Re: buildd hosts
On Thu, Apr 26, 2001 at 11:15:50AM -0700, Mike Fedyk wrote:
> On Thu, Apr 26, 2001 at 11:52:34AM -0500, Michael Shuey wrote:
> > I believe Mike isn't asking how I'd verify access for Debian developers on
> > my machine; he's asking how you Debian developers can prove that I haven't
> > modified my Mac to insert untrusted binaries into the distribution. Keep
> > in mind I'm not a Debian developer, so my PGP keys aren't on the official
> > keyring. I'm just some guy with a spare Mac. :-)
> Yes, that's it exactly...
These days most packages are built in a chroot. You don't know what a chroot
is? How do you want to put untrusted binaries in it ;-)
Basically, the buildd maintainer on that machine installs another system
from scratch which runs inside your running linux by downloading packages
from the debian servers or by unpacking a prepared chroot onto your machine.
We trust Michael when he built that chroot.tgz (as Michael trusts me when
Roman and James wrote buildd and sbuild). And maybe you trust me when I
built the last base.tgz...
I think it'd be rather hard for you to get untrusted binaries into the
building system, not impossible, but a complete waste of time (who would be
hit by untrusted binaries after all? Only the buildd machines, or does any
serious business run on m68ks?). I think if somebody wanted to play jokes on
us, he'd pick any arch but m68k... (this is not an invitation!).