im not pushing for p2p.. Just commenting on the fact that the security
model should hold up no matter what method is used for delivery. On
binaries or on source :D.


I feel exactly the same about p2p as you do.
This is a verry real thing in gentoo now, and is no different if the
trojan is in source or binary if you have no way to verify its source.
We have to assume that at some point this will happen, and have a system
that can easuly recover from it.

controll if through the keyring and keyservers. Its up to the user. If
the files are out in the wild with old invalid sigs It will not be
installed ( unless the user wants it that bad ) .. like i stated above
Im not pushing p2p but im Definatly pushing a security model that would
work in the p2p setting.

Remeber that a revocation isn't on a package, but on a key.. So even if
there out there with those bad sigs. It's still not "valid"

Just gonna add my thoughts. I have a feeling that p2p implementation will be
so much extra design, coding, and implementation getting it to work that it
should be put off for now. And I agree there should be an option to disable
the filesharing when p2p source file sharing is implemented. Being on dialup
I suffer whenever I have to upload a file. Normally I end up lagging out,
the file stalls, and all the time was wasted anyway. My internet connection
would be virtually unusable if multiple cable users tried to download X or
KDE from me (even in part). And they'd likely never know, and I wouldn't
have fun trying to figure out why google's front page takes 5 minutes to
load.

I would REALLY like to see binary packages available. Not for every package
in the tree, but the base install (X and a few common WM also) at the least.
Also it would be nice to have different CFLAGS for them. Again, not
everything. i586, Pentium2, and Athlon for x86 would make many people happy.
You can always run `nice -n 19 emerge -e world` in a screen or VC once you're
in X and going about your thing and want "better" CFLAGS and never notice
your box was working. A 6 hour base install on the average speed box is
enough to scare a lot of users away when they find out that's without Xfree.
Basically the run down of how I think things will/should/could look soon:
Stage1 - Build it all yourself.
Stage2 - You have a compiler and a few libraries.
Stage3 - Working Non-X box (sans kernel)
Stage4 - Working X box with your choice of WM available as a seperate binary
to keep the stage tarball size down (also no precompiled kernel)
Stage5 - Quick Install, bloated, bubblie crap that people new to the distro
want to give it a quick try. X, KDE/Gnome, desktop apps a plenty, prebuilt
modularized kernel. Basically whatever the devs can stuff in a 640/700MB
ISO.

Yes, the "stage5" I recommend will be very large and use up much bandwidth,
but most users will likely avoid ever downloading it. Only those that need
it to just get their box up and running quickly to try out Zynot (or whatever
it will be called then) will pick this install method. We could even look at
something like jidgo (which debian uses to make CD-r and DVD-r ISOs) to
create the "stage5" installer CDs on the fly from multiple source servers.
The problem with jidgo is its complicated usage. Ok I'm starting to rant,
so I'll stop on this unless anyone requests more out of me. :)

This is probably getting way off-topic, but the last thing I'd like to
suggest is a GUI installer. If anyone can point me to the right place to
read up and learn how to code widgets I'd like to get involved in a gtk2
installer project that will make people think they're installing something
officially better than RedHat because it's prettier and even easier ;) to
install.

--Will (Sif/SanityInFlux - if you didn't know)