This one time, at band camp, Pierre Habouzit said:
>
> I also addressed that part in my mail. The arguments I've read against
> "rogue" buildds are threefold:
>  * security (I _really_ think it's nonsense, as it's not less secure
>    than the usual DD's uploads, which I tried to prove) ;
>
>  [0] in fact I'd even say that if it's done at the "industrial" scale,
>      there is a lot of chances the person doing it has built an
>      automatized system based on sbuild or another very used system
>      anyway.

I see that someone else has mentioned reproducibility, so we can leave
that part of the argument there.

One thing that strikes me is that in all of the emails so far, everyone
is ignoring that this whole thing started because Aurelien decided to
start autobuilding packages in qemu. I am sure qemu is very good at
what it does, but I do not have faith that it can stand in for a real
CPU in all the corner cases. If Aurelien builds a java package that had
previously FTBFS'd, do we have any guarantee that it will build
natively? How is the security team supposed to support that?

I agree that the way the restriction was implemented was odd, but I can
see the point of it. I doubt that the occasional one-off binNMU is
going to have very much effect on the quality of the archive overall,
but I do have serious misgivings about people setting up rogue
autobuilders on a whim.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------