| 1 |
On Mon, Mar 30, 2009 at 10:37 AM, Philipp Riegger <lists@××××××××××××.de> wrote: |
| 2 |
> And how will you find and identify trustworthy people? |
| 3 |
|
| 4 |
I'm going to to cover trust just once. |
| 5 |
|
| 6 |
people who are already verified as being members of the gentoo |
| 7 |
organization. e.g. have an @gentoo.org email. |
| 8 |
|
| 9 |
the same thing that stops you from doing this as a developer, nothing, |
| 10 |
how do I know your patches that you've added with epatch or the sed |
| 11 |
ones don't do this now? this is stupid, you either trust the devs |
| 12 |
working on stuff or you don't. you can't have an in between, if you |
| 13 |
have people working for you that you don't trust you have a huge |
| 14 |
problem. In fact if the toolchain people wanted they could backdoor |
| 15 |
something that ssh relies on to build, or use and leave ssh |
| 16 |
vulnerable, so without a full tree audit it's impossible to know. hell |
| 17 |
if you could patch all editors on the system to not display a line in |
| 18 |
a certain file... how long would it take you to find that? |
| 19 |
|
| 20 |
security is not the issue with binary repositories, please don't |
| 21 |
discuss security as an issue further, we can implement it well enough. |
| 22 |
(currently to hack a bunch of gentoo systems all one has to do is take |
| 23 |
control of a single rsync mirror) |
| 24 |
|
| 25 |
>> For convenience it would be great, if people could tellportage their |
| 26 |
>> builder- ID and have portage upload generated packages automatically. |
| 27 |
|
| 28 |
perhaps it should only be certain packages, you maintain package X |
| 29 |
it's uploaded when you build, the problem comes to what things have |
| 30 |
been built against. |
| 31 |
|
| 32 |
|
| 33 |
what I want to know is how you solve the problem of moving toolchain |
| 34 |
and deps? what if I upgrade glibc on my system? that could totally |
| 35 |
break all binary compatibility with any package, how are you going to |
| 36 |
define what version of what deps a package was built against. |
| 37 |
-- |
| 38 |
Caleb Cushing |
| 39 |
|
| 40 |
http://xenoterracide.blogspot.com |
Archives