
Re: Tainted builds (was Re: usrmerge -- plan B?)



On Sun, Dec 02, 2018 at 04:28:46PM -0800, Russ Allbery wrote:
> Guillem Jover <guillem@debian.org> writes:
>
>> Whether a package is being built within a chroot or not, has nothing
>> to do with how that installation is being managed IMO. It feels a bit
>> like recording what's the form factor of the machine being run on? :)
>
> I think what people are trying to get at here is "was the package built on
> a system with packages other than build dependencies plus build-essential
> plus essential/required packages installed."
>
> I do think this would be very useful to track, but it's a bit complicated
> to work out, and there are probably a few other exceptions that would need
> to be in place.

And you'd still have cases like "someone installed something in /usr/local/bin" and such. Might be easier to just track whether it was built in a dsa-maintained autobuilder, so a human can identify potential local build environment issues as a possible explanation for unexpected behavior because that's really the objective. Might also not be worth trying to do that vs existing ways to find out where the package was built.

