Re: Unofficial buildd network has been shut down



On Wed, Sep 01, 2004 at 03:36:54PM +1000, Hamish Moffatt wrote:

> > It saddens me to see that donations of accounts and free cpu cycles to
> > DDs are no longer appreciated by Debian. Any request to (re)build
> > package must now again go solely to <arch>@buildd.debian.org.
> Goswin, the problem isn't that we can't accept donated cycles but that
> we need packages that we can trust, which means built by a developer in
> the Debian keyring.
> It's nothing personal. I don't know the reasons why you weren't accepted
> as a DD and that's not really the issue at hand. But shutting down those
> buildds was the right thing to do I think.

So, you speak of an untrusted relationship between DDs and non-DDs. 

I fully understand that you (as being a DD, in general, not in person) can't
trust non-DDs. 
Therefore I request the removal of:

- all packages ever built on untrusted hardware. This means at least
all packages built on arrakis, buildd2, wouter-arrakis, buildd-m68_arrakis,
spice, akire, crest, paco, pepe and pancho as well as all other packages
built on any other machine not totally owned and controlled by either a DD
or by DSA.
- all packages ever built with a package of the toolchain on each of
the above mentioned machines, especially because Matthias Klose used spice,
arrakis and paco to make development on the gcc suite.
- all accounts that ever used one of these machines. You can't tell if they
were compromised.
- all information on www.debian.org that encourages non-DDs to contribute
anything.
- all information on www.debian.org about sponsorship and binNMUs.

Why this?
Because if you don't trust, you have to remove all this stuff. For arrakis
this means that all packages in the archive since arrakis started to work as
a buildd on a non-DD owned hardware can't be trusted. IIRC arrakis started
back in 2000 or 2001. 
Crest was installed by me, an evil & untrustworthy non-DD, so everything
that happened on this machine might have been compromised as well. 
And when you don't trust non-DDs you also should remove all references on
the website that encourage non-DDs to contribute. The contribution will be
untrusted in any way. 

So, when you're seriously concerned about trustworthy computing, you'll need
to do all the above mentioned removals. 

Sounds silly? So, maybe you want to use an alternative:

Start building your trust on the work being done, not just on some obscure
status per se. 

I do trust some non-DDs more than I trust some DDs. Just being a DD doesn't
mean that you're trustworthy to me.

-- 
Ciao...              // 
      Ingo         \X/


