Re: FTBFS: architecture all packages
Brian Nelson <pyro@debian.org> writes:
> Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> writes:
>
> > Brian May <bam@debian.org> writes:
> >
> >> Hello,
> >>
> >> Is it still a requirement that packages must be able to build
> >> from source, even though they do not need to get built from source?
> >
> > GPL (is this GPL?) basically says you have to ship the source that was
> > used to build the package. But if the source doesn't build how can
> > that be the right source?
>
> If the build environment has changed, that can render the package
> unbuildable even if the source hasn't changed.
Which I consider a bug. Since the buildd's build environment versions
aren't included in the package, such later breakage isn't really
visible. So on the side of caution, better fix those sources.
> > Makes things really suspicious. What if he planted a worm in the
> > package? Or accidentally shipped the wrong source?
>
> Huh?
Security of open source relies heavily on reviewing the source over
and over again. But if the source doesn't fit the binary (as might
be indicated by a build failure), who is to say what's in those
binaries?
I know of course that even if the source builds, that's no proof that
source and binary match.
MfG
Goswin