Gentoo Archives: gentoo-user

From: Jean-Christophe Bach <jc.bach@×××××××.org>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Question about binary packages
Date: Wed, 09 Apr 2014 22:52:08
Message-Id: 20140409225152.GF19424@morgoth
1 Hi list,
3 I was wondering how it works for binary packages when they are compiled:
5 Are all binary packages compiled on Gentoo infrastructure after a source
6 upload from the maintainer, or are there any binary packages compiled on
7 maintainers computers and then uploaded on Gentoo infra?
9 In fact, we had lots of trolls^W discussions about this point with
10 friends and colleagues who use other distros. And there is a security
11 question: do we allow uploads from developers without being sure the
12 binary comes from the corresponding sources? (the maintainer may be
13 malicious, or his computer may be compromised) The « binary upload »
14 practice is very common in other distro communities such as Debian.
15 Therefore I would like to know if we also have this flaw in Gentoo.
16 (and what do you think about it)
18 Thank you,
20 JC


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-user] Question about binary packages Michael Orlitzky <mjo@g.o>
Re: [gentoo-user] Question about binary packages Dragostin Yanev <gentoo+user@×××××××.com>