[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)
Ionuț Bîru
biru.ionut at gmail.com
Tue Jun 15 09:59:12 EDT 2010
On 06/15/2010 04:57 PM, Dimitrios Apostolou wrote:
> On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
>> And keep in mind that package signing per se will not solve this kind
>> of problems. Repository database signing is more important for that
>> solution, but is a problem in the current workflow of Arch developers.
>
> How exactly is core and extra database populated?
repo-add reponame.db.tar.gz packagefile.
on the server we have db-core/extra/testing, which checkouts the package
build from svn, compare the version and then copy into the directory and
running repo-add
>
> Moreover, instead of building all packages in the private PCs of
> developers, I think it is preferable to submit PKGBUILDs to build
> servers (via web interface maybe) and let the servers do the build +
> signing + repoupdate... That way if a developer's system gets
> compromised his packages will stay clean. Of course that needs extra
> work and equipment, but perhaps we can agree to it as a future target.
>
i found this annoying since, debugging is more harder, i have to
download the resulted package to test it, send it, wait for the pool to
come. is a mess :D
even if my system is compromised, we build our packages in clean chroots.
--
Ionuț
More information about the arch-general
mailing list