
Re: Using buildds only (was: Results of the meeting...)

On Mon, Aug 22, 2005 at 04:08:47PM +0200, W. Borgert wrote:
> Quoting Hamish Moffatt <hamish@debian.org>:
> > There is the possibility that developer builds get extra features
> > enabled due to other installed libraries etc. This could be checked for
> > by analysing the packages files for different architectures or similar.
> This is a really nice idea: A DD with a strange sense of humour
> could "enable an extra feature" in their binary package, that is
> not in the source code - at least not in the uploaded source.
> Could be a virus, a Trojan horse, a root kit, a time-bomb.  As
> >= 95% of our users have i386, it's easy to generate nice damage.

That isn't what I meant. I meant that the developer might have some
other installed package found by configure and used, which wouldn't be
present in the clean buildd environment.

It may be possible to compare the dependencies of each package across
architectures to detect this - not at upload time, but asynchronously.
(Developers do plenty of other such archive-wide tests now and report
back through the BTS, debian-devel etc.)

Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
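A worked example of the asynchronous cross-architecture dependency comparison Hamish proposes above. This is an added example, not code from the thread, from Debian's archive tooling, or from the lintian/BTS checks mentioned; it assumes Packages files in the usual deb822 stanza format and uses constructed i386/amd64 stanzas for hypothetical packages `foo` and `bar`. A package whose `Depends` set differs between architectures at the same version is flagged as a candidate for a developer build that picked up extra libraries from the developer's own machine rather than from a clean buildd chroot.

```python
"""Detect per-architecture dependency drift between Debian Packages files.

Added example (not from the original thread). Assumes deb822-style Packages
files: one stanza per binary package, fields 'Key: value', stanzas separated
by blank lines. Only same-version stanzas are compared, so an architecture
that is merely out of date is not reported as drift.
"""
import re

# Constructed sample stanzas: i386 (developer-built) vs amd64 (buildd-built).
# 'foo' on i386 gained a dependency on libextra0 that the buildd did not find.
PACKAGES_I386 = """\
Package: foo
Version: 1.0-1
Architecture: i386
Depends: libc6 (>= 2.3.2), libfoo1, libextra0 (>= 0.4)

Package: bar
Version: 2.1-3
Architecture: i386
Depends: libc6 (>= 2.3.2)
"""

PACKAGES_AMD64 = """\
Package: foo
Version: 1.0-1
Architecture: amd64
Depends: libc6 (>= 2.3.2), libfoo1

Package: bar
Version: 2.1-3
Architecture: amd64
Depends: libc6 (>= 2.3.2)
"""


def parse_packages(text):
    """Return {package_name: {field: value}} from a Packages file body.
    Continuation lines (leading whitespace) are ignored; they do not occur
    in the fields compared here."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line[0].isspace():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            stanzas[fields["Package"]] = fields
    return stanzas


def dependency_names(depends):
    """Strip version constraints so only the relation itself is compared:
    'libc6 (>= 2.3.2), libfoo1' -> {'libc6', 'libfoo1'}.
    Alternatives ('a | b') are kept as one unit, as written."""
    names = set()
    for item in depends.split(","):
        item = re.sub(r"\s*\([^)]*\)", "", item).strip()
        if item:
            names.add(item)
    return names


def find_dependency_drift(packages_by_arch):
    """Compare each package's Depends across architectures.

    packages_by_arch: {arch: parse_packages(...) result}
    Returns {package: {arch: [deps present on this arch but not on all]}}
    for packages whose same-version dependency sets disagree."""
    drift = {}
    all_pkgs = set()
    for pkgs in packages_by_arch.values():
        all_pkgs |= set(pkgs)

    for name in sorted(all_pkgs):
        per_arch = {}
        versions = set()
        for arch, pkgs in packages_by_arch.items():
            stanza = pkgs.get(name)
            if stanza is None:
                continue  # not built for this arch (yet): nothing to compare
            versions.add(stanza.get("Version"))
            per_arch[arch] = dependency_names(stanza.get("Depends", ""))
        # Need at least two arches at the same version for a meaningful diff.
        if len(per_arch) < 2 or len(versions) != 1:
            continue
        common = set.intersection(*per_arch.values())
        extras = {arch: sorted(deps - common)
                  for arch, deps in per_arch.items() if deps - common}
        if extras:
            drift[name] = extras
    return drift


if __name__ == "__main__":
    report = find_dependency_drift({
        "i386": parse_packages(PACKAGES_I386),
        "amd64": parse_packages(PACKAGES_AMD64),
    })
    for pkg, extras in report.items():
        for arch, deps in extras.items():
            print(f"{pkg}: {arch} depends on {', '.join(deps)} but other arches do not")
```

In practice the two inputs would be the `Packages` indices fetched for each architecture from a mirror; a hit only means the builds disagree, and the follow-up is to rebuild the flagged package from the uploaded source in a clean chroot and see which set of dependencies that produces.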
