Autobuilders, Signing
About autobuilders: I see no general way to verify that the autobuilt
package is as the maintainer intended it to be, short of an exact
binary match (only for architectures the maintainer has access to) and
bug reports to the contrary. I mean:
1. Despite Build-Depends, the autobuilder's environment may differ from
the maintainer's, and may produce a .deb not == to the
maintainer's. Is this a bug?
2. If I submit source, and it gets autobuilt, and the result differs
from what I get locally, should I suspect a security problem on
the autobuilder?
-itai
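
Added example, not part of the original message: a .deb is an ar archive, so a failed exact binary match can be narrowed down member by member, separating members whose bytes really differ from those where only the ar header timestamp changed. The function names and the two sample archives are constructed for illustration; the payloads are placeholders, not real tarballs.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse an ar archive (the container of a .deb) into {name: (mtime, data)}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        mtime = int(hdr[16:28].decode("ascii").strip() or "0")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members[name] = (mtime, data)
        pos += 60 + size + (size & 1)  # member data is padded to an even offset
    return members

def compare_debs(local, autobuilt):
    """Classify each member as same, metadata-only, content or missing."""
    a, b = ar_members(local), ar_members(autobuilt)
    report = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report[name] = "missing"
        elif a[name][1] != b[name][1]:
            report[name] = "content"        # payload bytes differ
        elif a[name][0] != b[name][0]:
            report[name] = "metadata-only"  # same bytes, different header mtime
        else:
            report[name] = "same"
    return report

def make_ar(members, mtime):
    """Build a constructed ar archive for the demo below."""
    out = AR_MAGIC
    for name, data in members:
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, mtime, 0, 0, "100644", len(data))
        out += hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")
    return out

# Constructed samples: identical control member, different data member and build time.
LOCAL = make_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"CTRL1"),
                 ("data.tar.gz", b"DATA-local")], 1000)
AUTOBUILT = make_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"CTRL1"),
                     ("data.tar.gz", b"DATA-buildd")], 2000)

if __name__ == "__main__":
    print("exact binary match:", LOCAL == AUTOBUILT)
    for member, verdict in compare_debs(LOCAL, AUTOBUILT).items():
        print(member, verdict)
```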