[arch-general] Question about automated builder
jakob.gruber at gmail.com
Fri Jan 28 09:32:07 EST 2011
Another aspect of this is security. Right now, any dev / TU could
theoretically check in a correct PKGBUILD but upload a binary package
with *insert malicious content* in it to the repos with a very low
probability of anyone ever noticing. A (mandatory) central build server
could guarantee that the package is actually built with the specified
publically available PKGBUILD.
I'm not a security expert so please call me out if I'm talking nonsense.
More information about the arch-general