Re: Recompilation of ALL Debian packages ...
On Saturday 02 September 2006 02:41, Russ Allbery wrote:
> martin f krafft <firstname.lastname@example.org> writes:
> > The reason I am pushing for this is because of two of my clients, who
> > have been wanting to use Debian for three years now but consciously
> > decided against it, because it is not guaranteed that the sources and
> > the binaries in our archives correspond for all architectures. They are
> > well aware that trojans can still exist, but it's an entirely different
> > thing whether they exist in source and hence in all architectures (which
> > would result in some serious negative feedback or even revocation of
> > upload rights), or just in one of the binaries and hence would be much
> > harder to detect/analyse.
>
> I honestly think the security argument for doing this is silly.

True, and Martin's reasoning is about consistency across the architectures,
not that much after security, as I read it.

> However, that does not mean I think it's a bad idea. I actually think
> it's a good idea, but for a somewhat different reason. Every single time
> we get ready to release stable, someone builds every package in the
> distribution and then encounters a bunch of FTBFS errors, particularly for
> arch: all packages. Many of those errors were always there and were never
> detected because we don't build arch: all packages anywhere outside the
> maintainer's system.

Fortunately there are lots of people running personal autobuilders and
reporting FTBFS's lately, even in the arch:all packages.

pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB