On 04/09/2014 06:51 PM, Jean-Christophe Bach wrote:
> Hi list,
>
> I was wondering how it works for binary packages when they are compiled:
>
> Are all binary packages compiled on Gentoo infrastructure after a source
> upload from the maintainer, or are there any binary packages compiled on
> maintainers' computers and then uploaded on Gentoo infra?

Could be either. The best way to tell is to look at the SRC_URI line in
the ebuild. For example, Firefox comes from Mozilla, while
dev-lang/ghc[binary] was built by the maintainer.

> In fact, we had lots of trolls^W discussions about this point with
> friends and colleagues who use other distros. And there is a security
> question: do we allow uploads from developers without being sure the
> binary comes from the corresponding sources? (the maintainer may be
> malicious, or his computer may be compromised)

Every Gentoo developer essentially has root on your box. While that may
not make you feel better, it means you don't have to worry about it =)
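
The SRC_URI check the reply describes, as an added example that is not part of the original message: a Python sketch that lists the hosts an ebuild's SRC_URI fetches from, together with the USE flags guarding each entry. The sample ebuild is constructed, and the function names and the labelling of dev.gentoo.org as developer-hosted are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample for illustration, not an ebuild from the Gentoo tree.
SAMPLE_EBUILD = r'''
EAPI=5
SRC_URI="https://upstream.example.org/foo/${P}.tar.gz
    binary? (
        amd64? ( https://dev.gentoo.org/~somedev/${P}-bin.tar.xz -> ${P}-amd64.tar.xz )
    )
    doc? ( mirror://gentoo/${P}-docs.tar.bz2 )"
'''

def classify(host):
    """Rough origin label. Assumption: files under dev.gentoo.org are
    uploaded by an individual developer; everything else is 'other'."""
    if host == "dev.gentoo.org":
        return "gentoo-developer"
    if host == "mirror://gentoo":
        return "gentoo-mirror"
    return "other"

def src_uri_origins(ebuild_text):
    """Return (label, host, use_conditions) for every URI in SRC_URI."""
    out = []
    for m in re.finditer(r'^SRC_URI\+?="(.*?)"', ebuild_text, re.S | re.M):
        conds, pending, skip = [], None, False
        for tok in m.group(1).split():
            if skip:                      # name after "->" is a local rename
                skip = False
            elif tok == "->":
                skip = True
            elif tok.endswith("?"):       # "flag?" guards the next group
                pending = tok[:-1]
            elif tok == "(":
                conds.append(pending)
                pending = None
            elif tok == ")":
                if conds:
                    conds.pop()
            elif "://" in tok:
                parts = urlsplit(tok)
                host = (f"mirror://{parts.netloc}" if parts.scheme == "mirror"
                        else parts.hostname or parts.netloc)
                active = tuple(c for c in conds if c)
                out.append((classify(host), host, active))
    return out

if __name__ == "__main__":
    for label, host, conds in src_uri_origins(SAMPLE_EBUILD):
        print(f"{label:17} {host:25} USE: {' '.join(conds) or '-'}")
```

The Manifest checksums Portage verifies confirm that a download matches what the maintainer committed, not that a binary was built from the stated sources, so a developer-hosted entry behind a binary USE flag is the case the question above is asking about.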