[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Circular build dependency in maven-plugin-tools

* Vincent Fourmond:

>   Imagine there is a huge security hole in this package. Do you really
> think the security team will want to use the *problematic* package to
> build a *clean* one ?

The machines we use for building have no untrusted local users, and
only restricted networking.

Of course, we still lose if it is genuinely backdoored, but this
totally unrelated to the circular build dependency.

And from a DFSG compliance perspective, I prefer a circular build
dependency over bootstrapping from a blob in the source package.

Reply to: