Peer to Peer Development

GitTorrent (described on Advogato) is a really distributed version control system, based on Git and BitTorrent. It seems to hold the promise of:

  • Public keys (PGP) are used for authenticating changes
  • No central web site for a project
  • Easy forking of projects
  • Package and OS distributions without a central download location
  • A distributed mechanism for security and feature updates

The significance of all this is that it:

  • levels the playing field for individual developers and small groups
  • routes around censorship more effectively
  • allows end user to choose different views of the repository based on which developers they trust

H/T: Slashdot

I would suggest a further improvement – multiple signatures on sources and on binaries. This would greatly reduce the chance of Trojan binaries being installed on hundreds of thousands of computers next time that Canonical/Debian/RedHat distribution points are subverted by a black hat hacker. Binary signatures would require a repeatable transformation from source to binary – by fully specifying the compile tools and compilation environment and using specified values for timestamps.

Leave a Reply

Name and Email Address are required fields. Your email will not be published or shared with third parties.