Re: Fwd: New binary package set for EL6 x86_64
* On 2014-07-11 at 09:02 BST, Elias Persson wrote:

> On 2014-07-10 19:53, Yasha Karant wrote:
>
>> I received the following email message that does not appear to be posted to the SL list.
>
> It's on the list:
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind1407&L=scientific-linux-users&T=0&P=15184
>
> The weird way it was sent (via another list?) and the fact that the SL lists lack list-id and such probably cause any filter you might have to miss it though.

Sorry, my fault. I subscribed to a few different lists which I thought would be interested in this, and then sent one mail which bcc'd them - assuming that the list servers in question would handle the rest.

Again, if you have any questions about this package set, I'd be delighted to answer them. I've had a few come in so far, so I'll take the chance to summarise them here:

- You can browse the list of packages here: http://pkgsrc.joyent.com/packages/Linux/el6/2014Q2/x86_64/All/

- They aren't in RPM format, but pkgsrc (the system used to build them) does have pluggable backend support, and there was an unfinished GSOC project to implement RPM support a few years back. If someone is interested it would be fantastic to see this finished so we can provide them as RPMs via yum instead.

- pkgsrc is branched every 3 months, and from that we generate the binary packages and provide a new package set, so every quarter there is a fresh update of new packages.

Cheers,

--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
Re: Fwd: New binary package set for EL6 x86_64
* On 2014-07-11 at 16:39 BST, Yasha Karant wrote:

> I have not found a pkgsrc RPM that would automatically install and configure pkgsrc for an EL system.

There is none that I am aware of. Setting up a build environment for pkgsrc is outside of the scope of a single RPM.

> What is the answer to a fundamental question: how secure and authenticated is the pkgsrc repository (non-RPM, but a repository nonetheless)?

As far as the builds go they use the same mechanisms that you quoted - each downloaded distfile is verified for both SHA1 and RMD160 checksums to ensure their integrity.

As far as the repository itself, it is secure. The part which is missing which I'd like to address for my other package sets too is that the packages themselves are not currently signed. pkgsrc has infrastructure support for this, but I am missing some bootstrap bits to ensure the packaging tools have the necessary features to support it.

> Insofar as possible, I use SL and related repositories because these in practice are reasonably secure and authenticated. I do what I can to avoid using contaminated/compromised sources or executables, and work as root as secure as is practicable.

Sure, this is good practice. There is of course an element of trust here, but as a company which relies on community involvement a breach of that trust would be pretty catastrophic, so I will certainly do all I can to ensure it isn't broken.

Regards,

--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
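The distfile integrity check Jonathan refers to above (SHA1 and RMD160 entries in a pkgsrc `distinfo` file), as an added example that is not part of this thread or of pkgsrc's own tooling; the sample `distinfo` text and the filename `example-1.0.tar.gz` are constructed, and the digests are those of the three bytes `abc`:

```python
"""Verify a distfile against the digests recorded in a pkgsrc-style distinfo file."""
import hashlib
import re

# Each recorded property is one line of the form "ALGO (filename) = value".
DISTINFO_LINE = re.compile(r"^(\w+) \(([^)]+)\) = (.+?)(?: bytes)?$")

# Constructed sample distinfo; the digests are for a distfile whose content is b"abc".
SAMPLE_DISTINFO = """\
$NetBSD: distinfo,v 1.1 2014/07/11 00:00:00 example Exp $

SHA1 (example-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
RMD160 (example-1.0.tar.gz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Size (example-1.0.tar.gz) = 3 bytes
"""


def parse_distinfo(text):
    """Return {filename: {property: value}}; the RCS id line and blanks are skipped."""
    entries = {}
    for line in text.splitlines():
        match = DISTINFO_LINE.match(line.strip())
        if match:
            algo, fname, value = match.groups()
            entries.setdefault(fname, {})[algo] = value
    return entries


def verify_distfile(data, fname, entries):
    """Check the bytes of one distfile against every property recorded for it.

    Returns {property: True/False}. A value of None means the digest algorithm
    is not available in this Python build (RIPEMD-160 depends on the OpenSSL
    provider), so that check could not be performed. A file with no distinfo
    entry cannot be verified at all and yields an empty dict.
    """
    results = {}
    for algo, expected in entries.get(fname, {}).items():
        if algo == "Size":
            results[algo] = len(data) == int(expected)
            continue
        hash_name = {"RMD160": "ripemd160"}.get(algo, algo.lower())
        try:
            digest = hashlib.new(hash_name, data).hexdigest()
        except ValueError:  # hashlib does not know this algorithm
            results[algo] = None
            continue
        results[algo] = digest == expected.lower()
    return results


if __name__ == "__main__":
    recorded = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_distfile(b"abc", "example-1.0.tar.gz", recorded))
```

A distfile passes only when every property that could be computed is True; an empty dict or any False should stop the build rather than be treated as success.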