On Tue, 15 Jun 2010, Denis A. AltoƩ Falqueto wrote:
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis@gmx.net> wrote:
Moreover, instead of building all packages in the private PCs of developers, I think it is preferable to submit PKGBUILDs to build servers (via web interface maybe) and let the servers do the build + signing + repoupdate... That way if a developer's system gets compromised his packages will stay clean. Of course that needs extra work and equipment, but perhaps we can agree to it as a future target.
Well, in fact, that is the very problem we have. The repository database files are created remotely and I think that we should avoid signing files remotely. In fact, a dev's machine is less visible than the servers of Arch. And sse the response from Ionut too.
Let me just clarify here that by "build server" I mean a machine where developers have *not* shell access (and in fact almost nobody has), and by "package signing" I mean signing with a specific archlinux key which is unknown (the private part) to most devs. Some distros follow that approach to security. What you are proposing is package signing by developer keys, that's a different approach. I am just bringing up alternatives. Dimitris BTW I don't think that building inside a compromised system is in any way secure, even if building inside a chroot.