
Re: Autobuilders, Signing

>>>>> "Itai" == Itai Zukerman <zukerman@math-hat.com> writes:

    Itai> About autobuilders: I see no general way to verify that the
    Itai> autobuilt package is as the maintainer intended it to be,
    Itai> short of an exact binary match (only for architectures the
    Itai> maintainer has access to) and bug reports to the contrary.
    Itai> I mean:

...and only when the autobuilder builds the binary using the same
libraries, etc. as the maintainer. I, for instance, still use a mostly
stable system.

    Itai> 1.  Despite Build-Depends, the autobuilder's environment may
    Itai> differ from the maintainer's, and may produce a .deb not ==
    Itai> to the maintainer's.  Is this a bug?

No. It simply means that some maintainers don't want to use unstable.

(this is a good argument for why source-only uploads are a good idea,
assuming it worked, but let's not sidetrack the issue at hand).

    Itai> 2.  If I submit source, and it gets autobuilt, and the
    Itai> result differs from what I get locally, should I suspect a
    Itai> security problem on the autobuilder?

See above.

Could even differ because of a variation in how the compiler optimises
code, etc., too.

Also, even if it is the same on the maintainer's architecture, there is
no way to test it for other architectures...

In short: we have to trust the autobuilders, there is no way around
this issue (even when compiling packages manually - how can the person
be sure that the compiler used isn't introducing back doors into the
compiled code?)

Brian May <bam@debian.org>
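The thread above treats "exact binary match" between the maintainer's .deb and the autobuilt one as the only available check. A whole-file hash mismatch, however, says nothing about where the two builds diverge. The following is an added example, not code from this thread, from Brian May, or from Debian's own tooling (dpkg, diffoscope); it builds two small constructed .deb archives in memory (ar container, gzip-compressed control and data tarballs, no real ELF binaries) and compares them member by member and file by file with SHA-256, so that a mismatch is reported as a list of changed, added or missing paths rather than a bare "differs". The package names, paths and payload bytes are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple


def ar_pack(members: List[Tuple[str, bytes]]) -> bytes:
    """Write a minimal Unix ar archive (the outer container of a .deb)."""
    buf = bytearray(b"!<arch>\n")
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        buf += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        buf += data
        if len(data) % 2:  # ar pads odd-sized members to an even offset
            buf += b"\n"
    return bytes(buf)


def ar_entries(blob: bytes) -> Dict[str, bytes]:
    """Parse an ar archive into {member name: member bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, out = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        pos += 60
        out[name] = blob[pos:pos + size]
        pos += size + (size % 2)
    return out


def tar_gz(files: Dict[str, bytes], mtime: int) -> bytes:
    """Deterministic gzip'd tar: fixed mtimes, sorted paths, zeroed gzip header time."""
    bio = io.BytesIO()
    with gzip.GzipFile(fileobj=bio, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tf:
            for path, data in sorted(files.items()):
                ti = tarfile.TarInfo(path)
                ti.size = len(data)
                ti.mtime = mtime
                tf.addfile(ti, io.BytesIO(data))
    return bio.getvalue()


def tar_file_hashes(data: bytes) -> Dict[str, str]:
    """SHA-256 of every regular file inside a (compressed) tarball."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                hashes[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return hashes


def build_deb(control: str, payload: Dict[str, bytes], mtime: int) -> bytes:
    """Assemble a toy .deb: debian-binary + control.tar.gz + data.tar.gz."""
    return ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz({"control": control.encode()}, mtime)),
        ("data.tar.gz", tar_gz(payload, mtime)),
    ])


def index_deb(deb: bytes) -> Dict[str, str]:
    """Map 'member:path' (or bare member name) to a content hash."""
    idx = {}
    for member, blob in ar_entries(deb).items():
        if member.startswith(("control.tar", "data.tar")):
            for path, h in tar_file_hashes(blob).items():
                idx[f"{member}:{path}"] = h
        else:
            idx[member] = hashlib.sha256(blob).hexdigest()
    return idx


def compare_debs(a: bytes, b: bytes) -> Dict[str, object]:
    """Report exactly which files differ between two .deb archives."""
    if a == b:  # the bit-for-bit match the thread talks about
        return {"identical": True, "changed": [], "only_in_first": [], "only_in_second": []}
    ia, ib = index_deb(a), index_deb(b)
    return {
        "identical": False,
        "changed": sorted(p for p in ia.keys() & ib.keys() if ia[p] != ib[p]),
        "only_in_first": sorted(ia.keys() - ib.keys()),
        "only_in_second": sorted(ib.keys() - ia.keys()),
    }


# Constructed sample (not real packages or binaries): the autobuilder's toolchain
# emitted different code for usr/bin/foo and added a file the maintainer's build lacks.
CONTROL = "Package: foo\nVersion: 1.0-1\nArchitecture: i386\n"
MAINTAINER_DEB = build_deb(CONTROL, {
    "usr/bin/foo": b"\x7fELF maintainer-toolchain code",
}, mtime=1_000_000_000)
AUTOBUILT_DEB = build_deb(CONTROL, {
    "usr/bin/foo": b"\x7fELF buildd-toolchain code",
    "usr/share/doc/foo/buildinfo": b"built on buildd\n",
}, mtime=1_000_000_000)

if __name__ == "__main__":
    print(compare_debs(MAINTAINER_DEB, AUTOBUILT_DEB))
```

Run against real packages, replace the constructed `MAINTAINER_DEB`/`AUTOBUILT_DEB` with the bytes of the two .deb files; the comparison then tells the maintainer whether the difference is confined to a build-info file or touches the shipped binary, which is the distinction that matters before suspecting the autobuilder.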