On Mon, Mar 30, 2009 at 10:37 AM, Philipp Riegger <lists@××××××××××××.de> wrote:
> And how will you find and identify trustworthy people?

I'm going to cover trust just once.

people who are already verified as being members of the gentoo
organization. e.g. have an @gentoo.org email.

the same thing that stops you from doing this as a developer, nothing,
how do I know your patches that you've added with epatch or the sed
ones don't do this now? this is stupid, you either trust the devs
working on stuff or you don't. you can't have an in between, if you
have people working for you that you don't trust you have a huge
problem. In fact if the toolchain people wanted they could backdoor
something that ssh relies on to build, or use and leave ssh
vulnerable, so without a full tree audit it's impossible to know. hell
if you could patch all editors on the system to not display a line in
a certain file... how long would it take you to find that?

security is not the issue with binary repositories, please don't
discuss security as an issue further, we can implement it well enough.
(currently to hack a bunch of gentoo systems all one has to do is take
control of a single rsync mirror)

>> For convenience it would be great, if people could tell portage their
>> builder-ID and have portage upload generated packages automatically.

perhaps it should only be certain packages, you maintain package X
it's uploaded when you build, the problem comes to what things have
been built against.


what I want to know is how you solve the problem of moving toolchain
and deps? what if I upgrade glibc on my system? that could totally
break all binary compatibility with any package, how are you going to
define what version of what deps a package was built against.
-- 
Caleb Cushing

http://xenoterracide.blogspot.com
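The two technical questions raised in the message above (how a binary repository records what a package was built against, and how a client detects a tampered copy served by a compromised mirror) can be sketched as a small manifest scheme. The following is an added example written for this thread, not code from portage or from any Gentoo project; the manifest layout, the `build_manifest` / `check_install` helpers, the package names, versions and builder identity are all constructed for illustration. The install-time check refuses a binary whose recorded dependency versions (e.g. glibc) differ from what is installed, whose payload digest does not match, or whose builder is not in the trusted set.

```python
"""Toy binary-package manifest with build-time dependency pinning and install-time checks.

Added example for the mailing-list discussion; not portage code. All package names,
versions, builder identities and payload bytes below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class Manifest:
    name: str               # package atom, e.g. "net-misc/openssh"
    version: str            # version of the package that was built
    builder: str            # identity of the builder (e.g. an @gentoo.org address)
    payload_sha256: str     # digest of the binary tarball as uploaded by the builder
    built_against: dict     # dependency -> exact version installed on the builder at build time

    def to_json(self) -> str:
        # Canonical serialization so the manifest itself can later be signed by the builder.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))


def build_manifest(name: str, version: str, builder: str, payload: bytes,
                   builder_system: dict, deps: list) -> Manifest:
    """At build time, record the exact versions of `deps` present on the builder's system."""
    return Manifest(
        name=name,
        version=version,
        builder=builder,
        payload_sha256=hashlib.sha256(payload).hexdigest(),
        built_against={dep: builder_system[dep] for dep in deps},
    )


def check_install(manifest: Manifest, payload: bytes, installed: dict,
                  trusted_builders: set) -> list:
    """Return the list of reasons the binary must not be installed; an empty list means OK.

    Note: the digest check only protects against a tampered payload if the manifest
    itself reached the client over a trusted channel or carries a verified signature
    (signing is out of scope for this example).
    """
    problems = []
    if manifest.builder not in trusted_builders:
        problems.append(f"builder {manifest.builder} is not in the trusted set")
    if hashlib.sha256(payload).hexdigest() != manifest.payload_sha256:
        problems.append("payload digest does not match manifest (tampering or corruption)")
    for dep, wanted in manifest.built_against.items():
        have = installed.get(dep)
        if have is None:
            problems.append(f"{dep} is not installed (package was built against {wanted})")
        elif have != wanted:
            problems.append(f"{dep} is {have} but package was built against {wanted}")
    return problems


# Constructed sample data: the builder's system, a client that later upgraded glibc,
# the "uploaded" binary payload, and the set of builders the client trusts.
BUILDER_SYSTEM = {"sys-libs/glibc": "2.9_p20081201-r2", "sys-libs/zlib": "1.2.3-r1"}
CLIENT_SAME = dict(BUILDER_SYSTEM)
CLIENT_UPGRADED_GLIBC = {"sys-libs/glibc": "2.10.1", "sys-libs/zlib": "1.2.3-r1"}
PAYLOAD = b"constructed-openssh-binary-tarball-bytes"
TAMPERED_PAYLOAD = b"constructed-openssh-binary-tarball-bytes-modified-on-mirror"
TRUSTED = {"builder@gentoo.org"}

MANIFEST = build_manifest("net-misc/openssh", "5.2_p1", "builder@gentoo.org",
                          PAYLOAD, BUILDER_SYSTEM, ["sys-libs/glibc", "sys-libs/zlib"])


def demo() -> dict:
    """Run the three scenarios from the discussion and return the check results."""
    return {
        "matching_system": check_install(MANIFEST, PAYLOAD, CLIENT_SAME, TRUSTED),
        "glibc_upgraded": check_install(MANIFEST, PAYLOAD, CLIENT_UPGRADED_GLIBC, TRUSTED),
        "mirror_tampered": check_install(MANIFEST, TAMPERED_PAYLOAD, CLIENT_SAME, TRUSTED),
        "untrusted_builder": check_install(MANIFEST, PAYLOAD, CLIENT_SAME, {"someone@example.invalid"}),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", "OK" if not problems else problems)
```

Pinning exact versions is the strictest policy and will reject many installs after any dependency bump; a real scheme would pin an ABI or slot identifier rather than the full version string, but the shape of the check (record at build time, compare at install time, and verify the payload against a manifest the client can trust) stays the same.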