On Fri, Jan 28, 2011 at 9:08 AM, C Anthony Risinger <anthony@xxxxxxxx> wrote:

> On Fri, Jan 28, 2011 at 9:51 AM, Thomas S Hatch <thatch45@xxxxxxxxx> wrote:
> >
> > Jakob, YES! You are spot on here, one of the main motivations behind a system like this is security. While I don't think that this is a problem with our developers, I do think that it is a potential future problem, Arch is continuing to grow and at an exponential pace. Security of Arch packages is going to be an increasing issue. I don't want to open up the subject of package signing here, but as a side note, a build system could greatly aid aspects of security ranging from quality control to package signing and software verification.
>
> iiiiiiii don't know about "exponential" ;-)
>
> while not perfect by any means, tracking the file list (and possibly sizes too) might be useful as a loose check for validity; if a package suddenly has new files or is vastly different from previous builds there might be an issue (not necessarily malicious either).
>
> i am kind of working on this same thing actually, but for my own personal mirror; i have many packages that i need auto built for several of my netbooks/laptops and VMs. it would be nice if the tool was flexible enough to be used in this manner (personal/closed loop). right now i'm about to try some bauerbill + makepkg hackzors... if anyone has done this already i would love to hear about it in a new thread, because it will save me time :-)
>
> C Anthony

To be perfectly honest, a great deal of my motivation stems from the fact that I could really use an automated Arch package build server for my infrastructure at work, I have so many servers running Arch that manually maintaining our private repo is a bit of a pain :) But with that said I feel very strongly that my wants as a commercial user of Arch are not on par with the needs of the Arch community in the manner, in fact I would say that my wants from a commercial perspective should be thrown out, I don't want my commercial use of Arch to taint the community, it is one of my greatest fears as an Arch TU and contributor.
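The "loose check for validity" that C Anthony suggests (compare the file list and sizes of a new build against the previous build of the same package) is simple enough to sketch. The script below is an added example written for this page; it is not code from the thread, from bauerbill, or from any Arch tool. It reads a package as a tar archive (Arch packages are tar archives), builds a {path: size} manifest, and reports paths that appeared, disappeared, or changed size by more than a configurable ratio, ignoring the metadata files that legitimately change on every build. The two sample packages are constructed in memory so the script runs offline; the size ratio and the ignored metadata names are assumptions for illustration.

```python
"""Loose build-to-build validity check for tar-format packages.

Added example for this thread, not code from any Arch project. Flags files
that appear, disappear, or change size sharply between two builds of the
same package; a hit means "look at this", not "this is malicious".
"""
import io
import tarfile

# Per-build metadata that is expected to differ every time (assumed list).
METADATA_FILES = {".PKGINFO", ".MTREE", ".BUILDINFO", ".INSTALL", ".CHANGELOG"}


def package_manifest(pkg_bytes):
    """Return {path: size} for every entry in a tar-format package.

    Regular files get their size; directories and symlinks get None so
    that new entries of those kinds are still noticed as "added".
    """
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        for member in tar:
            manifest[member.name] = member.size if member.isfile() else None
    return manifest


def compare_builds(old_manifest, new_manifest, size_ratio=2.0):
    """Compare two manifests and return what changed.

    added   - paths present only in the new build
    removed - paths present only in the old build
    resized - paths whose size grew or shrank by more than size_ratio,
              or went from empty to non-empty (or back)
    """
    old_paths = {p for p in old_manifest if p not in METADATA_FILES}
    new_paths = {p for p in new_manifest if p not in METADATA_FILES}
    resized = {}
    for path in old_paths & new_paths:
        old_size, new_size = old_manifest[path], new_manifest[path]
        if old_size is None or new_size is None:
            continue  # directory or symlink: no meaningful size
        lo, hi = sorted((old_size, new_size))
        if (lo == 0 and hi > 0) or (lo > 0 and hi / lo > size_ratio):
            resized[path] = (old_size, new_size)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "resized": resized,
    }


def build_sample_package(files):
    """Construct an in-memory .tar.gz from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_report():
    """Run the check on two constructed builds of a fictional package 'foo'."""
    old_pkg = build_sample_package({
        ".PKGINFO": b"pkgname = foo\npkgver = 1.0-1\n",
        "usr/bin/foo": b"A" * 100,
        "usr/bin/bar": b"B" * 10,
        "etc/foo.conf": b"option = 1\n",
        "usr/share/doc/foo/README": b"R" * 50,
    })
    new_pkg = build_sample_package({
        ".PKGINFO": b"pkgname = foo\npkgver = 1.1-1\n",   # changes every build
        "usr/bin/foo": b"A" * 150,                         # within ratio
        "usr/bin/bar": b"B" * 400,                         # 40x larger
        "usr/lib/libfoo.so": b"L" * 30,                    # new file
        "usr/share/doc/foo/README": b"R" * 50,
    })
    return compare_builds(package_manifest(old_pkg), package_manifest(new_pkg))


if __name__ == "__main__":
    for kind, entries in sample_report().items():
        print(kind, entries)
```

On a real mirror the manifests would be saved per build (a JSON file next to the package is enough) and compared on the next run; anything in the report goes to a human before the package is pushed. The check is deliberately loose, as the thread says: a new translation file or a bigger binary after a compiler update will trip it too, which is why it is a prompt to look rather than a verdict.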