error404
Posts: 351
Joined: Wed Dec 21, 2011 11:49 pm

Re: Fedora Remix or Debian?

Sat Mar 10, 2012 4:32 am

esbeeb said:

This is just idle talk, but perhaps if reliable, easy-to-follow directions, or better yet, a script, were/was assembled and posted (as how to set up Reprepro+rebuildd+sbuild), then it would be easy for volunteers to set up their RPis to "join the build farm". Perhaps the assembly of such instructions might be a great use of time, while we wait for those first 10,000 units to hit the scene.

Someone could do this, but it's not going to fit in with the Debian project's security goals. There's no way they'd accept random people as builders for an official Debian distribution.

mpthompson
Posts: 620
Joined: Fri Feb 03, 2012 7:18 pm
Location: San Carlos, CA

Re: Fedora Remix or Debian?

Sat Mar 10, 2012 5:09 am

Hmmm. As the RPi goes into volume production, I wonder if it would make sense to buy at least 10 of the little buggers for about $400 and NFS mount disk volumes from a fast central PC to accomplish builds on actual hardware. Swap and the root file system could even be NFS mounted to save pounding on the SD cards. I hear that there are a handful of packages that tax even ARM devices with 1GB of RAM and SATA drives (i.e. Firefox), but those packages could be left to a single more capable ARM device with the RPis chewing away on the vast majority of the Debian packages.

In such a cluster, 10 RPis would cost about as much as 2 i.MX53 Quick Start Boards and perhaps get a lot more accomplished if there isn't a severe problem with network latency in such a build cluster.

Chris Tyler
Posts: 70
Joined: Thu Jul 28, 2011 12:16 pm

Re: Fedora Remix or Debian?

Sat Mar 10, 2012 1:47 pm

If you want to build a full distro package set, you'll probably want a beefier machine than a Raspi for building, and you'll want a lot of them. We have 30 Pandas (dual core 1GHz 1GB), 20 GuruPlugs (single core 1.2GHz 512MB), and some Smarttops and Trimslices, backed by four x86 servers with terabytes of SSD and GigE networking, and the rebuild time for the distro is weeks.

esbeeb
Posts: 124
Joined: Sun Feb 05, 2012 12:23 am

Re: Fedora Remix or Debian?

Sun Mar 11, 2012 3:45 pm

error404 said:


Someone could do this, but it's not going to fit in with the Debian project's security goals. There's no way they'd accept random people as builders for an official Debian distribution.


How does this sound for an algorithm for a build-related program that would ensure trustworthiness of built packages (built on random volunteers' machines)?

Let's assume the following is realistic:

An appeal to "give back to Debian" is made on the front page of raspberrypi.org, by donating, or self-hosting a dedicated Raspberry Pi build machine. Since a Raspberry Pi, a cheap SD card, and an ethernet cable cost about $60 (about half of the price of the cheapest Windows 7 Home Premium license), a few hundred tech-savvy volunteers step forward. They effectively pledge to set up a dedicated, headless, Debian build machine, allowing remote SSH login (and they already know how to set up port forwarding through their NAT broadband routers). After all, since most Ubuntu users know that Ubuntu is based on Debian, they know that when they "give back" to Debian, they are also, in turn, giving back to Ubuntu.

Granted the above is realistic, here's what the new trustworthiness-ensuring build-related program would do:
What if there were some kind of a trusted "master builder" machine, which knows all the available volunteer build machines to log into (and ports, in case they're not port 22), perhaps being stored in Debian's build machine database.  Then for a given package to be built, it randomly chooses 2 build machines, not being on the same subnet whatsoever, then initiates build processes on both build machines, and waits for the resulting built packages to be returned.  Once both built packages return, they are compared, by calculating an sha1 checksum on both.  If they match, then the built packages are trusted.  If they don't match, then one of those two build machines is suspicious, to say the least.  One of the two packages is not trustworthy, and perhaps has some added evil hackery.  So the "master builder" machine asks yet a third randomly-chosen build machine to build the package a third time (again, being on an entirely different subnet from the first two machines).  Then the third built package is checksummed as a tie-breaker.  Whichever machine was the "odd man out" gets a "strike" against it, and the suspicious package gets put into a quarantine folder for forensic investigation later, if desired.  After three "strikes" from any build machine, it's de-listed from the possible pool of build machines. 

esbeeb
Posts: 124
Joined: Sun Feb 05, 2012 12:23 am

Re: Fedora Remix or Debian?

Sun Mar 11, 2012 5:01 pm

esbeeb said:


Then the third built package is checksummed as a tie-breaker.  Whichever machine was the "odd man out" gets a "strike" against it.

On second thought, that third tie-breaking package should be built on a highly-trustworthy controlled-by-Debian Raspberry Pi build machine, not a random volunteer machine.

After three "strikes" from any build machine, it's de-listed from the possible pool of build machines. 

On second thought, how about just "one strike and they're out", not three.

esbeeb
Posts: 124
Joined: Sun Feb 05, 2012 12:23 am

Re: Fedora Remix or Debian?

Sun Mar 11, 2012 5:07 pm

esbeeb said:


Then for a given package to be built, it randomly chooses 2 build machines, not being on the same subnet whatsoever, 

These randomly chosen volunteer build machines would only be chosen if they aren't already busy, having been given another package to build previously (for which they haven't yet returned a built package).  That is to say, the volunteer build machines are only given one package at a time to compile.

And there would need to be a system of "timeouts": if a volunteer machine didn't return a built package within a reasonable amount of time, then a new machine gets asked instead, and the busy machine is not asked again, until it can be verified as ready to work again.
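The scheme from the posts above (a random pair of idle volunteers on different subnets, checksum comparison, tie-break on a Debian-controlled machine, one strike and out), as an added example that is not part of any post and not Debian's own tooling. Assumptions: `Builder`, `pick_pair`, `verify_build` and `demo` are hypothetical names, "different subnet" is taken to mean a different IPv4 /24, SHA-256 stands in for the SHA-1 mentioned in the post, builds are bit-for-bit reproducible, and the timeout rule is left out.

```python
import hashlib
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable

@dataclass
class Builder:                        # hypothetical record for one build machine
    name: str
    ip: str
    build: Callable[[bytes], bytes]   # source bytes -> built package bytes
    busy: bool = False                # still working on an earlier package
    delisted: bool = False            # removed from the pool after a mismatch

def digest(pkg: bytes) -> str:
    return hashlib.sha256(pkg).hexdigest()

def subnet(b, prefix=24):  # assumption: "same subnet" means same IPv4 /24
    return ipaddress.ip_network(f"{b.ip}/{prefix}", strict=False)

def pick_pair(pool, rng=random):
    """Two idle, still-listed volunteers on different subnets, chosen at random."""
    idle = [b for b in pool if not b.busy and not b.delisted]
    rng.shuffle(idle)
    for i, a in enumerate(idle):
        for b in idle[i + 1:]:
            if subnet(a) != subnet(b):
                return a, b
    raise RuntimeError("no two idle builders on different subnets")

def verify_build(source, pool, trusted, rng=random):
    """Return (accepted_package, quarantined) for one source package."""
    a, b = pick_pair(pool, rng)
    out_a, out_b = a.build(source), b.build(source)
    if digest(out_a) == digest(out_b):
        return out_a, []              # both volunteers agree: accept
    ref = trusted.build(source)       # tie-breaker on the project-controlled machine
    bad = [(x, out) for x, out in ((a, out_a), (b, out_b)) if digest(out) != digest(ref)]
    for x, _ in bad:
        x.delisted = True             # one strike and out
    return ref, [(x.name, out) for x, out in bad]

def demo():
    # Constructed pool: v1 and v2 share a /24 and build honestly; v3 tampers.
    ok, bad = (lambda s: b"PKG:" + s), (lambda s: b"PKG:" + s + b"+extra")
    pool = [Builder("v1", "10.0.1.5", ok), Builder("v2", "10.0.1.9", ok),
            Builder("v3", "10.0.2.7", bad)]
    pkg, quarantined = verify_build(b"hello-1.0", pool, Builder("ref", "192.0.2.1", ok))
    return pkg, [name for name, _ in quarantined], [b.name for b in pool if b.delisted]
```

Two matching digests only show that both volunteers returned the same bytes, so the result is only as trustworthy as the assumption that the chosen pair is not controlled by one party.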

esbeeb
Posts: 124
Joined: Sun Feb 05, 2012 12:23 am

Re: Fedora Remix or Debian?

Sun Mar 11, 2012 7:18 pm

esbeeb said:


An appeal to "give back to Debian" is made on the front page of raspberrypi.org, by donating, or self-hosting a dedicated Raspberry Pi build machine.


I've been thinking through my idea (to use volunteers' self-hosted build machines) to make sure there were no possible ways to hack it. Each time I came up with a possible hack, I thought up a counter-hack. After several such hack-and-counter-hacks, I realized that my idea was getting way too complex, and furthermore, people might not trust it, no matter how clever it was. Furthermore, I realized that a "self-hosted" build machine would only be half as valuable (in this proposed scheme), compute-wise, as a "trustworthy" build server controlled by Debian. So I humbly withdraw this idea. My apologies. Next time I'll try to think things through more, before posting.

Having said that, perhaps there is still merit in the idea of making an appeal to the veteran Debian community to "give back to Debian", and "pay it forward, to a new generation of Debian users on the Raspberry Pi". Perhaps this plea could be hosted at a whole new dedicated website, or the Debian website itself (if raspberrypi.org won't announce it themselves, on the front page), and it would just collect monetary donations (through, say, PayPal, payable by credit card). Then Debian (or more specifically, the 4 Debian ARM key contributors) would decide how to spend the pooled funds, and where to host their own huge cluster of Raspberry Pis.

Much simpler!
