[Mageia-dev] Will this work for a build system?

Mon Sep 27 11:11:01 CEST 2010

'Twas brillig, and P. Christeas at 27/09/10 08:00 did gyre and gimble:
+> On Sunday 26 September 2010, herman wrote:
+>> BTW, I once calculated (test plus extrapolation) how long it would take
+>> to rebuild every package in Mandriva on a low end 2 GHz Celeron server
+>> that I had available and it came to about 80 days.
+> 
+> I, frankly, don't care.
+> 
+> See, that would be the final packaging for a release. In the meanwhile, we 
+> could exchange our Cauldron packages in a less-secure constellation of build 
+> machines. If we admit that cauldron rpms are just built by the packagers (but 
+> also signed etc.), then we take a lot of load off the "release" build cluster.
+
+I really don't like this. It really does not fit in with things. This
+would mean that a release would actually require a full rebuild for a
+start (this doesn't happen currently).
+
+And it also assumes that any security compromised package build by a
+compromised cauldron user in no way impacts the package repository that
+will ultimately be used to build the distro itself.
+
+Personally I want my cauldron packages to be just as secure as my
+release packages. After all I visit web pages, enter online banking
+details, connect to VPN and SSH etc. etc. all via cauldron install.
+
+I really do not thing that any security model should differentiate
+between devel & release from a "required security level" perspective.
+
+Col
+
+
+
+-- 
+
+Colin Guthrie
+mageia(at)colin.guthr.ie
+http://colin.guthr.ie/
+
+Day Job:
+  Tribalogic Limited [http://www.tribalogic.net/]
+Open Source:
+  Mageia Contributor [http://www.mageia.org/]
+  PulseAudio Hacker [http://www.pulseaudio.org/]
+  Trac Hacker [http://trac.edgewall.org/]
+