> Hi list,
>
> I was wondering how it works for binary packages when they are compiled:
>
> Are all binary packages compiled on Gentoo infrastructure after a source
> upload from the maintainer, or are there any binary packages compiled on
> maintainers' computers and then uploaded to Gentoo infra?
>
> In fact, we had lots of trolls^W discussions about this point with
> friends and colleagues who use other distros. And there is a security
> question: do we allow uploads from developers without being sure the
> binary comes from the corresponding sources? (The maintainer may be
> malicious, or his computer may be compromised.) The « binary upload »
> practice is very common in other distro communities such as Debian.
> Therefore I would like to know if we also have this flaw in Gentoo
> (and what you think about it).
>
> Thank you,
>
> JC


Hi Jean-Christophe Bach,

The difference between the Debian, etc. distros and Gentoo for me is
that Gentoo is a source distribution first, with the tools to use binary
packages later. For instance, the way I update my servers is: I have a
tree mirror and a build server. I can track the changes, compile the
packages, test them and finally deploy the built binary packages.
Debian has tools to make all this happen too, but I don't think it's
the standard way. Gentoo keeps me close to the source with all the
power to mix and mash versions, patches, etc. and unties my hands to
take control and responsibility over my systems. I take security very
seriously too, and I would suggest you take a look at the Gentoo Hardened
Project.

Regards,
Dragostin Yanev