[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [GR] DD should be allowed to perform binary-only uploads

This one time, at band camp, Pierre Habouzit said:
>   I also addressed that part in my mail. The arguments I've read against
> "rogue" buildds are threefold:
>   * security (I _really_ think it's nonsense, as it's not less secure
>     than the usual DD's uploads, which I tried to prove) ;
>   [0] in fact I'd even say that if it's done at the "industrial" scale,
>       there is a lot of chances the person doing it has built an
>       automatized system based on sbuild or another very used system
>       anyway.

I see that someone else has mentioned reproducibility, so we can leave
that part of the argument there.  One thing that strikes me is that in
all of the emails so far, everyone is ignoring that this whole thing
started because Aurelien decided to start autobuilding packages in qemu.

I am sure qemu is very good at what it does, but I do not have faith
that it can stand in for a real CPU in all the corner cases.  If
Aurelien builds a java package that had previously FTBFS'd, do we have
any guarantee that it will build natively?  How is the security team
supposed to support that?

I agree that the way the restriction was implemented was odd, but I can
see the point of it.  I doubt that the occasional one off binNMU is
going to have very much affect on the quality of the archive overall,
but I do have serious misgivings about people setting up rogue
autobuilders on a whim.
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: