Re: Results of the meeting in Helsinki about the Vancouver proposal
On Mon, Aug 22, 2005 at 12:52:06PM +0200, Sven Luther wrote:
> On Mon, Aug 22, 2005 at 11:51:55AM +0200, Aurelien Jarno wrote:
> > Sven Luther wrote:
> > >All packages should be built by official debian buildds anyway, not on
> > >developer machines with random cruft and unsecure packages installed, or
> > >even possibly experimental or home-modified stuff.
> >
> > What about packages built on developer machines, but using the same
> > software as on the official debian buildds? I mean using sbuild in a
> > dedicated chroot. I sometimes do that for my packages when buildds are
> > lagging or when a package fails to build because of missing dependencies.
>
> Should be ok, but the security level would still be higher using only official
> buildds and centrally controlled.
Really? The maintainer can still embed "rm -rf /" in the postinst either
way. We need to be able to trust developers.
Similarly, sponsored packages should be rebuilt because the project
hasn't decided to officially trust those contributors.
Hamish
--
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>