
Re: Recompilation of ALL Debian packages ...



On Mon, 04 Sep 2006, James R. Van Zandt wrote:
> >   You are right, I wrote source-only upload, but obviously 
> >   upload-binary-and-remove-it is better policy.
> 
> I suggest that the uploaded binary be kept temporarily, for two
> purposes:  
> 
>  - Eliminate the wait for the buildd for the first architecture.

Not acceptable.  It will cause a time window where a trojaned binary package
might be active, and since it would later have a new clean one replacing it,
it would be even worse to detect the problem.

If you are to replace the uploaded binary debs with ones rebuilt from
source, do it right: do not install the "untrusted" binary debs to the
archive anywhere, and don't let them get to incoming.d.o, either.

>  - Allow an automated comparison of the two .debs.  This would take

This is worth doing, but difficult to get right.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
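
An added example, not part of the original message and not Debian's own tooling: a byte-for-byte comparison of an uploaded .deb and a rebuilt one fails on archive timestamps alone, so this sketch compares the contents underneath the ar and tar metadata. The function names and the in-memory sample packages are constructed for illustration.

```python
import hashlib, io, tarfile

def ar_members(blob):
    """Split a .deb (an ar archive) into {member: bytes}, dropping header mtime/uid/gid."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    out, pos = {}, 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        size = int(hdr[48:58].decode())
        out[hdr[:16].decode().rstrip(" /")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # members are 2-byte aligned
    return out

def tar_digest(data):
    """Map path -> (mode, link target, sha256 of content); tar mtimes are ignored."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:   # compression auto-detected
        return {m.name: (m.mode, m.linkname, hashlib.sha256(
            tf.extractfile(m).read() if m.isfile() else b"").hexdigest()) for m in tf}

def compare_debs(a, b):
    """Return the sorted list of members/paths that differ in content or mode."""
    ma, mb, diffs = ar_members(a), ar_members(b), []
    for name in sorted(set(ma) | set(mb)):
        if name.startswith(("control.tar", "data.tar")) and name in ma and name in mb:
            da, db = tar_digest(ma[name]), tar_digest(mb[name])
            diffs += [f"{name}:{p}" for p in sorted(set(da) | set(db)) if da.get(p) != db.get(p)]
        elif ma.get(name) != mb.get(name):
            diffs.append(name)
    return diffs

def make_deb(files, mtime):
    """Constructed sample input: a minimal .deb-shaped archive built in memory."""
    def tar(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, content in entries.items():
                info = tarfile.TarInfo(path)
                info.size, info.mtime, info.mode = len(content), mtime, 0o755
                tf.addfile(info, io.BytesIO(content))
        return buf.getvalue()
    blob = b"!<arch>\n"
    for name, data in [("debian-binary", b"2.0\n"), ("data.tar.gz", tar(files))]:
        hdr = f"{name:<16}{mtime:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        blob += hdr.encode() + data + b"\n" * (len(data) & 1)
    return blob
```

This normalises only archive and tar metadata; any path it reports differs in content or mode and still needs review to decide whether the difference is benign.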


