Andreas Jaeger
-
Carlos
-
Christian Boltz
-
Eberhard Moenkeberg
-
Henne Vogelsang
-
houghi
-
Ken Schneider
-
Marcus Meissner
-
Marcus Rueckert
-
Renegade Penguin
-
Seb Payne
-
Sören Wengerowsky
-
Víctor Fernández Martínez