[arch-general] Question about automated builder

Thomas S Hatch thatch45 at gmail.com
Sat Jan 29 01:06:20 EST 2011


On Fri, Jan 28, 2011 at 11:28 AM, Thomas S Hatch <thatch45 at gmail.com> wrote:

>
>
> On Fri, Jan 28, 2011 at 11:26 AM, Isaac Dupree <
> ml at isaac.cedarswampstudios.org> wrote:
>
>> On 01/28/11 09:32, Jakob Gruber wrote:
>>
>>> Another aspect of this is security. Right now, any dev / TU could
>>> theoretically check in a correct PKGBUILD but upload a binary package
>>> with *insert malicious content* in it to the repos with a very low
>>> probability of anyone ever noticing. A (mandatory) central build server
>>> could guarantee that the package is actually built with the specified
>>> publically available PKGBUILD.
>>>
>>> I'm not a security expert so please call me out if I'm talking nonsense.
>>>
>>
>> You have to trust all servers that are used for building. (and the servers
>> need to collectively have enough processing power to build everything!)  If
>> we take random volunteers then it's not secure.  But it can certainly help
>> security in certain ways if done right.
>>
>> ~Isaac
>>
>
> Yes, we cannot take "random" volunteers, but I am confident that we will be
> able to find distributed resources that are secure
>

Ok my fellow Archers, I have a bit of a proposal to chew on, I am not
claiming that it is "done" but it should outline my idea.

This is still very rough, so go easy on me, honestly I think I have put it
together rather quickly and I assume there are holes. If there are places
where you want clarity please let me know and I will fill them in.

I will have a fresh github project up in the morning. This project is highly
compartmentalized, it should be very easy for collaborators to work on
individual components.

Thank you for your support, I am excited to get this put together!

https://wiki.archlinux.org/index.php/Automated_Package_Build_System

-Thomas S Hatch


More information about the arch-general mailing list