Re: Recompilation of ALL Debian packages ...
martin f krafft <madduck@debian.org> writes:
> The reason I am pushing for this is because of two of my clients, who
> have been wanting to use Debian for three years now but consciously
> decided against it, because it is not guaranteed that the sources and
> the binaries in our archives correspond for all architectures. They are
> well aware that trojans can still exist, but it's an entirely different
> thing whether they exist in source and hence in all architectures (which
> would result in some serious negative feedback or even revocation of
> upload rights), or just in one of the binaries and hence would be much
> harder to detect/analyse.
I honestly think the security argument for doing this is silly.
However, that does not mean I think it's a bad idea. I actually think
it's a good idea, but for a somewhat different reason. Every single time
we get ready to release stable, someone builds every package in the
distribution and then encounters a bunch of FTBFS errors, particularly for
arch: all packages. Many of those errors were always there and were never
detected because we don't build arch: all packages anywhere outside the
maintainer's system. Similarly, there have been packages in the archive
with significantly different configured features and library dependencies
on x86 than on any other platform because of where the maintainer built
the package.
So I'm not disagreeing with the goal. I just don't like the security
argument for it and don't find it persuasive. But I would vote in favor
of building all *.debs on central build servers. (Whether we still
require a *.deb during upload is actually a separate question -- I think
there's an argument, perhaps not persuasive, in favor of requiring that
the upload contain built packages for at least one platform as a basic
sanity check but just throwing away that build after verifying it exists.)
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: