
Re: Results of the meeting in Helsinki about the Vancouver proposal

On Mon, Aug 22, 2005 at 12:52:06PM +0200, Sven Luther wrote:
> On Mon, Aug 22, 2005 at 11:51:55AM +0200, Aurelien Jarno wrote:
> > Sven Luther wrote:
> > >All packages should be built by official debian buildds anyway, not on
> > >developer machines with random cruft and unsecure packages installed, or even
> > >possibly experimental or home-modified stuff.
> > 
> > What about packages built on developer machines, but using the same 
> > software as on the official debian buildds? I mean using sbuild in a 
> > dedicated chroot. I sometimes do that for my packages when buildd are 
> > lagging or when a package fails to build because of missing dependencies.
> Should be ok, but the security level would still be higher using only official
> buildds and centrally controlled.

Really? The maintainer can still embed "rm -rf /" in the postinst either
way. We need to be able to trust developers.

Similarly, sponsored packages should be rebuilt because the project
hasn't decided to officially trust those contributors.

Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
