[Mageia-dev] Will this work for a build system?
Colin Guthrie
mageia at colin.guthr.ie
Mon Sep 27 11:11:01 CEST 2010
'Twas brillig, and P. Christeas at 27/09/10 08:00 did gyre and gimble:
> On Sunday 26 September 2010, herman wrote:
>> BTW, I once calculated (test plus extrapolation) how long it would take
>> to rebuild every package in Mandriva on a low end 2 GHz Celeron server
>> that I had available and it came to about 80 days.
>
> I, frankly, don't care.
>
> See, that would be the final packaging for a release. In the meanwhile, we
> could exchange our Cauldron packages in a less-secure constellation of build
> machines. If we admit that cauldron rpms are just built by the packagers (but
> also signed etc.), then we take a lot of load off the "release" build cluster.
I really don't like this. It really does not fit in with things. This
would mean that a release would actually require a full rebuild for a
start (this doesn't happen currently).

And it also assumes that any security-compromised package built by a
compromised cauldron user in no way impacts the package repository that
will ultimately be used to build the distro itself.

Personally I want my cauldron packages to be just as secure as my
release packages. After all I visit web pages, enter online banking
details, connect to VPN and SSH etc. etc. all via cauldron install.

I really do not think that any security model should differentiate
between devel & release from a "required security level" perspective.

Col
--
Colin Guthrie
mageia(at)colin.guthr.ie
http://colin.guthr.ie/
Day Job:
Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
Mageia Contributor [http://www.mageia.org/]
PulseAudio Hacker [http://www.pulseaudio.org/]
Trac Hacker [http://trac.edgewall.org/]