[arch-general] Question about automated builder

Thomas S Hatch thatch45 at gmail.com
Fri Jan 28 13:28:19 EST 2011

On Fri, Jan 28, 2011 at 11:26 AM, Isaac Dupree <
ml at isaac.cedarswampstudios.org> wrote:

> On 01/28/11 09:32, Jakob Gruber wrote:
>> Another aspect of this is security. Right now, any dev / TU could
>> theoretically check in a correct PKGBUILD but upload a binary package
>> with *insert malicious content* in it to the repos with a very low
>> probability of anyone ever noticing. A (mandatory) central build server
>> could guarantee that the package is actually built with the specified
>> publically available PKGBUILD.
>> I'm not a security expert so please call me out if I'm talking nonsense.
> You have to trust all servers that are used for building. (and the servers
> need to collectively have enough processing power to build everything!)  If
> we take random volunteers then it's not secure.  But it can certainly help
> security in certain ways if done right.
> ~Isaac

Yes, we cannot take "random" volunteers, but I am confident that we will be
able to find distributed resources that are secure

More information about the arch-general mailing list