Public Software Fund's First Project

Russ Nelson writes "The Public Software Fund's first project has been funded for two months worth of development. Tom Jennings (of Fidonet fame) will be writing software to do peer-to-peer file sharing of free software RPM packages, improving the existing free software packages up2date, /current/, and BitTorrent. This will keep new distro releases from being slashdotted."
  • Finally... (Score:2, Insightful)

    by URoRRuRRR ( 57117 )
    The perfect chance for P2P to redeem itself from being labeled as illegal activity only. Unfortunately, it won't appeal to 90% of users, so it won't. The idea is still nice.
  • Story I submitted that got rejected follows. Yeah, it's off-topic. Bite me.

    The New York Times tells us (after we register for free) that Gnutella developer Gene Kan has committed suicide. Let's see, he was young (25) and just over a year ago saw the company he started bought by Sun Microsystems. It would be wrong to jump to conclusions here. It would also be wrong to not start asking questions.
  • by buzzbomb ( 46085 ) on Thursday July 11, 2002 @01:46AM (#3862631)
    If I'm not mistaken, N'Sync has a little-known song named "apache.tgz". Also, Britney has done "kernel-2.4.19.tgz".

    Oh, it was a nice idea while it lasted.

  • flash crowd? (Score:5, Interesting)

    by ceejayoz ( 567949 ) on Thursday July 11, 2002 @01:51AM (#3862649) Homepage Journal
    The "slashdotted" link has an interesting link about another name for the /. effect... the "flash crowd"

    Larry Niven's 1973 SF short story "Flash Crowd" predicted that one consequence of cheap teleportation would be huge crowds materializing almost instantly at the sites of interesting news stories. Twenty years later the term passed into common use on the Internet to describe exponential spikes in website or server usage when one passes a certain threshold of popular interest (what this does to the server may also be called slashdot effect).
  • If the RIAA/MPAA hears about this, we're doomed. Not only will they accuse people of "stealing" copyleft material. It's free, as in beer, you can't steal it. This is what P2P was meant for. Let's hope that this takes off.
  • Redhat (Score:4, Interesting)

    by Snoopy77 ( 229731 ) on Thursday July 11, 2002 @01:55AM (#3862671) Homepage
    Before everyone starts screaming, "Why only development for Redhat!" you may note that John Gilmore (evidently a Redhat guy) donated the money for this project. I don't know why Redhat didn't just hire the guy.
    • I don't know why Redhat didn't just hire the guy.

      My best guess is Public Relations: free Slashdotting and an even open-friendlier image. Red Hat wouldn't get to show off quite as much if they just put another employee behind their doors.

    • As far as I can tell, there's nothing Red Hat specific about the project. Linux clients not already using up2date can, as far as I see it, still install up2date and use Current servers to provide their packages rather than Red Hat Network.

      Linux clients who can't install RPM packages (there aren't many) aren't compliant with the Linux Standard Base.
    • Well, I suppose they could be sharing debs as well as RPMs. But if the whole point is to avoid instant slashdotting of new releases, there's not much point... it couldn't really be argued that debian collapses when a new release comes out, for the simple reason it's not there for a couple of months.

      I love debian.
    • He founded Cygnus, which was the leading free software developer until they were bought by RedHat for $600 million. I doubt Gilmore needs a job now.
      • He didn't need a job before considering the fact that he was the fifth employee of Sun Microsystems. He made a killing from the stock he had and used that to start up a lot of different things including Cygnus.
  • This sucks (Score:2, Troll)

    by aminorex ( 141494 )
    Why don't they fund the original authors and contributors to provide the desired enhancements instead of locking them out? Sure. Screw the innovators and featherbed your pals. This is just corrupt, and there's no way any of my companies will be contributing to that fund. Cronyism pretending to be public service. Pffft.

    • Could you elaborate? I'm fairly interested in this, but no links to what you mention.

      • Re:This sucks (Score:1, Informative)

        by Anonymous Coward
        Bram Cohen is the (broke) author of BitTorrent, but instead of hiring him to do this project, they hired somebody else.
    • Original authors??

      Last time I checked - RPM stands for "Red hat Package Management" - so should John Gilmore (from Red Hat) pay Red Hat? ;)
      • Last time I checked - RPM stands for "Red hat Package Management"

        Actually, RPM stands for RPM Package Manager. I forgot where I first saw this referenced, but here is a Google cache of a mailing about the name.

    • Re:This sucks (Score:3, Informative)

      by vidarh ( 309115 )
      Have you even read their pages? The donor gets to decide who will do the work. This is just a way for private individuals to hire someone to do open source development work and be able to deduct it from their taxes.

      If you want the original authors to make money, donate money and specify who you want to do the work.

      • So it's a tax cheat? A way to avoid paying payroll taxes to your employees by funnelling the funds through a non-profit?
        • No. You would not be able to use this for employees. You could use it for contractors though, but as they point out a business wouldn't save anything doing that as they are taxed on profit, and paying a contractor will reduce your profit, reducing your tax bill regardless.

          The purpose is to let individuals enjoy the same kind of tax benefit. Employees are taxed on earnings, not on profit, so if you hire someone to work on open source for you directly it won't affect your tax bill. But if you donate the money to a non-profit that hires the person for you, you can reduce your tax bill.

          Considering that this is all within the law, and that it is up to the IRS whether or not to accept the validity of what they are doing for the purpose of tax exempt status, calling it a "tax cheat" is certainly not fitting.

          This is exactly the same way you can indirectly hire a pastor through a church by donating money, and reduce your tax bill by doing so.

          It's all explained on their pages, linked to from the article - why not read them?

  • Tom Jennings (Score:5, Informative)

    by Pathwalker ( 103 ) on Thursday July 11, 2002 @02:09AM (#3862714) Homepage Journal
    He has done a lot more than FidoNet - take a look at some of the artwork he's done recently. (I suggest taking a look at the Story Teller - very very cool...)

    He also has lots of info on Nixie tubes and builds some cool looking clocks with them (to tie into the earlier /. articles on nixie clocks from a few months back).
    • Don't forget TLG - he helped break the back of the original closed internet run by the big boys by helping make it possible for people to resell packets, which led to the mom&pop ISP and lots of little customers rather than a few big ones, which had been the 'net biz model up until then.
      And of course one mustn't forget the WPS toilet-cam maybe one of the first web-trolls
  • You can help! (Score:4, Interesting)

    by PureFiction ( 10256 ) on Thursday July 11, 2002 @02:12AM (#3862722)
    We are currently running a BitTorrent load test at: []

    If you would like to help out an open source content distribution network we would greatly appreciate it!
    • by Anonymous Coward
      I like the idea about the porn downloads. To tell the truth, I was going to file the page in the back of my brain until I saw that. :)

      We are *so* gullible. :) It's kind of cruel to post free porn on Slashdot, especially when it is available via a system that provides fast downloads to everybody. So you can't say "Oh, well I bet it'll be Slashdotted."

      Interesting marketing tactic, too! ++ for that. :)
    • Free Porn (Score:3, Informative)

      by SeanTobin ( 138474 )
      OMG. It really is porn. I figured it'd be a huge advertisement for them or something. Thumbs (yes, thumbs) up to BitTorrent for actually putting some truth in advertising.
    • Hahah. What a great idea.

      "Hmmm, how can we get at least 100 people to download a file at once?" "I know, let's offer them free porn!"

      Seems to have worked, since I'm getting a whopping 1.5k/b a second....
    • Cool stuff. I got 500-1000kbytes/sec download rate and 150-200kbytes/sec upload.
    • I peaked at 620K BYTES per sec on my cable modem!
      Nearly 5 megabits per sec! Yahoo!

      This program ROCKS!
      And thank you Cablevision! :)

      After it completes downloading it leaves up the window with a "finnish" button and keeps uploading to other people. Just leave it up while you watch the movie and you improve other people's download speeds :)

  • I love open-source...
    sed 's/\.rpm/\.mp3/g' *.c
  • What does the packaging format have to do with p2p ?

    The required metadata fields to uniquely identify a package (i.e. package name and version) are similar in all packaging schemes.

    The only significant bit that would be distribution dependent would be dependency handling.
    • I would think that if you don't want to get some modified trojan package, that there would be some authentication or 1 way hash matching... it would have to be integrated into the package itself... i would think
      • No, each package (of any type) has a md5sum which is authenticated against the md5sum provided by a gpg signed list of package md5sums
  • From PubSoft's funding page:

    "Our funding comes from the public. From people like you, who would like to see more and better freely available software.

    We have received our first donation, of $35,000, from John Gilmore. Will you be next? He is funding Tom Jennings to work on peer-to-peer sharing of free software RPMs."

    I don't know about the typical public software user, but I don't have $35K to spend. On the other hand, I don't need any software that I don't already have. The $35K donation does not come from a typical user and I would hardly call the project typical. Anyway, it will be fun to see if PubSoft's idea catches on.

    • Who said it had to be large sums of money?

      All Pubsoft is offering is to handle some issues and concerns that come up in regards to dealing with donations to sponsor OSI compliant work. Like how do you know the developer does the work they are paid for...etc..

      The following is such a situation where the "how" to make this happen hasn't been figured out (should the developer be offered the 550 Euro).

      But here is the solution with PubSoft!!

      BTW: this is NOT me though I have offered some. AROS is an Open Source Amiga Clone project that is almost at the 80% done mark. But it's intended to be better than AmigaOS, and portable. See AROS @ Sourceforge

      I have two months of free time this summer, which I would love to spend on coding for AROS or AWeb Open Source. The problem is that I have to pay my bills, and therefore I would need to get some temporary job. This of course means there would be very little time to code on those projects... :-/

      The solution to this would be if someone (or some group of people) were willing to sponsor me for coding on AROS or AWeb one month or two. I don't ask for much money, just enough to pay my bills and to buy food. For that I would code 60 hours / week, that is more than fulltime. In total, this would mean around 240 hours of work going into AROS or AWeb in a month, to improve any part you (the sponsor) wants me to.

      You can find more information at:
      AROS or AWeb Sponsoring
      • Easy Money (Score:2, Informative)

        Assuming you have had a job for some of this year - You probably have all the funding you need waiting for you at the IRS.

        If you create a "work of art", have it appraised by an expert, print it on paper, and donate it to a non-profit organization. That org can issue you a tax deduction.

        Tax Deductions are worth n+n^2 face value where n is your income tax rate. Say you were at the 50% rate - the Tax Deduction you receive for your artistic contribution to AmigaOS would be 75% of the Appraised Value. I doubt many programmers get 75% of the selling price of their software - so it's really a generous deal.

        See IRS Document 561 for official details on donating "Works of Art".

        It's true the document doesn't break down "Works of Art" into Books, vs Photographs, vs Original Van Gogh vs, Compiled works of highly mathematical precision, but Art is a big tent, and Software is as like art as anything else.

        IANAL/CPA But what an easy place to find the money you need to complete that OS! And We the People will both benefit and pay.


    • Re:On funding (Score:3, Informative)

      by Russ Nelson ( 33911 )
      If you donate $10 to this project, all of it goes to paying Tom to work that much longer on it. Even $10 will help.
  • lookie here.

    now... if you just bounced onto that company online -- what goes on in your mind?
    1) public fund open source software company
    2) beer related software company
    3) beer

    my reaction was somewhere between 2 and 3 above, leaning strongly toward 3...

  • I do work for a company that donates significant (and published) portions of its sales (mostly Open Source compatible computer hardware) to Open Source projects and organizations of the user's choosing.
    For more information, check Open Soars
  • by Anonymous Coward
    I think this program is a really great concept... I eagerly downloaded the client and started the download of the test file, when I was quickly reminded of what ruins every P2P program I've tried. As soon as people start downloading from me, my incoming connection grinds to a halt. It literally just took me 5 minutes to get back to this page in order to write my reply. Once all of my upstream bandwidth is used, my download speed drops to almost nothing, leaving me with virtually no connection the entire time I'm trying to download whatever it is I'm getting, which takes even longer because my connection is so slow. Isn't there any way to make P2P software play nice with the connection and only use the unused outgoing bandwidth?

    Posting as AC because I'm too lazy to login...
    • As soon as people start downloading from me, my incoming connection grinds to a halt.

      This is a good point, especially with highly asymmetric systems like cable connections (asymmetry can be as high as 1:40 on these beauties). Some of the uplink capacity is needed for TCP protocol acknowledgement packets. If the uplink becomes congested, the downlink clogs down as well.

      Isn't there any way to make P2P software play nice with the connection and only use the unused outgoing bandwidth?

      It's possible but it requires support from the OS. A quality-of-service implementation like DiffServ can help solve the problem. Packets belonging to the P2P traffic could be assigned to the lowest service class so that precedence is always given to other traffic.
    • Erm... I don't know about you but when I'm running ed2k and tell it that its max upload limit is 19kbyte/sec then its upload limit is 19kbyte/sec and nothing more. Granted, it will sometimes peak over the given limit a little, so I just subtract another kbyte/sec to get the 'reserved upload capacity' that I need for browsing et al...
    • Run Linux and shape your traffic so that an upload can't eat _ALL_ of your outgoing bandwidth.

      See wondershaper for a semi user friendly script and the Linux Advanced Routing & Shaping HOWTO for docs if you want to tweak it.

  • by Anonymous Coward
    Using the standard client-server system for file transfers, only the server (ie those producing cheap software) and the client (ie those consuming cheap software) suffer from poor transfer speeds when a popular file is released. Using a peer-to-peer system, everyone suffers, (since the system is distributed amongst every peer) including those who could not care less about the hot new apache patch. I don't feel it is fair for the rest of us to suffer to support linuz dorks.
  • What's the point? (Score:4, Informative)

    by chris_sawtell ( 10326 ) on Thursday July 11, 2002 @05:53AM (#3863164) Journal
    BitTorrent works absolutely perfectly.
    Somebody has more money than sense. Just reward the BitTorrent author, if you want to splash money around.
  • It's nice and all to have a P2P RPM network, but the money would have been better spent improving RPM's.

    RPM's need to be made far more granular; this would sort out all those evil dep problems which in my experience are:
    RPM X requires RPM's A B C D E .... P to be installed where RPM's D-P are obscure features that no-one ever uses.

    Now if all RPM's were in nice sized chunks you would only have to install the chunk you wanted/required. This would keep the install base down, and force packagers/programmers to do things in a nice modular way.

    Also... Why can't I use source RPM's that optionally compile themselves after install...

    Why don't RPM's seem to be signed!!!

    RPM's should have "where can i get updates / security patches etc.. from" properties.

    Now if they sorted that out then maybe you wouldn't need each distro to build their RPM's and each RPM to be so huge and bloaty (especially when you take deps into account!!)

    • I agree, without signed packages and verification this could turn into quite a security breach.

      Installing unknown binaries from a random source is BAD
  • I had my first kernel panic in a production server last week. The system ran fine for nearly a year, within a week of running up2date, and having it automatically building a new kernel, I got a kernel panic in the middle of the night.

    So far no problems with packages, just build your kernel yourself!

  • Distributing software via p2p-network is.. umh.. dangerous. Without crc/md5-sum/hash/whatever authentication the user can not be sure what he/she has downloaded. And installing that kind of binary, no way Jose. And even with hashes the user must verify the binary. How many of us (and what about the rest of the world) have strength enough to verify every binary? Well, great way for distributing trojans and viruses.
    • exactly what I was thinking... great point. if i had mod points i would have given you one.

    • Not necessarily.

      Let's say that your ".torrent" control file (which you download through traditional means) contains a md5sum for the entire file -- and perhaps another for the list of block sums (or that could be in the file directly). Your downloads are thus checked, and no network corruption can occur.

      I'll bet dollars to doughnuts that BitTorrent does some form of verification not entirely unlike what I mention here.
      • Yes yes, but one must download the ".torrent" file beforehand. That is not a big problem for me, but I know many people who directly open every email attachment, without virus scanning it first. I never ever do that. So how many check that ".torrent" before installing the binary. Those binaries can not carry a ".torrent"-file or url or location to it, because it can be manufactured also. Maybe if the user first downloads the binary file's index number or some identification (generated randomly by the distributor) and ".torrent", then searches for the binary by its identification number.
        • Putting safeguards in the .torrent file is entirely effective as far as one understands its goal -- which is to say, making downloads as secure as they would be via a traditional (non-P2P) download of the whole file. Presuming presence of the above-mentioned safeguards, corruptibility of the .torrent file in a BitTorrent-based distribution system is effectively equivalent to corruption of the entire download in another system -- they have the same risks, same difficulty levels, &c. If downloading the file via traditional HTTP is considered an acceptable risk, so must be a similar BitTorrent-based download.

          That is to say: If people don't check where they get the .torrent file that downloads their installer from, they wouldn't check where they get their installer from otherwise; the risks are equivalent.
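The two checks these replies describe (a signed list of package sums, and whole-file plus per-block sums in the control file) written out as an added example; this is not code from the thread, BitTorrent or up2date. The manifest layout, the package names and the HMAC that stands in for a GPG detached signature are all constructed assumptions.

```python
"""Verify a peer-downloaded package against a signed manifest of digests.

Constructed example: the publisher signs a manifest listing, per package,
its size, its whole-file SHA-256 and a SHA-256 per fixed-size block. The
client checks the manifest signature first, then each block as it arrives,
then the whole file. HMAC-SHA256 with a shared key is an assumption standing
in for the GPG signature; real deployments would verify a detached signature
against the distributor's public key instead.
"""
import hashlib
import hmac
import json

BLOCK_SIZE = 16                               # tiny blocks keep the sample small
SIGNING_KEY = b"constructed-publisher-key"    # placeholder for the GPG key


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> dict:
    """Publisher side: digest each package and each of its blocks, then sign."""
    entries = {}
    for name, data in packages.items():
        blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        entries[name] = {"size": len(data), "sha256": sha256(data),
                         "blocks": [sha256(b) for b in blocks]}
    body = json.dumps(entries, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_manifest(manifest: dict) -> dict:
    """Client side: refuse to trust any digest until the signature checks out."""
    expected = hmac.new(SIGNING_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise ValueError("manifest signature mismatch")
    return json.loads(manifest["body"])


def bad_blocks(entry: dict, data: bytes) -> list:
    """Indices of blocks whose digest differs from the manifest (re-fetch these)."""
    return [i for i, want in enumerate(entry["blocks"])
            if sha256(data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) != want]


def verify_package(manifest: dict, name: str, data: bytes) -> tuple:
    """Return (ok, bad_block_indices); install only when ok is True."""
    entry = verify_manifest(manifest)[name]
    bad = bad_blocks(entry, data)
    ok = not bad and len(data) == entry["size"] and sha256(data) == entry["sha256"]
    return ok, bad


# Constructed sample packages (names and contents are made up for the example).
PACKAGES = {"hello-1.0-1.i386.rpm": b"A" * 40,
            "kernel-2.4.19-1.i386.rpm": bytes(range(50))}
MANIFEST = build_manifest(PACKAGES)


def demo() -> dict:
    """Three cases a client meets: intact file, tampered block, forged manifest."""
    name = "kernel-2.4.19-1.i386.rpm"
    good = PACKAGES[name]
    tampered = good[:20] + b"\xff" + good[21:]          # one byte altered in block 1
    # An attacker who alters the digest in the manifest breaks its signature.
    forged = dict(MANIFEST, body=MANIFEST["body"].replace(sha256(good), sha256(tampered)))
    results = {"intact": verify_package(MANIFEST, name, good),
               "tampered": verify_package(MANIFEST, name, tampered)}
    try:
        verify_package(forged, name, tampered)
        results["forged_manifest"] = "accepted"
    except ValueError as err:
        results["forged_manifest"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```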
  • What about the mnet project? Although in an early phase it should be quite useful for things like this.
    Files are split up into pieces and published over a lot of hosts, and when you download something you query the nodes closest to you. Should they not have the file but notice that a particular block is in high demand they contact other nodes and get that block so that data that's in high demand is moved to where the demand is.

    It looks quite interesting. There is a win32 package available for download that's functional but not good, and it's quite simple to get it from the cvs and compile it for your favorite platform.
    I think there is a new release in the near future.


  • I had the same idea some time ago. I had actually started to look closely at an open source napster like server, so I could change it to exchange RPM's.

    But then i switched to debian and concluded that there was no need for such a system.

    Debian rocks.

  • up2date (Score:3, Interesting)

    by OpenMind(tm) ( 129095 ) on Thursday July 11, 2002 @09:05AM (#3863636)
    I may be wrong, but it seems to me that up2date in its current form is hopelessly married to Red Hat's services, and not a generally applicable piece of software. If I am correct about this, I can hardly see it as a free software victory when development money is going to improve such a limited and vendor specific program. The most obvious effect of this development would be to take the demand off of RedHat's servers, and put it on those of its users. A shrewd technique, but not exactly a public service. BitTorrent development from this project might well be a great help to the community, however.
    • That's what current does - it allows you to separate up2date from Red Hat itself. Nobody's done it that I know of, but I don't know why Suse or Mandrake distros wouldn't work with up2date/current.

      If you do get it working with one of the other distro's, let me know - I'm the original author of current.
  • Which methods are there to allow such a network to deal with the possibility of an attacker who makes compromised RPMs available? P2P package sharing seems to be a brilliant idea (and a very good use for P2P), yet I'm not quite sure how that security problem could be dealt with. One possibility could be to have the system compare MD5 checksums of P2P-downloaded packages with the official ones -- but that has the problems that the user also needs to get a MD5 checksum of the official package, and that it's likely that the packages distributed on a P2P package network wouldn't all have official counterparts (homegrown packages, etc.).

    Note: I'm not very familiar with how RPM packaging works in the first place, as I have mainly used dpkg and various source package managers. (swpkg, depot, graft, etc.)

  • This is how it is supposed to happen. Independent concerns helping fund Open Source projects they are interested in. Simple, plain, nothing more to say.
  • by Orasis ( 23315 ) on Thursday July 11, 2002 @11:45AM (#3864565)
    Another complementary project in progress is the Open Content Network

    The OCN provides an important piece of the puzzle with its metadata proxy servers. These servers automatically generate the verification information (SHA-1 hashes) necessary to perform secure P2P downloads.

    It would be nice if this project leveraged the significant amount of work going into the OCN to provide a standard way to securely deliver any open source content across peer-to-peer networks.

    Check out the OCN specifications here.
  • peer-to-peer is a lovely idea, but without authentication it quickly becomes a cesspool.

    every up2date client has a certificate to authenticate the connection (to redhat) and a GPG public key to verify each package; you can reasonably assume the packages are what they claim to be.

    gnutella (et al) vs. up2date: which do you trust to find (RedHat) kernel updates?

    bittorrent minimizes the 'slashdot effect', and it's our intent to build it in.

    combined, this hopefully makes distribution of RPMs pretty nice, and a good starting point for a more general file distribution system.

    one step at a time, no pushing please.


    PS: no thing solves all problems.
