pkgng package repository tracking security updates

Matthew Seaman matthew at freebsd.org
Tue Jan 15 09:13:57 UTC 2013


On 14/01/2013 22:44, n j wrote:
> One thing to think about would be the option of port maintainers uploading
> the pre-compiled package of the updated port (or if the size of the upload
> is an issue then just the hash signature of the valid package archive so
> other people with more bandwidth can upload it) to help the package
> building cluster (at least for mainstream architectures). The idea behind
> it being that the port maintainer has to compile the port anyway and pkg
> create is not a big overhead. The result would be a sort of distributed
> package building solution.
Sorry.  Distributed package building like this is never going to be
acceptable.  Too much scope for anyone to introduce trojans into
packages.  Building packages securely is a very big deal, and as recent
events have shown, you can't take any chances.

	Cheers,

	Matthew