
Autobuilders, Signing



About autobuilders: I see no general way to verify that the autobuilt
package is as the maintainer intended it to be, short of an exact
binary match (only for architectures the maintainer has access to) and
bug reports to the contrary.  I mean:

1.  Despite Build-Depends, the autobuilder's environment may differ from
    the maintainer's, and may produce a .deb not == to the
    maintainer's.  Is this a bug?

2.  If I submit source, and it gets autobuilt, and the result differs
    from what I get locally, should I suspect a security problem on
    the autobuilder?

-itai
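A byte-for-byte mismatch between a local build and an autobuilt .deb does not say where the two differ. The following added example (not part of the original message) splits each .deb, which is an ar archive, into its members and reports whether only the ar header metadata differs or which member payloads differ; the function names and the sample archives are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse a .deb (a Unix ar archive) into {member name: (mtime, sha256 of data)}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode().strip().rstrip("/")
        mtime = int(hdr[16:28].decode().strip() or 0)
        size = int(hdr[48:58].decode().strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %s" % name)
        members[name] = (mtime, hashlib.sha256(data).hexdigest())
        pos += 60 + size + (size & 1)  # member data is padded to an even offset
    return members

def compare_debs(mine, built):
    """Return 'identical', 'metadata-only', or the sorted names of members whose payload differs."""
    if mine == built:
        return "identical"
    a, b = ar_members(mine), ar_members(built)
    changed = sorted(n for n in a.keys() | b.keys()
                     if a.get(n, (0, None))[1] != b.get(n, (0, None))[1])
    return changed or "metadata-only"

def make_ar(members, mtime):
    """Build a constructed sample archive (test data, not a real package)."""
    out = AR_MAGIC
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, mtime, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return out

# Constructed samples: same payloads built at different times, then one changed payload.
BASE = [(b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"CONTROL"), (b"data.tar.gz", b"DATA-v1")]
LOCAL = make_ar(BASE, 1000)
REBUILT = make_ar(BASE, 2000)
OTHER = make_ar(BASE[:2] + [(b"data.tar.gz", b"DATA-v2")], 2000)

if __name__ == "__main__":
    print(compare_debs(LOCAL, REBUILT), compare_debs(LOCAL, OTHER))
```

A differing member payload is not by itself evidence of a problem on the autobuilder, since the compressed tarballs inside a .deb carry their own timestamps and depend on the build environment; the comparison only narrows down where to look.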


