[Mageia-dev] Will this work for a build system?

R James upsnag2 at gmail.com
Mon Sep 27 17:16:18 CEST 2010


On Mon, Sep 27, 2010 at 5:31 AM, Buchan Milne <bgmilne at multilinks.com> wrote:
>
> IMHO, you should also keep the public keys of tarball signers. Please have a
> look at the samba SPEC file, which does verification of the tarball signature
> during %prep. In conjunction with the existing build tools (repsys/mdvsys
> etc.), a single command ('mdvsys update samba xxx') currently (usually)
> updates and submits the package, and building it at any time validates the
> source tarball.
>
> Actually, I still need to petition other security-sensitive packages which
> have previously said that tarball signing is irrelevant (due to the problem of
> first establishing trust of public keys etc.).
>
For the initial launch of Mageia, I understand the benefits of having
a trusted build system in a controlled data center.  It's safe, simple
and when the initial deployment issues arise, physical access to the
servers may be required.

However, if a system is devised which allows known/trusted
contributors to provide good hardware and bandwidth for package
building, I'd be very willing to participate. :-)

Thanks again,
Rick
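
The %prep-time check described in the quoted text above, sketched as an added example: it is not from this thread and is not the samba SPEC file's own code. The function name, argument order and the `raw`/`gunzip` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed source verification for a %prep-style build step.
#
# verify_source_tarball KEYRING SIGNATURE TARBALL [raw|gunzip]
#   KEYRING    binary (non-armored) export of the upstream signers' public
#              keys, kept in the package repository beside the spec file
#   SIGNATURE  detached signature published by upstream
#   TARBALL    the source archive to be built
#   raw        signature covers the file as downloaded (default)
#   gunzip     signature covers the uncompressed tar stream
# Returns 0 only when a key in KEYRING made a valid signature over the data.
verify_source_tarball() {
    keyring=$1 sig=$2 tarball=$3 form=${4:-raw}

    for f in "$keyring" "$sig" "$tarball"; do
        [ -s "$f" ] || { echo "verify: missing or empty: $f" >&2; return 2; }
    done

    # gpgv resolves a keyring name without a slash relative to its home
    # directory, so always hand it an explicit path.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac

    # gpgv consults only the keyring it is given: no user keyring, no trust
    # database, no key server lookup. A signature by any other key fails.
    case $form in
        raw)    gpgv --quiet --keyring "$keyring" "$sig" "$tarball" ;;
        gunzip) gzip -dc "$tarball" | gpgv --quiet --keyring "$keyring" "$sig" - ;;
        *)      echo "verify: unknown form: $form" >&2; return 2 ;;
    esac
}

# In a spec file the call would sit at the top of %prep, before %setup
# unpacks anything, so that a failed check aborts the build.
```

Because the keyring is stored with the package, every rebuild checks the tarball against the same signer keys, and a changed key shows up as a reviewable change in the repository.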

