== Opportunistic and distributed infrastructure to build Debian packages into a web of trust==
Description of the project: Building packages on shared machines increases the risk.Currently Debian provides a single backport package selection and it is mainly driven by security concerns.
Building an opportunistic architecture in which we know what trusted computers are on-line, Debian developers may donate CPU cycles in order to build debian packages in their machines.
Sometimes users may require certain features which are only present in unstable or even in experimental. For example, a developer of the Orca library may require a bleeding edge ZeroC Ice package but there is no need to upgrade the whole system to unstable. Currently users may use apt pinning but this may lead to unexpected upgrades to some critical packages (libc, C++ compiler runtime libraries) and binaries may end up linked to different versions of the same library. Most often developers rebuild from the unstable or experimental source package in a stable pbuilder environment and create custom repositories.
This project aims at streamlining the process to prepare custom backports which are driven by user requirements rather than imposed policies. It may also be used to help Debian package building infrastructure.
- Major milestones of the project are:
- Design or reuse a P2P distributed architecture to donate computing power, issue package build requests, share packages built on a given environment, and monitor the processes. Reuse of existing BOINC style middleware may be difficult due to the need for a more complicated trust model.
- Develop build nodes based on virtual machines rather than chroot environments in order to allow easier availability management in a P2P environment (partial builds may be paused, resumed or even migrated to another compatible node). Besides, a single machine may be running several build nodes for different architectures.
- Design a trust model which may be acceptable to users and/or Debian Developers. It may still be based on GPG keyrings.
Confirmed Mentor: Cleto Martín
How to contact the mentor: email: firstname.lastname@example.org
Deliverables of the project: Distributed and opportunistic system to build tursted Debian packages.
Desirable skills: Knowledge of debian packaging, experience with distributed systems
What the student will learn: You will learn GPG, debian packaging, security, repositories.