[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Dimitrios Apostolou jimis at gmx.net
Wed Jun 16 18:18:59 EDT 2010


On Tue, 15 Jun 2010, Ionuț Bîru wrote:
> I found this annoying since debugging is harder: I have to download the
> resulting package to test it, send it, wait for the pool to come. It is a mess :D
>
> Even if my system is compromised, we build our packages in clean chroots.

The workflow won't be changing much using a build server: you build and 
rebuild on your own system using a clean chroot, until you are satisfied 
with the result. Then you submit the PKGBUILD to the build server and forget 
about it. 99% of the time the build will be successful, since it uses the 
exact same buildchroot you did; the package will be automatically signed 
with the arch-wide key stored safely in the server and will be submitted 
to the repo. 1% of the time something bad happens in the process and you 
get notified by email...

I think the idea of a build server is only positive, if we somehow 
find the equipment needed. :-)


Dimitris

