[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition

I'd like to chime in on this whole build thing.
I've been trying to get pbuilder working for a few days now, on a package from backports. It should be a simple task, but I need a minor modification in the form of an extra repository for dependencies.

It's been incredibly difficult to get the package built.

The process needs some refinement and some minor enhancements at least. I'll be documenting my process soon enough for others to be able to have a reasonable account of the process as it stands now.

On Feb 15, 2014 8:15 AM, "Philipp Kern" <pkern@debian.org> wrote:
On 2014-02-15 15:34, Henrique de Moraes Holschuh wrote:
On Sat, 15 Feb 2014, Philipp Kern wrote:
That's why I was careful to publish the address nowhere. We do some

Unfortunately, that cat is out of the bag, now.  Whether it will get spammed
or attacked, I don't know.

However, it is not like we ever could trust the logs anyway for any security
purposes, as they are not signed by the same key that signed the respective
changes file for the upload.  Currently, they're useful for debug purposes,
and that's it (which is fine).

Yeah, they could be, if sbuild is extended to sign the logs. That said, we do trust our mail-in. We can trust the received headers to some degree (for timestamps and where the mail came from), but we cannot rule out on-disk tampering.

Kind regards
Philipp Kern

To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] 43b8290b3d8f1f2f37b01636e93370ad@hub.kern.lc" target="_blank">http://lists.debian.org/43b8290b3d8f1f2f37b01636e93370ad@hub.kern.lc

Reply to: