[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Architecture independent binaries and building from source

Roland Stigge wrote:
> Also consider the hassles we come into when we need to patch upstream
> sources; and reliably and automatically checking if packages build from
> source.

I guess this is a good enough reason not to distribute upstream provided
binaries instead of creating them from the source.

Just assume there's a security bug in the upstream blob.  Also assume
that the package is part of stable release of Debian.  Now assume that
the security team needs to fiddle with the (in that case) broken build
system to get a) the blob built from the provided source and b) pray
to God that it really builds from source and isn't only said to do so.
If building then fails on one architecture for whatever strange reason,
we're doomed.  We're also doomed if building results in a broken blob.

Hence, please don't do that, but compile it from the provided source,



Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.

Reply to: