[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tainted builds (was Re: usrmerge -- plan B?)

On Sun, Dec 02, 2018 at 04:28:46PM -0800, Russ Allbery wrote:
Guillem Jover <guillem@debian.org> writes:

Whether a package is being built within a chroot or not, has nothing
to do with how that installation is being managed IMO. It feels a bit
like recording what's the form factor of the machine being run on? :)

I think what people are trying to get at here is "was the package built on
a system with packages other than build dependencies plus build-essential
plus essential/required packages installed."

I do think this would be very useful to track, but it's a bit complicated
to work out, and there are probably a few other exceptions that would need
to be in place.

And you'd still have cases like "someone installed something in /usr/local/bin" and such. Might be easier to just track whether it was built in a dsa-maintained autobuilder, so a human can identify potential local build environment issues as a possible explanation for unexpected behavior because that's really the objective. Might also not be worth trying to do that vs existing ways to find out where the package was built.

Reply to: