Re: Pre-review Guidelines

Toshio Kuratomi wrote:
(...)

3) Protecting the toolchain from being built with malicious code.

If the packages are going to be rebuilt fresh with our existing
toolchain after a full review is done, then this wouldn't be a big issue
to me as the full review either will or will not catch it as normal.  If
the packages built into the side tag will be moved over to the dist tag
(or simply added as a buildroot override for the dist tag) in order to
bootstrap the new packages then I would be concerned.

fnasser, do you know if you guys need bootstrapping or will things be
built fresh?

Hi Toshio,

Once they are bootstrapped in the side tag, they need to be mass-tagged in the main tag so we can just rebuild them (I suggest the side tag uses a different dist tag for clarity). If we would do the same process in the main tag we'd run into the same problem of having an unusable maven2 while the bootstrap process is going (it takes a while), which is just what we want to avoid with the side tag.

We have a working maven2 2.0.4. It is old and no longer builds the new versions of things we need to build (for eclipse for instance), but it works and builds the current packages we have. We don't want to risk having a broken toolchain for any period of time, so the side tag.

Best regards,
Fernando

--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging
