Re: RPM

To: Nicolás Lichtmaier <nick@Feedback.com.ar>
Cc: Bruce Perens <bruce@pixar.com>, meierrj@frc.com, debian-user@lists.debian.org
Subject: Re: RPM
From: Paul Wade <paulwade@greenbush.com>
Date: Wed, 2 Apr 1997 18:29:43 -0500 (EST)
Message-id: <[🔎] Pine.LNX.3.96.970402180114.1373B-100000@greenbush.greenbush.lan>
In-reply-to: <[🔎] Pine.LNX.3.95q.970402175246.1195A-100000@newton>

On Wed, 2 Apr 1997, [iso-8859-1] Nicolás Lichtmaier wrote:

> On Wed, 2 Apr 1997, Bruce Perens wrote:
> 
> > Unfortunately, I feel that Debian must bear the cost of certification
> > of maintainers and original authors. Unless I can tell someone I know
> > where a program came from, no other security procedures can be trusted
> > to have any effectiveness whatsoever.
> 
>  Yes, they are. Testing, and revising developers diffs. If you could check
> package MD5 (someday we'll be able to do this =) ), you'll only need to
> see the diff.gz to check for security problems (Asuming we can trust the
> mainstream developer).
>  The proble left is: The .deb uploaded can be generated by a source not
> included in the source package. It would be great if gcc placed some kind
> of signature in binaries... but it doesn't... So.. what can we do? I say:
> let's make all developers upload only the source versions of their
> packages! An automated script can compile all the packages in some trusted
> environment.

I agree 100% with this approach. If the "pristine" source is not uploaded
by the developer, there is less source to review. The same type of
automation is needed by users. I would love to have a package that checks
my dpkg database and recompiles all installed programs in the background.
It should create a deb package by default. This would be great for getting
all the binaries optimized for a machine. My first stab at Debian was with
a pre-1.1 disk set. It was compiled for 486 and said "giving up" on my 386
test box. I had to switch my hardware around to evaluate Debian (well
worth the hassle). Such an automated system would correct such oversights.
The recent bo disks setup some unknown owner:group combinations. This
could possibly be prevented by checking against the base passwd and group
files.

As far as building programs in general goes, I think everybody should do a
make of Perl at least once. It is a great example of how to configure,
build, test, and install a package.

Paul Wade - Greenbush Technologies Corporation
http://www.greenbush.com/cds.html
Linux CD's sent worldwide

Reply to:

References:
- Re: RPM
  - From: Nicolás Lichtmaier <nick@Feedback.com.ar>

Prev by Date: Re: Dump hangs on my system
Next by Date: Re: Dump hangs on my system
Previous by thread: Re: RPM
Next by thread: Re: RPM
Index(es):
- Date
- Thread