Had A Gnuff?
Yesterday a reader dropped me a link to Gnuffy, which is an offshoot of Arch Linux started about three years ago. Looking over what has been accomplished with it thus far, I was very impressed with their ideas on expanding Arch (many already implemented), and given a few new ideas of my own.
At this point Gnuffy appears to consist of a package manager called Spaceman and some user repositories. Gnuffy can use any of Arch Linux’s repos in addition to its own, and can use the standard PKGBUILDs in addition to its own improved version of PKGBUILD, which includes some Gentoo-style USE flags and other enhancements. Packages on Gnuffy’s repos are GPG signed with the key of the packager, and Spaceman checks signatures. Nice work! It was a bit like suddenly being transported into the future of Arch.
It’s hard to tell the current status of Gnuffy by looking over the modest Wiki. From what I saw, the Wiki hasn’t been updated since 2010, and some of the links are broken, yet others work. I tried their IRC channel – didn’t find any of the devs there but one person on the channel told me the project was still relatively active – “it has always been a small project”. From how things look, maybe they got it to the point where it did what they wanted, so development on it has slowed. It looks like a handful of people built the wiki over the last three years, and Spaceman seems to be a pretty well-developed bash script at 9,000 lines.
Their main wiki page states:
The Gnuffy project declared its aim [in] creating a free, community based linux distribution where everyone who has time and motivation can have a share. This looks like a matter of course for linux distributions but experience shows that, the more the community grows, the more conflicts arise concerning the direction which will be taken in the future – and now; and only a few people get the right to decide something. With Gnuffy we want to build a distribution without (with as little as possible) hierarchic structures.
Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, a light bulb that had so far been dim finally lit up for me. I could never understand Arch dev Allan McRae’s reluctance to just sign the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users’ security than have people abandon HIS project.
Either way, this also got me thinking about how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little more than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.
What is hard to duplicate in Arch is of course the great work the dev team puts into making the PKGBUILDs (which build the binary packages). Being rolling release, they have to wrestle with multiple library versions, etc. to keep it all running together smoothly – no small task. Arch isn’t just somewhat high maintenance from the user’s perspective, but for the devs as well (is this a drawback in terms of its long-term viability?). So duplicating Arch is hard. But extending it, if you use their core repos, is very feasible. In a sense Arch’s AUR does this as well. The proof of this is that you don’t even need to install Gnuffy separately – they have a script called Arch2Gnuffy that converts your Arch system to a Gnuffy system!
Gnuffy has other smart ideas. A bash package manager is very open – you can fix and modify it easily for your own purposes. Including GPG signatures in the repos is also ahead of mainstream Arch. The fact that Gnuffy depends on Arch’s repos is still a security weak point, as the Arch packages are not signed.
I noticed that Spaceman includes an up-to-date (as of today) package list which contains ALL Arch package names (from core repos, Gnuffy, AUR, etc.), md5sums, and dependencies. It wouldn’t be a huge step for them to include sha256sums, then sign the database. Assuming they calculated the sums from a statistically verified mirror (using paccheck or similar), this would give their users a way to verify the authenticity of even Arch’s packages. They’re already about one step away from having a much more secure Arch distro than Arch mainstream.
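To make the idea in the last paragraph concrete, here is a small sketch of the verification flow a client would run against a signed package list with sha256sums. It is my own added example, not code from Spaceman or Gnuffy: the package names, the one-line-per-package database format, and the demo signing key are all made up for the example, and an HMAC over the database stands in for the detached GPG signature a real repo would use, so that it runs offline. The order of the checks is the point: the database signature is verified first, because the sums are only worth anything if they came from the packager, and md5-only entries are treated as unverified rather than trusted.

```python
import hashlib
import hmac

# --- Constructed sample data (not from Gnuffy or Arch) -------------------
# The packager's verified mirror copy of each package. Real packages are
# tarballs; short byte strings keep the example self-contained.
MIRROR_PACKAGES = {
    "foo-1.0-1": b"foo package contents v1.0",
    "bar-2.3-1": b"bar package contents v2.3",
}
# Hypothetical signing key for the HMAC stand-in (a GPG key pair in reality).
DEMO_KEY = b"demo-database-signing-key"

# Only these hash algorithms are accepted as an authenticity check.
STRONG_ALGOS = {"sha256"}


def build_db(packages, algo="sha256"):
    """Packager side: one line per package, 'name|algo|hexdigest', with the
    sums computed from the packager's verified copy of the mirror."""
    lines = []
    for name, data in sorted(packages.items()):
        digest = hashlib.new(algo, data).hexdigest()
        lines.append(f"{name}|{algo}|{digest}")
    return ("\n".join(lines) + "\n").encode()


def sign_db(db_bytes, key):
    """Stand-in for a detached GPG signature: HMAC-SHA256 over the exact
    bytes of the database. The client-side logic is the same for a real
    asymmetric signature; only the primitive differs."""
    return hmac.new(key, db_bytes, hashlib.sha256).hexdigest()


def verify_db_signature(db_bytes, signature, key):
    """Client side, step 1: accept the database only if the signature over
    the bytes actually received checks out (constant-time compare)."""
    return hmac.compare_digest(sign_db(db_bytes, key), signature)


def parse_db(db_bytes):
    """Client side, step 2: parse the signed text into name -> (algo, digest)."""
    entries = {}
    for line in db_bytes.decode().splitlines():
        if not line.strip():
            continue
        name, algo, digest = line.split("|")
        entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_package(name, pkg_bytes, entries):
    """Client side, step 3: a downloaded package is acceptable only if it is
    listed in the signed database, the listed sum uses a strong hash, and
    the sum of the downloaded bytes matches. Returns (ok, reason)."""
    if name not in entries:
        return False, "not in signed database"
    algo, expected = entries[name]
    if algo not in STRONG_ALGOS:
        # An md5-only list (what the post says exists today) is not an
        # authenticity check: md5 collisions are practical, so treat the
        # entry as unverified rather than as proof the package is genuine.
        return False, f"weak hash ({algo}) in database"
    actual = hashlib.new(algo, pkg_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"


def check_downloads(db_bytes, signature, key, downloads):
    """Whole flow: signature first, then per-package sums. If the database
    signature fails, nothing is trusted, because the sums themselves came
    from that database."""
    if not verify_db_signature(db_bytes, signature, key):
        return {name: (False, "database signature invalid") for name in downloads}
    entries = parse_db(db_bytes)
    return {name: verify_package(name, data, entries)
            for name, data in downloads.items()}


if __name__ == "__main__":
    db = build_db(MIRROR_PACKAGES)
    sig = sign_db(db, DEMO_KEY)
    # Downloads from an untrusted mirror: one intact, one tampered, one unknown.
    downloads = {
        "foo-1.0-1": MIRROR_PACKAGES["foo-1.0-1"],
        "bar-2.3-1": MIRROR_PACKAGES["bar-2.3-1"] + b" plus injected bytes",
        "baz-0.1-1": b"package nobody signed for",
    }
    for name, (ok, reason) in check_downloads(db, sig, DEMO_KEY, downloads).items():
        print(f"{name}: {'OK' if ok else 'REJECT'} ({reason})")
```

Running it shows the three outcomes a package manager needs to distinguish: an intact package passes, a package altered on the mirror fails on checksum, and a package the packager never listed is rejected outright. Swapping in `gpg --verify` for the HMAC stand-in and a real sha256 column in the Spaceman list is all that separates this sketch from what the paragraph above proposes.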
Anyway, my introduction to Gnuffy has opened up many ideas for how Arch can be extended, using mainstream Arch in a way similar to the way Ubuntu uses Debian – as a starting point, but with much less to change. I’m definitely going to look more into Gnuffy, and hopefully get in touch with the maintainers. This has also piqued my interest in what the other Arch-derived distros are up to.
You can check out the Gnuffy Wiki and their IRC channel is #gnuffy on Freenode. If anyone tries or has already tried Gnuffy, I’d love to hear your thoughts on it.