
Re: Bits (Nybbles?) from the Vancouver release team meeting



On Mon, Mar 14, 2005 at 11:11:55AM +0100, Sven Luther wrote:
> On Mon, Mar 14, 2005 at 02:12:48AM -0800, Thomas Bushnell BSG wrote:
> > Where human delay did come into play was in getting the xfree86 mess
> > cleaned; in theory it should have taken one or two days, but in
> > practice it took much longer.
> 
> Why not fully eliminate the human factor? Ubuntu does automated build from
> source-only uploads, the package sources are built and signed by a developer,
> autobuilt on all arches, and I don't believe they are individually signed
> after that.

Ubuntu is in the happy situation of having a system in a DMZ - i.e. not
network-accessible in general without having to get through other
barriers first - with very few login accounts and full-time maintenance
on which to do auto-signing, and similar systems to act as buildds.
Debian isn't remotely in that position. Auto-signing requires a great
deal of care and thought before blindly enabling it, and certainly it
must not happen on a generally network-accessible machine and it
probably shouldn't happen while the buildds remain generally
network-accessible.

We were in a bad enough situation during the server compromise when it
was discovered that some developers had inadvertently left their private
GPG keys on network-accessible machines with lots of login accounts.
Surely you acknowledge that as a mistake by those developers, and not
something we should be encouraging by making it an essential part of our
infrastructure?

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
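The reply above turns on one concrete failure mode: private GPG keys left in home directories on a shared, network-accessible host. The following is an added example, not part of this thread or of Debian's or Ubuntu's infrastructure, showing a small POSIX shell audit that walks a home-directory tree and reports every account holding private key material in its `.gnupg` directory (the GnuPG 1.x/2.0 `secring.gpg` file or a non-empty GnuPG 2.1+ `private-keys-v1.d` directory). The user names and the directory tree it builds for the demonstration are constructed; on a real host you would point it at `/home` as root.

```shell
#!/bin/sh
# Audit a multi-user host for private GPG key material left in home
# directories. Added example; the sample tree built below is constructed
# purely for the demonstration and contains no real key material.

# find_private_gpg_keys ROOT
# Prints one tab-separated line per finding:  <user> <path>
# Reports the classic secring.gpg (GnuPG 1.x / 2.0) when non-empty and
# the private-keys-v1.d directory (GnuPG 2.1+) when it holds any files.
find_private_gpg_keys() {
    root="$1"
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        gnupg="$home/.gnupg"
        if [ -s "$gnupg/secring.gpg" ]; then
            printf '%s\t%s\n' "$user" "$gnupg/secring.gpg"
        fi
        if [ -d "$gnupg/private-keys-v1.d" ] && \
           [ -n "$(ls -A "$gnupg/private-keys-v1.d" 2>/dev/null)" ]; then
            printf '%s\t%s\n' "$user" "$gnupg/private-keys-v1.d"
        fi
    done
}

# count_private_gpg_keys ROOT
# Number of distinct accounts under ROOT that hold private key material.
count_private_gpg_keys() {
    find_private_gpg_keys "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Build a constructed sample tree so the audit can be exercised offline:
#   alice: GnuPG 2.1+ layout with one (fake) private key file  -> reported
#   bob:   GnuPG 1.x secring.gpg                                -> reported
#   carol: public keyring only                                  -> not reported
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/.gnupg/private-keys-v1.d"
    printf 'constructed, not a real key\n' \
        > "$root/alice/.gnupg/private-keys-v1.d/0123456789abcdef.key"
    mkdir -p "$root/bob/.gnupg"
    printf 'constructed, not a real keyring\n' > "$root/bob/.gnupg/secring.gpg"
    mkdir -p "$root/carol/.gnupg"
    : > "$root/carol/.gnupg/pubring.gpg"
    printf '%s\n' "$root"
}

# Usage on a real host (as root):   find_private_gpg_keys /home
# Demo against the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    find_private_gpg_keys "$demo_root"
    rm -rf "$demo_root"
fi
```

The check is deliberately file-based rather than calling `gpg --list-secret-keys` per user, so it needs no agent, no passphrase prompts and no per-user environment; a finding is a prompt to move that key to an offline or single-purpose signing machine, which is exactly the distinction the reply draws between a locked-down signing host and a general-login box.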
