[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re: Architecture independent binaries and building from source


Shaun Jackman wrote:
> This allows both redistribution of a pristine upstream binary as well
> as potential modification by the security team.

What worries me here is the wording: "pristine". The other extreme would
be "proprietary" which is also valid. Maybe we are talking about the
difference between "Open Source/Free Software" and "Shared Source".

Your reasoning was about checksumming binaries for comparison with
upstream. Why would someone do this with Debian provided software? If a
user doesn't trust Debian, she simply can't use it. The rest of a Debian
install could do all kinds of evil things, even if the user checked one
upstream binary.

In addition to what has been said, it is common for many people to use
non-free build environments. Not only upstream, but also Debian
maintainers who are surprised when I file FTBFS reports after rebuilding
in a clean (Debian main) environment. By skipping the building from
source code we would hide such problems (which can surface very
annoyingly later for the security team, as Joey mentioned). Providing an
additional debian/rules target that nobody uses (until we have a binding
policy for that) would be hypocrisy.


Reply to: