From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20100926/000271.html | 111 ++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 zarb-ml/mageia-dev/20100926/000271.html (limited to 'zarb-ml/mageia-dev/20100926/000271.html') diff --git a/zarb-ml/mageia-dev/20100926/000271.html b/zarb-ml/mageia-dev/20100926/000271.html new file mode 100644 index 000000000..6524d8fb1 --- /dev/null +++ b/zarb-ml/mageia-dev/20100926/000271.html @@ -0,0 +1,111 @@ + + + + [Mageia-dev] Will this work for a build system? + + + + + + + + + +

[Mageia-dev] Will this work for a build system?

+ Giuseppe Ghibò + ghibomgx at gmail.com +
+ Sun Sep 26 19:14:15 CEST 2010 +

+
+ +
2010/9/26 nicolas vigier <boklm at mars-attacks.org>
+
+> On Sun, 26 Sep 2010, joris dedieu wrote:
+>
+> > 2010/9/26 Olivier Blin <mageia at blino.org>:
+> > >
+> > > Because there are some authentication and integrity issues which are
+> not
+> > > simple to solve: we have to be sure that the binary packages really
+> come
+> > > from the unmodified SRPM (so that it does not contains malware).
+> >
+> > This can be avoid by
+> > - building every package twice (also useful for integrity check)
+>
+> Then you can still do it with two hosts adding malware instead of one.
+>
+
+What this means? Two RPMs built at different time will result different,
+even the executable binaries when built on the same hardware at different
+time might be different (because of timestamps, etc.).
+
+IMHO the idea of the cloud is not that bad but need to be rethinked. I don't
+see so much flaws for security. If you inspire to what repsys is right now,
+the cloud would be like having several svn repositories mirrored around the
+world each one with a local iurt/repsys building system (it might be even
+partial, e.g. there could be BIG ones holding the whole svn|git tree, and
+smaller one holding just the latest release or the latest two releases,
+etc.). Each building system around the world will sign packages they build
+with their own signing keys and you know where they come from. And packages
+won't be resigned by a supposed master. Of course you have to trust their
+administrators, exactly like you right now have to trust single users
+submitting sources to the svn and bulding packages.
+
+The most difficult things IMHO would be building from the same syncronized
+data. In that case you might choose a master server and several mirrors. The
+master might have multiple internet access points (e.g. from two providers)
+and will be the only one who might receive svn commits. Or a model without a
+master, I guess inspiring to a model what UseNET is (was), I think a lot
+more complicate. But in that case you have two direction of feeding and if
+two libraries are submitted in different user in nearest time, you need a
+system to check for coerency and set alarms in some cases.
+
+IMHO one of the building problems was not massive automatic rebuilding but
+avoid bottenlecks to the users when building goes wrong.
+
+Bye
+Giuseppe.
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: </pipermail/mageia-dev/attachments/20100926/88900d00/attachment.html>
+
+ + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
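Review bot: the attachment link near the end of the added page, `URL: </pipermail/mageia-dev/attachments/20100926/88900d00/attachment.html>`, is root-relative to a /pipermail/ layout, while the file itself is added under zarb-ml/mageia-dev/20100926/, so the link only resolves if the hosting site still serves /pipermail/ at its root. This view is limited to the one file, so it does not show whether the attachments directory is imported as well; if it is, rewrite the link relative to the new location, and if it is not, mark the attachment as unavailable rather than leaving a dead link in the archive. The commit message is also only the subject line "Add zarb MLs html archives"; a body stating where the archive was exported from and whether the HTML was altered on import would let someone verify the imported pages against the original list archive later.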