Re: Proposal for collaborative maintenance of packages
On Thu, Dec 29, 2005 at 02:14:14PM +1100, skaller wrote:
> On Wed, 2005-12-28 at 20:44 -0500, Justin Pryzby wrote:
> > > EG: My comp is on the net sometimes and sitting here idle.
> > > I'd be happy if Debian used it occasionally to build binaries.
> > > Where is the web page telling me how to advise Debian autobuilder
> > > how to access my comp??
> > That won't happen. Debian developers, by whatever definition, are
> > accountable ethically if not legally for packages we distribute.
> > AFAIK that is one reason why we distribute free software :)
> > We're also responsible for not distributing malware in our packages,
> > and, whereas I would love to have an absolute trust in the goodwill of
> > mankind, I recognize that it isn't feasible to allow autobuilding on
> > arbitrary hosts.
> You assumed that ONE machine would be blindly trusted to build a
> binary package. Did I say that?? :)
> You'd want at least 3 to produce identical results, and
> you'd only use this mechanism for Unstable type stuff.
This typically isn't possible to do. Different machines will, oddly enough,
often produce slightly different results from a package build, due to the
embedding of various bits of data in the output (such as timestamps inside
> The final distro would of course still be built under
> more controlled conditions.
So we then need to throw *massive* amounts of processing power at compiling
over 10,000 packages (some of which can take up to a day, even on modern
hardware) for a short period of time. People already complain that Debian
is outdated when it's released -- this isn't going to help matters. Not to
mention the old "Trusting Trust" attack (and if you don't know what I'm
talking about, it's time to stop talking and break out the research cap).
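The point above about differing build results is easy to see concretely. The following is an added example, not code from the thread or from Debian's build infrastructure: a toy "build" that embeds the builder's clock in the output, a quorum check of the kind skaller proposes (at least 3 builders must agree), and the same check once the timestamp is pinned to a fixed value derived from the source rather than the wall clock (the approach the Reproducible Builds project later standardized as SOURCE_DATE_EPOCH). All inputs, timestamps and function names are constructed for the illustration.

```python
"""Added example: why 'N builders must agree' fails when a build embeds
timestamps, and how pinning the timestamp restores agreement.
Everything here is constructed; it is not Debian tooling."""
import hashlib
from collections import Counter


def build_artifact(source: bytes, build_time: int) -> bytes:
    """Toy build step: prepend a header carrying the build time to the source.
    Real builds do the equivalent in archive headers, __DATE__ macros, etc."""
    header = f"built-at={build_time}\n".encode()
    return header + source


def digest(artifact: bytes) -> str:
    """Identity of an artifact for comparison purposes."""
    return hashlib.sha256(artifact).hexdigest()


def quorum_identical(digests, required=3):
    """Return (ok, digest) where ok is True if at least `required`
    builders produced a byte-identical artifact."""
    top, count = Counter(digests).most_common(1)[0]
    return count >= required, top


def run_builders(source: bytes, build_times):
    """Simulate one independent builder per entry in build_times."""
    return [digest(build_artifact(source, t)) for t in build_times]


# Constructed sample input: a trivial source file.
SOURCE = b"int main(void) { return 0; }\n"

# Case 1: each builder stamps its own clock, so all three outputs differ
# even though the source and toolchain are identical.
NAIVE_DIGESTS = run_builders(SOURCE, [1135818854, 1135818901, 1135819002])

# Case 2: the timestamp is pinned to a value fixed by the source revision
# (constructed here), so independent builders agree byte for byte.
PINNED_EPOCH = 1135818000
PINNED_DIGESTS = run_builders(SOURCE, [PINNED_EPOCH] * 3)


def demo():
    """Return the two quorum verdicts: (naive_ok, pinned_ok)."""
    naive_ok, _ = quorum_identical(NAIVE_DIGESTS)
    pinned_ok, _ = quorum_identical(PINNED_DIGESTS)
    return naive_ok, pinned_ok


if __name__ == "__main__":
    print("naive quorum reached:", demo()[0])
    print("pinned quorum reached:", demo()[1])
```

The quorum check only has teeth once the build itself is deterministic; without that, three honest builders look exactly like three builders that disagree for other reasons, which is why the comparison approach cannot substitute for controlled build conditions on its own.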