
Re: Trust in the Debian Build Process



On Mon, Nov 16, 1998 at 13:30:17 -0000, Thomas Roessler wrote:
> Part of this risk can be controlled by having a Debian-internal web
> of trust and digitally-signed binary packages.

Please note that uploads of Debian packages already contain a digital
signature for the binary packages as part of the .changes file.
Unfortunately, this information isn't part of the Debian packages
themselves, so an end user can't verify it, and a malicious mirror could
insert trojan packages.

> One possible solution may look like this:
> 
> Centralize the actual build process.

There are certainly merits to this, and I'd like to see this implemented, if
it's feasible. It would also prevent disasters like the libc compiled with a
broken /usr/local/bin/gcc we're now in the process of recovering from.

I'm not sure if it's feasible yet. I don't know if we have enough power
available in net.connected machines to pull it off. Also, we'd need a way to
give some builds priority (e.g. security fixes).

> The upstream source packages should be automatically fetched from
> well-known archive sites; these archive sites should be documented in the
> package documentation.

In some cases, there is no upstream source anymore (e.g. ae, IIRC), or the
differences between the debianised version and the upstream source are very
large (e.g. strace); we'd need to take this into account.

Ray
-- 
ART  A friend of mine in Tulsa, Okla., when I was about eleven years old. 
I'd be interested to hear from him. There are so many pseudos around taking 
his name in vain. 
- The Hipcrime Vocab by Chad C. Mulligan 
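
Added example, not part of the original message: a sketch of the check an end user could run if the signed .changes data were available to them, comparing a package fetched from a mirror against the checksum the uploader signed. It assumes the .changes text has already been signature-verified (for example with GnuPG) and uses the `Checksums-Sha256` field of present-day .changes files; the package name, contents and helper names are constructed for illustration.

```python
import hashlib

def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from one multi-line field.

    Assumption: changes_text is the payload of a .changes file whose
    signature was already verified; this function does no signature check.
    """
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            parts = line.split()
            if len(parts) == 3:  # digest, size, filename
                entries[parts[2]] = (parts[0].lower(), int(parts[1]))
        else:
            in_field = False  # any other field ends the list
    return entries

def verify_package(name, data, entries):
    """Compare downloaded package bytes with the signed entry for name."""
    if name not in entries:
        return "not-listed"  # the uploader never signed a file of this name
    digest, size = entries[name]
    if len(data) != size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "digest-mismatch"
    return "ok"

# Constructed sample data: a stand-in package body and a matching .changes.
PKG_NAME = "hello_1.0-1_i386.deb"
GOOD_DEB = b"constructed stand-in for the real package contents\n"
SAMPLE_CHANGES = "\n".join([
    "Format: 1.8",
    "Source: hello",
    "Architecture: i386",
    "Version: 1.0-1",
    "Checksums-Sha256:",
    f" {hashlib.sha256(GOOD_DEB).hexdigest()} {len(GOOD_DEB)} {PKG_NAME}",
    "Maintainer: Example Maintainer <maintainer@example.org>",
])
ENTRIES = parse_checksums(SAMPLE_CHANGES)

if __name__ == "__main__":
    print(verify_package(PKG_NAME, GOOD_DEB, ENTRIES))
    # Same length, different bytes: what a modified mirror copy looks like.
    print(verify_package(PKG_NAME, GOOD_DEB.replace(b"real", b"evil"), ENTRIES))
```

The check only means something when the .changes data reaches the user over the same untrusted path as the package and still carries a signature they can validate, which is the gap the message points out.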

