| 1 |
> Hi list, |
| 2 |
> |
| 3 |
> I was wondering how it works for binary packages when they are compiled: |
| 4 |
> |
| 5 |
> Are all binary packages compiled on Gentoo infrastructure after a source |
| 6 |
> upload from the maintainer, or are there any binary packages compiled on |
| 7 |
> maintainers computers and then uploaded on Gentoo infra? |
| 8 |
> |
| 9 |
> In fact, we had lots of trolls^W discussions about this point with |
| 10 |
> friends and colleagues who use other distros. And there is a security |
| 11 |
> question: do we allow uploads from developers without being sure the |
| 12 |
> binary comes from the corresponding sources? (the maintainer may be |
| 13 |
> malicious, or his computer may be compromised) The « binary upload » |
| 14 |
> practice is very common in other distro communities such as Debian. |
| 15 |
> Therefore I would like to know if we also have this flaw in Gentoo. |
| 16 |
> (and what do you think about it) |
| 17 |
> |
| 18 |
> Thank you, |
| 19 |
> |
| 20 |
> JC |
| 21 |
|
| 22 |
|
| 23 |
Hi Jean-Christophe Bach, |
| 24 |
The difference between the Debian, etc distros and Gentoo for me is |
| 25 |
that Gentoo is source distribution first with the tools to use binary |
| 26 |
packages later. For instance the way I update my servers is I have a |
| 27 |
tree mirror and a build server. I can track the changes, compile the |
| 28 |
packages, test them and finally deploy the built binary packages. |
| 29 |
Debian has tools to make all this happen too but I don't think it's |
| 30 |
the standard way. Gentoo keeps me close to the source with all the |
| 31 |
power to mix and mash versions, patches, etc and unties my hands to |
| 32 |
take control and responsibility over my systems. I take security very |
| 33 |
seriously too and I would suggest you take a look at the Gentoo Hardened |
| 34 |
Project. |
| 35 |
|
| 36 |
Regards, |
| 37 |
Dragostin Yanev |
Archives