
Re: Unofficial buildd network has been shut down



Wouter Verhelst <wouter@grep.be> writes:

> On Wed, Sep 01, 2004 at 03:06:45PM +0200, Goswin von Brederlow wrote:
>> If it were personal and Debian had reasons not to trust me that would
>> be OK (well, not for me but in general) but it's not. It's worse. DDs
>> are not allowed to think for themselves and decide whom and what systems
>> to trust. That was the message conveyed in the thread and on irc. It's
>> not the place of a DD to decide for all of Debian whom to trust.
>
> Agreed.
>
> However, the issue is not that we don't trust people who are not Debian
> Developers; the issue is that we can't trust everyone on this planet,
> and that we need to draw a line /somewhere/. That line needs to have
> some kind of objectivity to it. No, whether someone has the
> Developer status isn't fully objective either; but it's the best we've
> got.

In the last years Debian had (knowingly or not) enough trust in its DDs
to know when to extend the trust given to them to non-DDs, as you
yourself have (strange that you agree to the above very black-and-white
summary but acted against it). That's how several buildds were started
and added to the pool over the years. And that appears to be now in
question.

> The alternative would be to drop the PGP key checking completely and to
> allow anyone to upload packages. Would you want that?

Absolutely not. The moment Debian did that I would stop using it
myself. Security is flimsy enough as it is.

The alternative is to trust the DDs and to let them continue building
packages on systems they trust. The whole buildd system is based on
trusting the local admin and hoster of the system not to mess with the
buildd.

MfG
        Goswin


