| 1 |
On 04/09/2014 06:51 PM, Jean-Christophe Bach wrote: |
| 2 |
> Hi list, |
| 3 |
> |
| 4 |
> I was wondering how it works for binary packages when they are compiled: |
| 5 |
> |
| 6 |
> Are all binary packages compiled on Gentoo infrastructure after a source |
| 7 |
> upload from the maintainer, or are there any binary packages compiled on |
| 8 |
> maintainers computers and then uploaded on Gentoo infra? |
| 9 |
|
| 10 |
Could be either. The best way to tell is to look at the SRC_URI line in |
| 11 |
the ebuild. For example, Firefox comes from Mozilla, while |
| 12 |
dev-lang/ghc[binary] was built by the maintainer. |
| 13 |
|
| 14 |
> In fact, we had lots of trolls^W discussions about this point with |
| 15 |
> friends and colleagues who use other distros. And there is a security |
| 16 |
> question: do we allow uploads from developers without being sure the |
| 17 |
> binary comes from the corresponding sources? (the maintainer may be |
| 18 |
> malicious, or his computer may be compromised) |
| 19 |
|
| 20 |
Every Gentoo developer essentially has root on your box. While that may |
| 21 |
not make you feel better, it means you don't have to worry about it =) |
Archives