On Fri, Jan 28, 2011 at 11:28 AM, Thomas S Hatch <thatch45@xxxxxxxxx> wrote: > > > On Fri, Jan 28, 2011 at 11:26 AM, Isaac Dupree < > ml@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > >> On 01/28/11 09:32, Jakob Gruber wrote: >> >>> Another aspect of this is security. Right now, any dev / TU could >>> theoretically check in a correct PKGBUILD but upload a binary package >>> with *insert malicious content* in it to the repos with a very low >>> probability of anyone ever noticing. A (mandatory) central build server >>> could guarantee that the package is actually built with the specified >>> publically available PKGBUILD. >>> >>> I'm not a security expert so please call me out if I'm talking nonsense. >>> >> >> You have to trust all servers that are used for building. (and the servers >> need to collectively have enough processing power to build everything!) If >> we take random volunteers then it's not secure. But it can certainly help >> security in certain ways if done right. >> >> ~Isaac >> > > Yes, we cannot take "random" volunteers, but I am confident that we will be > able to find distributed resources that are secure > Ok my fellow Archers, I have a bit of a proposal to chew on, I am not claiming that it is "done" but it should outline my idea. This is still very rough, so go easy on me, honestly I think I have put it together rather quickly and I assume there are holes. If there are places where you want clarity please let me know and I will fill them in. I will have a fresh github project up in the morning. This project is highly compartmentalized, it should be very easy for collaborators to work on individual components. Thank you for your support, I am excited to get this put together! https://wiki.archlinux.org/index.php/Automated_Package_Build_System -Thomas S Hatch
