Install from Binary Archives (was Re: port install efficiency issue)

Darren Weber dweber at macports.org
Thu Mar 26 15:52:10 PDT 2009


On Thu, Mar 26, 2009 at 3:19 PM, Rainer Müller <raimue at macports.org> wrote:

> Dave Howell wrote:
> > What about this: I do a "ports install widget", ports looks for a
> > binary, doesn't find one that matches (in this case, the default
> > options and current version), so it goes about building it. When it's
> > done, it says "upload compiled binary to binary archives?" I say "Y",
> > and up it goes. Now it's available for the next user who comes along.
>
> Sure, we would just distribute arbitrary binaries to end-users... NOT!
> Ever thought about security? What if I upload some rootkit instead of
> the real software and everyone installs it? No, this will not work.
>
> Rainer
>


I've been running mpab for a few days now, i.e.:
http://trac.macports.org/wiki/MPAB

This is a chroot approach.  Obviously, as it is, anyone could tinker with it
to include a rootkit or whatever.  Nevertheless, I wonder if it's possible
to create a binary app of this, which is authenticated during installation
(at least), and we ensure that it must do some handshaking to get hold of
the "official" and "secure" port tree somehow (probably an encrypted
handshake, encrypted file archive for download, etc.) and then it goes about
its business on a user machine and only does an upload (if any) when there
is some kind of further authentication that the port build is correct
(binary md5 etc. for at least 2-5 builds on the exact same configuration).
Even if it does no uploads, it could create useful information about the
stability or integrity (you name it) of the entire build process.  It would
be really neat to have an Xgrid controller (or many) be able to run a job
that can parse out port dependencies and have some kind of parallelism in
the build.

Best, Darren

PS, `man otool` can tell you just about anything you need to know about the
binary file, e.g.:
otool -l /opt/local/bin/gls
otool -L /opt/local/bin/gls
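
An added example, not part of the original message and not MacPorts or MPAB code: one way to express the "same binary digest for at least 2-5 builds on the exact same configuration" gate described in the message above. It assumes builder identities are already authenticated, uses SHA-256 where the message says md5, and every name and sample report in it is constructed.

```python
import hashlib
from collections import defaultdict


def archive_digest(data: bytes) -> str:
    # SHA-256 stands in for the "binary md5" in the message (assumption of this example).
    return hashlib.sha256(data).hexdigest()


def evaluate(reports, quorum=2):
    """Group build reports by exact configuration and apply a quorum rule.

    reports: iterable of (builder, port, version, config, digest).
    Returns (accepted, disputed):
      accepted: {key: digest} where >= quorum distinct builders agree and nobody disagrees
      disputed: {key: {digest: [builders]}} where builders reported different digests
    """
    votes = defaultdict(lambda: defaultdict(set))
    for builder, port, version, config, digest in reports:
        # A set per digest: repeated uploads by one builder count as one vote.
        votes[(port, version, config)][digest].add(builder)

    accepted, disputed = {}, {}
    for key, by_digest in votes.items():
        if len(by_digest) > 1:
            disputed[key] = {d: sorted(b) for d, b in by_digest.items()}
            continue
        (digest, builders), = by_digest.items()
        if len(builders) >= quorum:
            accepted[key] = digest
    return accepted, disputed


# Constructed sample data (hypothetical builders, ports and configuration string).
GOOD = archive_digest(b"archive built from the official tree")
BAD = archive_digest(b"archive with something extra")
CFG = "darwin9/i386/default-variants"
REPORTS = [
    ("builder-a", "widget", "1.0", CFG, GOOD),
    ("builder-b", "widget", "1.0", CFG, GOOD),
    ("builder-c", "gadget", "2.1", CFG, GOOD),
    ("builder-c", "gadget", "2.1", CFG, GOOD),  # same builder twice: still one vote
    ("builder-a", "gizmo", "0.3", CFG, GOOD),
    ("builder-b", "gizmo", "0.3", CFG, GOOD),
    ("builder-d", "gizmo", "0.3", CFG, BAD),    # one mismatch blocks the upload
]

if __name__ == "__main__":
    accepted, disputed = evaluate(REPORTS)
    print("accepted:", accepted)
    print("disputed:", disputed)
```

Byte-for-byte agreement only happens when the build is deterministic (no embedded timestamps or build paths), so a disputed entry is not by itself evidence of tampering.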

More information about the macports-users mailing list