Let's talk about yum and p2p in Fedora

Marko Vojinovic vvmarko at gmail.com
Sun Dec 26 19:40:11 UTC 2010


On Sunday 26 December 2010 18:19:22 S Mathias wrote:
> No port forwarding is needed in p2p (no need for open ports [? fixme]):
> http://samy.pl/pwnat/

While I find these ideas of NAT and firewall-piercing quite interesting, there 
is always a "but" somewhere --- in the pwnat case, it is a "but what if the 
ICMP is filtered?" (as it actually is for most NAT'd networks I've seen).

The only permanent solution to usability of p2p in general is IPv6, where all 
addresses will be public and thus accessible from outside. And IPv6 would fix 
other protocols broken by introduction of NAT, not just p2p stuff.

But until then, p2p can never be completely reliable/available to everyone, as 
http is now.

> Common sense: if I need to spread lots of files no matter small or big, to
> many-many-many-many PCs, then I would give a 10 Mbit line to the master
> server, and the remaining job is done by the people, so that in this way,
> they could contribute to the project.

Not everyone needs every file to update, so this will not scale as well as you 
might imagine. Also, with all the mirrors out there, I don't see much benefit 
in using p2p for updating.
 
> The Fedora installer could contain a question: how would you like to
> receive updates? [if e.g.: GNOME is installed, the updates would be
> "forced*", because it's likely not a server, just a desktop pc]

Forced? Why? I generally do a "yum update" only manually, and even then I 
inspect what is to be installed before I agree to proceed. And I'm a desktop 
user. No, you never want to *force* updates on people, it might break some 3rd 
party software they are maybe using. Think kernel updates and nVidia closed 
source drivers, as the most common example.

> - and the
> answers would be: by http or by p2p (or p2p with encryption)

Whereas only http is the protocol that can be assumed to be available 
everywhere and to everyone. The p2p solutions always rely on other ports being 
open, UDP/ICMP availability, etc.
 
> + if I go to the main website, and click "Get Fedora"
> 
> https://fedoraproject.org/en/get-fedora
> 
> it would need to accentuate the ISO download by torrent, not http, the
> servers would be way more "relieved", and ready for any expected, or
> unexpected loads (ddos, a version of Fedora is out, growing number of
> Fedora users).

Oh, my...

You surely missed an *insanely* big thread on this list, devoted precisely and 
exclusively to the *bitching* about removal of bittorrent links from the 
then-newly-designed "get fedora" website...

IIRC, Mairin Duffy was nearly crucified for removing the torrent link from the 
page. In a nutshell, the argument was that (according to statistics) only 
every fifth Fedora user actually uses torrent to download the .iso. The 
counterargument was that (again according to statistics) since there are cca 1 
million Fedora users out there, 200 thousand people just got screwed. The 
counter-counterargument was that people who know how to use torrent typically 
know how to use google to find the .torrent of the .iso, so no need for a link. 
The ccc-argument was that anyone with a clue what is an operating system could 
use google to find a Fedora .iso, so no need for a "get Fedora" page in the 
first place, which defeats the purpose... And so on and on, with a lot of 
tangent discussions and even more unrelated bitching about list etiquette 
etc... Look it up in the archives, if you are interested.

The whole thing was eventually resolved when Mairin gave in (based on some 
sound and friendly advice of other Fedora devs) and created a link for "other 
download methods, including torrents" and updated the website...

My point --- you don't want to open that topic again. ;-)
 
> I'm sure there would be many Fedora or other RPM based distribution users,
> who would happily seed the packages. Broadband connections, HDD's are
> cheap in 2011.

There are mirrors who happily do that right now via http, so I don't see any 
serious benefit.
 
> *by forcing I meant it should install updates without asking, the primary
> security relies on that the packages are up-to-date or not.

No, the primary security relies on the brain of the person using the computer. 

Automatic updates that leave the user out of the loop are known to be a Very 
Bad Idea (tm).

I've seen automatic updates breaking my own and other people's systems more 
often than I want to remember, and the whole thing can get pretty bad 
occasionally. Just think of a new kernel update which breaks the closed nVidia 
drivers (or sometimes open radeon drivers ;-) ), and similar problems that pop 
up every now and then. Really, you *don't* want enforced updates. The user 
*must* be given a choice whether to accept or not accept any individual 
package update, including security updates.

HTH, :-)
Marko



