[arch-general] Question about automated builder

Jakob Gruber jakob.gruber at gmail.com
Fri Jan 28 09:32:07 EST 2011

Another aspect of this is security. Right now, any dev / TU could 
theoretically check in a correct PKGBUILD but upload a binary package 
with *insert malicious content* in it to the repos with a very low 
probability of anyone ever noticing. A (mandatory) central build server 
could guarantee that the package is actually built with the specified 
publically available PKGBUILD.

I'm not a security expert so please call me out if I'm talking nonsense.

More information about the arch-general mailing list