[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)
Dimitrios Apostolou
jimis at gmx.net
Wed Jun 16 18:18:59 EDT 2010
On Tue, 15 Jun 2010, Ionuț Bîru wrote:
> I found this annoying since debugging is harder; I have to download the
> resulting package to test it, send it, wait for the pool to come. It is a mess :D
>
> Even if my system is compromised, we build our packages in clean chroots.
The workflow won't be changing much using a build server: you build and
rebuild on your own system using a clean chroot, until you are satisfied
with the result. Then you submit PKGBUILD to the build server and forget
about it. 99% of the time the build will be successful, since it uses the
exact same buildchroot you did, the package will be automatically signed
with the arch-wide key stored safely in the server and will be submitted
to the repo. 1% of the time something bad happens in the process and you
get notified by email...
I think the idea of a build server is only positive, if we somehow
find the equipment needed. :-)
Dimitris