On Fri, Jan 28, 2011 at 9:08 AM, C Anthony Risinger <anthony@extof.me> wrote:
On Fri, Jan 28, 2011 at 9:51 AM, Thomas S Hatch <thatch45@gmail.com> wrote:
Jakob, YES! You are spot on here, one of the main motivations behind a system like this is security. While I don't think that this is a problem with our developers, I do think that it is a potential future problem, Arch is continuing to grow and at an exponential pace. Security of Arch packages is going to be an increasing issue. I don't want to open up the subject of package signing here, but as a side note, a build system could greatly aid aspects of security ranging from quality control to package signing and software verification.
iiiiiiii don't know about "exponential" ;-)
while not perfect by any means, tracking the file list (and possibly sizes too) might be useful as a loose check for validity; if a package suddenly has new files or is vastly different from previous builds there might be an issue (not necessarily malicious either).
i am kind of working on this same thing actually, but for my own personal mirror; i have many packages that i need auto built for several of my netbooks/laptops and VMs. it would be nice if the tool was flexible enough to be used in this manner (personal/closed loop). right now i'm about to try some bauerbill + makepkg hackzors... if anyone has done this already i would love to hear about it in a new thread, because it will save me time :-)
C Anthony
To be perfectly honest, a great deal of my motivation stems from the fact that I could really use an automated Arch package build server for my infrastructure at work, I have so many servers running Arch that manually maintaining our private repo is a bit of a pain :) But with that said I feel very strongly that my wants as a commercial user of Arch are not on par with the needs of the Arch community in the manner, in fact I would say that my wants from a commercial perspective should be thrown out, I don't want my commercial use of Arch to taint the community, it is one of my greatest fears as an Arch TU and contributor.
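The loose check C Anthony suggests above (compare a build's file list and sizes against the previous build), sketched in Python as an added example that is not part of the original thread. The thresholds, the function names and the sample package `foo` are assumptions made for illustration.

```python
import io
import tarfile

# Assumed thresholds (not from the thread): per-file and whole-package size drift.
FILE_RATIO = 0.5
TOTAL_RATIO = 0.3


def manifest(pkg_bytes):
    """Return {path: size} for the regular files in a package tarball."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        # Skip package metadata members such as .PKGINFO and .INSTALL.
        return {m.name: m.size for m in tar if m.isfile() and not m.name.startswith(".")}


def compare_builds(old, new):
    """Loose validity check: report how a new build differs from the previous one."""
    findings = [("new-file", p) for p in sorted(new.keys() - old.keys())]
    findings += [("removed-file", p) for p in sorted(old.keys() - new.keys())]
    findings += [("size-change", p) for p in sorted(old.keys() & new.keys())
                 if abs(new[p] - old[p]) > FILE_RATIO * max(old[p], 1)]
    total_old, total_new = sum(old.values()), sum(new.values())
    if abs(total_new - total_old) > TOTAL_RATIO * max(total_old, 1):
        findings.append(("total-size-change", f"{total_old} -> {total_new}"))
    return findings


def build_pkg(files):
    """Build an in-memory package tarball from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample builds of a hypothetical package "foo".
OLD = build_pkg({".PKGINFO": b"pkgname = foo\n", "usr/bin/foo": b"x" * 1000,
                 "usr/share/doc/foo/README": b"r" * 200})
NEW = build_pkg({".PKGINFO": b"pkgname = foo\n", "usr/bin/foo": b"x" * 4000,
                 "usr/share/doc/foo/README": b"r" * 210,
                 "etc/cron.d/foo": b"c" * 50})

if __name__ == "__main__":
    for kind, detail in compare_builds(manifest(OLD), manifest(NEW)):
        print(kind, detail)
```

A finding here is a prompt for a human to look at the build, not proof of tampering; a legitimate upstream release can add files or change sizes just as easily.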