On Fri, Jan 28, 2011 at 9:51 AM, Thomas S Hatch <thatch45@gmail.com> wrote:
Jakob, YES! You are spot on here; one of the main motivations behind a system like this is security. While I don't think that this is a problem with our developers, I do think that it is a potential future problem. Arch is continuing to grow, and at an exponential pace. Security of Arch packages is going to be an increasing issue. I don't want to open up the subject of package signing here, but as a side note, a build system could greatly aid aspects of security ranging from quality control to package signing and software verification.

iiiiiiii don't know about "exponential" ;-)

while not perfect by any means, tracking the file list (and possibly sizes too) might be useful as a loose check for validity; if a package suddenly has new files or is vastly different from previous builds there might be an issue (not necessarily malicious either).

i am kind of working on this same thing actually, but for my own personal mirror; i have many packages that i need auto built for several of my netbooks/laptops and VMs. it would be nice if the tool was flexible enough to be used in this manner (personal/closed loop).

right now i'm about to try some bauerbill + makepkg hackzors... if anyone has done this already i would love to hear about it in a new thread, because it will save me time :-)

C Anthony
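
The file-list-and-size check suggested in the reply above, as an added example (not code from the thread or from any Arch tool). The package name `foo`, the two sample archives, and the `size_ratio` / `min_bytes` thresholds are constructed assumptions.

```python
import io
import tarfile

# Metadata members of an Arch package archive; these are not installed files.
METADATA = {".PKGINFO", ".BUILDINFO", ".MTREE", ".INSTALL", ".CHANGELOG"}

def manifest(pkg_bytes):
    """Map each regular file path in a package tarball to its size in bytes."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        return {m.name: m.size for m in tar.getmembers()
                if m.isfile() and m.name not in METADATA}

def compare_builds(old, new, size_ratio=2.0, min_bytes=4096):
    """Return files added, removed, or changed in size by more than size_ratio."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    resized = []
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        big, small = max(a, b), min(a, b)
        # Ignore churn in tiny files; flag only large relative changes.
        if big >= min_bytes and big > size_ratio * max(small, 1):
            resized.append((path, a, b))
    return {"added": added, "removed": removed, "resized": resized}

def _make_pkg(files):
    """Build a constructed in-memory tarball standing in for a built package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, size in files.items():
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"\0" * size))
    return buf.getvalue()

# Constructed sample builds of a hypothetical package "foo" (previous vs. new).
OLD_PKG = _make_pkg({".PKGINFO": 300, "usr/bin/foo": 20000,
                     "usr/share/man/man1/foo.1": 1200, "usr/share/doc/foo/README": 900})
NEW_PKG = _make_pkg({".PKGINFO": 310, "usr/bin/foo": 95000,
                     "usr/share/man/man1/foo.1": 1300, "usr/lib/foo/plugin.so": 8000})

def report():
    """Compare the two constructed builds and return the differences."""
    return compare_builds(manifest(OLD_PKG), manifest(NEW_PKG))

if __name__ == "__main__":
    for kind, items in report().items():
        print(kind, items)
```

A non-empty result is a prompt for a human to look at the build, not a verdict; legitimate upstream releases add files and change sizes too.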