
Re: The unofficial buildd effort and its shutdown - my POV



Hi,

I'm reading this discussion (did anybody call it a flamewar? It isn't)
with interest, and I don't have any particular feelings for any of the
persons or opinions involved.

Colin Watson <cjwatson@debian.org> wrote:

> On Mon, Sep 06, 2004 at 11:23:33PM +0200, Goswin von Brederlow wrote:
>> Steve Langasek <vorlon@debian.org> writes:
>> >
>> > I'm afraid I didn't see anyone telling you to stop, even upon rereading
>> > the thread; only people expressing concerns.  What I did notice was you
>> > curiously overstating the impact of these unofficial builds, to wit:
>> 
>> Colin Watson: "I would simply like this practice to stop immediately."
>> http://lists.debian.org/debian-devel/2004/08/msg01903.html
>> 
>> I interpret that as a polite way of telling me to stop.
>
> Since you quoted me, a point of information: sponsored binary uploads
> are not the same as unofficial buildds, and I was talking strictly about
> the former. If you hadn't quoted the smallest possible part of my mail
> then this would have been obvious to readers. Various people seem to be
> conflating the two issues, though.

I must say I cannot see the difference between sponsored binary uploads
and an unofficial buildd run by a non-DD, except in quantity.

I think in both cases a high degree of trust is required. No one would
like a buildd run on a machine of some guy, who is active on a porters'
mailing list for two weeks and then says "Ah, you need more buildds? I
have one machine here, permanently online, do you want it?"

The buildd machines have to be trusted. Their admins have to be trusted
a) not to try to introduce malicious code and b) to administer their
machines well enough to minimize the risk of a compromise.

There should be some kind of double check for that trust, e.g. an
explicit decision of the ftp-masters and of the porters'
mailing list. But if this trust relationship has been established, I do
not see why a binary NMU prepared on one of those machines by one of the
machine's admins, or by a DD with an account there, should be trusted
less than the autobuilt packages signed by the DD with the account.

Regards, Frank


-- 
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
