[arch-general] Question about automated builder
Thomas S Hatch
thatch45 at gmail.com
Sat Jan 29 01:06:20 EST 2011
On Fri, Jan 28, 2011 at 11:28 AM, Thomas S Hatch <thatch45 at gmail.com> wrote:
>
>
> On Fri, Jan 28, 2011 at 11:26 AM, Isaac Dupree <
> ml at isaac.cedarswampstudios.org> wrote:
>
>> On 01/28/11 09:32, Jakob Gruber wrote:
>>
>>> Another aspect of this is security. Right now, any dev / TU could
>>> theoretically check in a correct PKGBUILD but upload a binary package
>>> with *insert malicious content* in it to the repos with a very low
>>> probability of anyone ever noticing. A (mandatory) central build server
>>> could guarantee that the package is actually built with the specified
>>> publically available PKGBUILD.
>>>
>>> I'm not a security expert so please call me out if I'm talking nonsense.
>>>
>>
>> You have to trust all servers that are used for building. (and the servers
>> need to collectively have enough processing power to build everything!) If
>> we take random volunteers then it's not secure. But it can certainly help
>> security in certain ways if done right.
>>
>> ~Isaac
>>
>
> Yes, we cannot take "random" volunteers, but I am confident that we will be
> able to find distributed resources that are secure
>
Ok my fellow Archers, I have a bit of a proposal to chew on, I am not
claiming that it is "done" but it should outline my idea.
This is still very rough, so go easy on me, honestly I think I have put it
together rather quickly and I assume there are holes. If there are places
where you want clarity please let me know and I will fill them in.
I will have a fresh github project up in the morning. This project is highly
compartmentalized, it should be very easy for collaborators to work on
individual components.
Thank you for your support, I am excited to get this put together!
https://wiki.archlinux.org/index.php/Automated_Package_Build_System
-Thomas S Hatch
More information about the arch-general
mailing list