
Re: Question about build dependencies.



>>>>> "Marcus" == Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:

    Marcus> On Mon, Dec 17, 2001 at 05:19:07PM -0500, Joey Hess wrote:
    >> Anyway, one can put a cvs checkout in the build rule w/o
    >> breaking any autobuilders, if you're really
    >> careful. base-config has had this for ages, without causing any
    >> problems:

    Marcus> Sure.  But it does open a security risk.  If people manage
    Marcus> to trick the builder into downloading files from their
    Marcus> server instead of the real one, and use them for building the
    Marcus> package, this can lead to serious problems.

Another problem is that there is no guarantee that the same source
code will be used for every architecture, depending on the timing the
autobuild has taken place.

This, I believe, is probably the most likely and most serious problem:
there is only one tar.gz file for all architectures...

Perhaps the autobuilders should (if they don't do so already) check
that nothing in the source code has changed from the downloaded *.dsc,
*.tar.gz and *.diff.gz files?

(might be a problem for autobuilt rebuilt files, e.g. autoconf and
automake, though)
-- 
Brian May <bam@debian.org>
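The check proposed above, as an added example that is not part of the original thread: a shell script that hashes the unpacked source tree before and after the build and flags any file that was added, removed or modified, with an allowlist (an assumption) for files autoconf/automake are expected to regenerate. It assumes GNU sha256sum is available.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the unpacked Debian source tree
# before the build and compare afterwards, so an autobuilder can tell whether the
# build fetched or rewrote sources (as a cvs checkout in debian/rules would)
# rather than just regenerating autoconf/automake output. Assumes GNU sha256sum.

# Assumption: files the build is allowed to regenerate (autoconf/automake output).
ALLOW_REGEX='^\./(configure|aclocal\.m4|config\.h\.in|([^/]+/)*Makefile\.in)$'

hash_tree() {
  # Print "sha256  ./path" for every regular file under $1, sorted by path.
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
  done)
}

unexpected_changes() {
  # $1 = snapshot taken before the build, $2 = snapshot taken after it.
  # Print each path that was added, removed or modified and is not allowlisted.
  diff "$1" "$2" | sed -n 's/^[<>] [0-9a-f]*  //p' | LC_ALL=C sort -u \
    | grep -Ev "$ALLOW_REGEX" || true
}

check_source_unchanged() {
  # Return 0 if the built tree still matches the unpacked .dsc/.tar.gz/.diff.gz
  # contents apart from allowed regenerated files; otherwise list them, return 1.
  changes=$(unexpected_changes "$1" "$2")
  if [ -n "$changes" ]; then
    printf 'source changed during build (not in downloaded source):\n%s\n' "$changes" >&2
    return 1
  fi
}

demo() {
  # Constructed scenario: the "build" regenerates configure (allowed) and also
  # replaces src/main.c with code that never came from the downloaded .tar.gz.
  tmp=$(mktemp -d); src="$tmp/pkg-1.0"; mkdir -p "$src/src"
  printf 'int main(void) { return 0; }\n' > "$src/src/main.c"
  printf '#!/bin/sh\n' > "$src/configure"
  hash_tree "$src" > "$tmp/before"
  printf '#!/bin/sh\n# regenerated by autoconf\n' > "$src/configure"
  printf 'int main(void) { return 1; }\n' > "$src/src/main.c"
  hash_tree "$src" > "$tmp/after"
  check_source_unchanged "$tmp/before" "$tmp/after" && status=0 || status=$?
  rm -rf "$tmp"
  return $status
}
demo || true   # reports ./src/main.c only; configure is an allowed change
```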


