Re: Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)




On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis@xxxxxxx> wrote:
>> Moreover, instead of building all packages in the private PCs of developers,
>> I think it is preferable to submit PKGBUILDs to build servers (via web
>> interface maybe) and let the servers do the build + signing + repoupdate...
>> That way if a developer's system gets compromised his packages will stay
>> clean. Of course that needs extra work and equipment, but perhaps we can
>> agree to it as a future target.

> Well, in fact, that is the very problem we have. The repository
> database files are created remotely and I think that we should avoid
> signing files remotely. In fact, a dev's machine is less visible than
> the servers of Arch. And see the response from Ionut too.

Let me just clarify here that by "build server" I mean a machine where developers have *not* shell access (and in fact almost nobody has), and by "package signing" I mean signing with a specific archlinux key which is unknown (the private part) to most devs. Some distros follow that approach to security.

What you are proposing is package signing by developer keys, that's a different approach. I am just bringing up alternatives.


Dimitris


BTW I don't think that building inside a compromised system is in any way secure, even if building inside a chroot.
