On Fri, Jan 28, 2011 at 11:28 AM, Thomas S Hatch <thatch45@gmail.com> wrote:
On Fri, Jan 28, 2011 at 11:26 AM, Isaac Dupree <ml@isaac.cedarswampstudios.org> wrote:
On 01/28/11 09:32, Jakob Gruber wrote:
Another aspect of this is security. Right now, any dev / TU could theoretically check in a correct PKGBUILD but upload a binary package with *insert malicious content* in it to the repos with a very low probability of anyone ever noticing. A (mandatory) central build server could guarantee that the package is actually built with the specified publicly available PKGBUILD.
I'm not a security expert so please call me out if I'm talking nonsense.
You have to trust all servers that are used for building. (And the servers need to collectively have enough processing power to build everything!) If we take random volunteers then it's not secure. But it can certainly help security in certain ways if done right.
~Isaac
Yes, we cannot take "random" volunteers, but I am confident that we will be able to find distributed resources that are secure.

Ok my fellow Archers, I have a bit of a proposal to chew on. I am not claiming that it is "done", but it should outline my idea. This is still very rough, so go easy on me; honestly, I think I have put it together rather quickly and I assume there are holes. If there are places where you want clarity, please let me know and I will fill them in. I will have a fresh GitHub project up in the morning.

This project is highly compartmentalized; it should be very easy for collaborators to work on individual components.

Thank you for your support, I am excited to get this put together!

https://wiki.archlinux.org/index.php/Automated_Package_Build_System

-Thomas S Hatch