IgnorantGuru's Blog

Linux software, news, and tips

Had A Gnuff?

Yesterday a reader dropped me a link to Gnuffy, which is an offshoot of Arch Linux started about three years ago. Looking over what has been accomplished with it thus far, I was very impressed with their ideas on expanding Arch (many already implemented), and it gave me a few new ideas of my own.

At this point Gnuffy appears to consist of a package manager called Spaceman and some user repositories. Gnuffy can use any of Arch Linux’s repos in addition to its own, and can use the standard PKGBUILDs in addition to its own improved version of PKGBUILD, which includes some Gentoo-style USE flags and other enhancements. Packages on Gnuffy’s repos are GPG signed with the key of the packager, and Spaceman checks signatures. Nice work! It was a bit like suddenly being transported into the future of Arch.

It’s hard to tell the current status of Gnuffy by looking over the modest Wiki. From what I saw, the Wiki hasn’t been updated since 2010, and some of the links are broken, yet others work. I tried their IRC channel – didn’t find any of the devs there but one person on the channel told me the project was still relatively active – “it has always been a small project”. From how things look, maybe they got it to the point where it did what they wanted, so development on it has slowed. It looks like a handful of people built the wiki over the last three years, and Spaceman seems to be a pretty well-developed bash script at 9,000 lines.

Their main wiki page states:

The Gnuffy project declared its aim [in] creating a free, community based linux distribution where everyone who has time and motivation can have a share. This looks like a matter of course for linux distributions but experience shows that, the more the community grows, the more conflicts arise concerning the direction which will be taken in the future – and now; and only a few people get the right to decide something. With Gnuffy we want to build a distribution without (with as little as possible) hierarchic structures.

Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, a light bulb which has so far been dim lit up for me. I could never understand Arch dev Allan McRae’s reluctance to just sign the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users’ security than have people abandon HIS project.

Either way, this also got me thinking about how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little more than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.

What is hard to duplicate in Arch is of course the great work the dev team puts into making the PKGBUILDs (which build the binary packages). Being rolling release, they have to wrestle with multiple library versions, etc. to keep it all running together smoothly – no small task. Arch isn’t just somewhat high maintenance from the users’ perspective, but for the devs as well (is this a drawback in terms of its viability long-term?). So duplicating Arch is hard. But extending it, if you use their core repos, is very feasible. In a sense Arch’s AUR does this as well. The proof of this is that you don’t even need to install Gnuffy separately – they have a script called Arch2Gnuffy that converts your Arch system to a Gnuffy system!

Gnuffy has other smart ideas. A bash package manager is very open – you can fix and modify it easily for your own purposes. Including GPG signatures in the repos is also ahead of mainstream Arch. The fact that Gnuffy depends on Arch’s repos is still a security weak point, as the Arch packages are not signed.

I noticed that Spaceman includes an up-to-date (as of today) package list which contains ALL Arch package names (from core repos, Gnuffy, AUR, etc), md5sums, and dependencies. It wouldn’t be a huge step for them to include sha256sums, then sign the database. Assuming they calculated the sums from a statistically verified mirror (using paccheck or similar), this would give their users a way to verify the authenticity of even Arch’s packages. They’re already about one step away from having a much more secure Arch distro than Arch mainstream.
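To make the two previous paragraphs concrete, here is an added example (my own sketch, not Spaceman or Gnuffy code) of a signed package database: a list of sha256 sums built on the packager's side and signed with GPG, which a client checks before trusting any of the listed packages. Package names, file contents and paths are constructed for the demo; gpg with a signing key is assumed only for the sign_db and verify_db_signature steps.

```shell
#!/bin/sh
# Added example, not Spaceman code: a signed package database as the post
# describes. Package names, contents and paths are constructed; gpg with a
# signing key is assumed for sign_db and verify_db_signature.
set -u

WORK=$(mktemp -d)
PKGDIR="$WORK/pkgs"
DB="$WORK/packages.db"

# Stand-ins for the mirror's package tarballs (constructed, not real packages).
make_sample_packages() {
    mkdir -p "$PKGDIR"
    printf 'constructed contents of foo\n' > "$PKGDIR/foo-1.0-1-x86_64.pkg.tar.xz"
    printf 'constructed contents of bar\n' > "$PKGDIR/bar-2.3-1-x86_64.pkg.tar.xz"
}

# Packager side: one "sha256  filename" line per package. The sums are only as
# trustworthy as the mirror they were read from; the signature vouches for this
# list, not for the mirror.
build_db() {
    (cd "$PKGDIR" && sha256sum ./*.pkg.tar.xz) > "$DB"
}

# Packager side: detached, ASCII-armoured signature with the packager's key.
sign_db() {
    gpg --batch --yes --armor --detach-sign --output "$DB.asc" "$DB"
}

# Client side, step 1: reject the database unless its signature verifies.
verify_db_signature() {
    gpg --batch --verify "$DB.asc" "$DB" >/dev/null 2>&1
}

# Client side, step 2: every package must match its signed sum (non-zero exit
# if any listed file is missing or altered).
verify_packages() {
    (cd "$PKGDIR" && sha256sum -c "$DB" >/dev/null 2>&1)
}

demo() {
    make_sample_packages && build_db
    if command -v gpg >/dev/null 2>&1 && sign_db; then
        verify_db_signature && verify_packages && echo "signature and sums OK"
    else
        verify_packages && echo "sums OK (gpg signing skipped, no gpg or key)"
    fi
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo`; the point is the order on the client side: a package is only trusted after the database signature verified and the package matched its listed sum.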

Anyway, my introduction to Gnuffy has opened up many ideas for how Arch can be extended, using mainstream Arch in a way similar to the way Ubuntu uses Debian – as a starting point, but with much less to change. I’m definitely going to look more into Gnuffy, and hopefully get in touch with the maintainers. This has also piqued my interest in what the other Arch-derived distros are up to.

You can check out the Gnuffy Wiki and their IRC channel is #gnuffy on Freenode. If anyone tries or has already tried Gnuffy, I’d love to hear your thoughts on it.

In case you’re just tuning in, some of this, particularly the package signing, is related to Arch’s Dirty Little Not-So-Secret and The Forbidden Subject.

March 19, 2011 - Posted by | Tips

10 Comments

  1. “fear of competition”

    Do you honestly think Gnuffy is competition to Arch?

    “everyone who has time and motivation can have a share”

    That's a familiar scenario as well. What is your share? Ranting?

    Comment by chris | March 19, 2011

  2. You might want to know that you come across as petty and obsessed.

    Comment by ryan | March 19, 2011

  3. The two posters above me “might want to know” that they come across as naive and oblivious to the severity of the gaping security flaw that has plagued Arch for years. ;-)

    Comment by Isaac | March 20, 2011

  4. What? Signing the Arch package database would be competition for Arch? How does that make sense?

    Comment by Ariszló | March 20, 2011

    • It doesn’t, it’s irrational – that’s the point. At least that’s the most plausible explanation I’ve found for their motivations (and believe me, people are irrational, especially when it comes to their politics and such – if you think Linux development is all logic and no emotional irrationality, guess again!) Other Arch-based package managers were in fact brought up several times in discussion, but I didn’t make the connection. But knowing their motivations doesn’t change much either way – it was just an ‘ah ha’ breakthrough moment for me, after weeks of discussing this with them and finding their behavior inexplicable. Ego I can believe. The puzzle piece fit.

      Comment by igurublog | March 20, 2011

  5. I’m still on Gnuffy and everything’s working grand. Just getting used to how it does a few things, like the different option syntax for spaceman and how spaceman treats conflicting files.

    While pacman would either yell that it can’t upgrade because a file that doesn’t belong to any package conflicts with the package it’s about to install, spaceman instead asks which files you want to not change ownership to the package you’re going to install.

    Since I somewhat didn’t pay attention on the upgrade of some Arch packages, I didn’t catch a glimpse of how it upgraded those. However, I did manage to see spaceman upgrading itself, which is when it offered me to see if there are files I want to preserve. Since it was an upgrade, I chose to let it overwrite what files it needed.

    While I do find it a bit weird that it doesn’t offer to remove the package that’s about to be overwritten before asking which files to overwrite, there are merits to how each of these handle the conflicts. I’ll probably hack the package removal offering some next month.

    A big plus for me is how easy it is to set up a repo and how it’ll allow you to sign packages you forgot to sign before it gets published (which is very convenient if you decide not to let spaceman auto-correct the dependencies you placed on the PKGBUILD).

    Comment by Anonymous | March 20, 2011

    • Thanks for the summary – sounds great. How cool is a package manager in bash, so you can customize it so easily?! If I keep using Arch, I will probably migrate to Gnuffy.

      Comment by igurublog | March 20, 2011

  6. Weird, those stalking Arch fanboys.

    Very interesting this info, about Gnuffy, thanks, never heard of them before. Please keep us further informed about your explorations.

    Comment by Paul | March 20, 2011

  7. First experiences with gnuffy’s infrastructure:

    * no mailinglist
    * link to bugtracker is broken

    hmmm

    Comment by silvio | March 24, 2011

    • Yeah, it appeared to me this is a small project which has slowed down the last few years, probably because they got Spaceman to do what they wanted. From what I understand it’s still somewhat active though, so you might catch up with the devs on #gnuffy (Freenode IRC). I haven’t had a chance to look into it further, but I liked what I saw in Spaceman’s approach.

      Comment by igurublog | March 24, 2011
