[arch-general] Question about automated builder

C Anthony Risinger anthony at extof.me
Fri Jan 28 11:08:44 EST 2011


On Fri, Jan 28, 2011 at 9:51 AM, Thomas S Hatch <thatch45 at gmail.com> wrote:
>
> Jakob, YES! You are spot on here, one of the main motivations behind a
> system like this is security. While I don't think that this is a problem
> with our developers, I do think that it is a potential future problem, Arch
> is continuing to grow and at an exponential pace. Security of Arch packages
> is going to be an increasing issue. I don't want to open up the subject of
> package signing here, but as a side note, a build system could greatly aid
> aspects of security ranging from quality control to package signing and
> software verification.

iiiiiiii don't know about "exponential" ;-)

while not perfect by any means, tracking the file list (and possibly
sizes too) might be useful as a loose check for validity; if a package
suddenly has new files or is vastly different from previous builds
there might be an issue (not necessarily malicious either).

i am kind of working on this same thing actually, but for my own
personal mirror; i have many packages that i need auto built for
several of my netbooks/laptops and VMs.  it would be nice if the tool
was flexible enough to be used in this manner (personal/closed loop).
right now i'm about to try some bauerbill + makepkg hackzors... if
anyone has done this already i would love to hear about it in a new
thread, because it will save me time :-)

C Anthony
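As an added example (not code from this thread or from any Arch tooling), a small Python check along the lines Anthony sketches: it reads each regular file and its size from two package tarballs and reports files that appeared, vanished, or changed size beyond a threshold. The in-memory archives, file names and the 2x size threshold are constructed for illustration; real Arch packages are tar.xz/zst archives that the same `tarfile` call opens.

```python
"""Loose build-to-build validity check: compare file lists and sizes."""
import io
import tarfile


def build_archive(files):
    """Constructed test helper: pack {path: bytes} into an in-memory tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(archive_bytes):
    """Map every regular file in a package archive to its size (metadata only)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return {m.name: m.size for m in tar.getmembers() if m.isfile()}


def compare_builds(previous, current, size_ratio=2.0):
    """Diff two manifests: paths only in one build, and files whose size
    grew or shrank by more than size_ratio (a zero-size file changing at
    all also counts)."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    resized = []
    for path in sorted(set(previous) & set(current)):
        old, new = previous[path], current[path]
        if old == new:
            continue
        if min(old, new) == 0 or max(old, new) / min(old, new) > size_ratio:
            resized.append((path, old, new))
    return {"added": added, "removed": removed, "resized": resized}


def suspicious(diff):
    """True when the build differs from its predecessor in any tracked way."""
    return bool(diff["added"] or diff["removed"] or diff["resized"])


# Constructed sample: a rebuild that tripled its binary and gained a library.
PREVIOUS = build_archive({".PKGINFO": b"pkgname = foo\n",
                          "usr/bin/foo": b"x" * 1000,
                          "usr/share/man/man1/foo.1": b"m" * 200})
CURRENT = build_archive({".PKGINFO": b"pkgname = foo\n",
                         "usr/bin/foo": b"x" * 3000,
                         "usr/share/man/man1/foo.1": b"m" * 200,
                         "usr/lib/libhelper.so": b"h" * 500})

if __name__ == "__main__":
    print(compare_builds(manifest(PREVIOUS), manifest(CURRENT)))
```

A hit only means "look at this build", as the mail says: legitimate upstream changes trip it just as readily as tampering.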
