[Mageia-dev] Will this work for a build system?

Colin Guthrie mageia at colin.guthr.ie
Mon Sep 27 11:11:01 CEST 2010

'Twas brillig, and P. Christeas at 27/09/10 08:00 did gyre and gimble:
> On Sunday 26 September 2010, herman wrote:
>> BTW, I once calculated (test plus extrapolation) how long it would take
>> to rebuild every package in Mandriva on a low end 2 GHz Celeron server
>> that I had available and it came to about 80 days.
> I, frankly, don't care.
> See, that would be the final packaging for a release. In the meanwhile, we 
> could exchange our Cauldron packages in a less-secure constellation of build 
> machines. If we admit that cauldron rpms are just built by the packagers (but 
> also signed etc.), then we take a lot of load off the "release" build cluster.

I really don't like this. It really does not fit in with things. This
would mean that a release would actually require a full rebuild for a
start (this doesn't happen currently).

And it also assumes that any security compromised package build by a
compromised cauldron user in no way impacts the package repository that
will ultimately be used to build the distro itself.

Personally I want my cauldron packages to be just as secure as my
release packages. After all I visit web pages, enter online banking
details, connect to VPN and SSH etc. etc. all via cauldron install.

I really do not thing that any security model should differentiate
between devel & release from a "required security level" perspective.



Colin Guthrie

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mageia Contributor [http://www.mageia.org/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]

More information about the Mageia-dev mailing list