Unable to upgrade packages on FreeBSD

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Jan 31 10:42:21 UTC 2012


On 31/01/2012 09:56, Eduardo Morras wrote:
> Making a resume/summary of the thread; more hardware, time and people
> are needed to maintain a package system up-to-date. I have a free server
> (amd64 freebsd8.2p6), if I built all packages with their standard
> options, that's without make config, can I upload them to the official
> package ftp? Should I make my own un-official ftp package server to
> allow others to download them?
> 
> Perhaps it's not clear, this answer has ironic mode off, joking mode off
> and I want to collaborate making the standard packages.

While your offer is made with the best of intentions, I doubt the
project would feel able to take you up on it.  The problem is simply one of
security -- while crowd-sourcing package compilation would be a pretty
sweet technical solution to much of the scaling and resource cost
problems, it offers far too much opportunity for people up-to-no-good to
be able to introduce trojans, spyware and so forth.

Setting up your own package build system and ftp site -- well, there's
nothing preventing you from doing that, but again, it's a trust thing.
Unless people can believe in the provenance of the packages you provide,
it's not going to be sensible for them to download from you.  So it's
only people that know you personally, friends, relations, workmates and
people that know and trust people willing to trust you; they would be
the initial audience for your new package building and distribution
thing.  Even if you had an enormous social circle all of whom happened
to be avid FreeBSD users, I doubt that would actually provide enough
demand to make the whole venture worthwhile.

The best ways to contribute are (a) to make a donation via the FreeBSD
Foundation and (b) take up maintainership on some ports.  As ever in any
project of this type, most of the work goes through smoothly and it's
that minority of problem ports that eat up so much of the time.
Maintained ports have fewer problems.

Some of the more paranoid amongst you may be asking yourselves if, in
the light of what I say above, you really can trust packages from
anywhere other than the official ftp.freebsd.org server.  Locations like
(for example) ftp.uk.freebsd.org (which, although blessed as an official
mirror site, is run by a completely different set of people.)  The
answer is somewhere on the 'probably -- maybe' continuum.   Can you
actually trust the people running the mirror site?  (In the case of
ftp.uk.freebsd.org, as of a day or so ago that's the UK mirror service
run by the University of Kent who are clearly of unimpeachable
reputation.)  Implementing digital signatures on packages would go a
long way to removing that uncertainty.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
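To illustrate the last point of the post above, here is an added example (not code from the post or from the FreeBSD project) of why package signatures move trust from the mirror operator to the key holder: the project signs a digest of the archive once, and a client downloading from any mirror verifies with the project's public key alone. The archive bytes and the two mirrors are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Package models a package file as fetched from some mirror, together
// with the detached signature published by the project (constructed model).
type Package struct {
	Name      string
	Data      []byte // archive bytes exactly as served by the mirror
	Signature []byte // project signature over sha256(Data)
}

// SignPackage is what the project (the key holder) does once at build time.
func SignPackage(priv ed25519.PrivateKey, name string, data []byte) Package {
	digest := sha256.Sum256(data)
	return Package{Name: name, Data: data, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is what a client runs after downloading from any mirror.
// It needs only the project's public key, not trust in the mirror operator.
func VerifyPackage(pub ed25519.PublicKey, p Package) bool {
	digest := sha256.Sum256(p.Data)
	return ed25519.Verify(pub, digest[:], p.Signature)
}

// Scenario: the project signs, an honest mirror relays the file unchanged,
// a tampering mirror alters the archive. Returns (honestOK, tamperedOK).
func Scenario() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample bytes standing in for a real package archive.
	original := []byte("pkg-1.0.txz: constructed sample archive bytes")
	signed := SignPackage(priv, "pkg-1.0.txz", original)

	honest := signed // relays bytes and signature verbatim
	tampered := signed
	tampered.Data = bytes.Replace(signed.Data, []byte("sample"), []byte("altered"), 1)
	return VerifyPackage(pub, honest), VerifyPackage(pub, tampered)
}

func main() {
	ok, bad := Scenario()
	fmt.Printf("honest mirror verifies: %v, tampered mirror verifies: %v\n", ok, bad)
}
```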
