On 4/26/07, bardo <[EMAIL PROTECTED]> wrote:
> On 4/25/07, Aaron Griffin <[EMAIL PROTECTED]> wrote:
> > PKGBUILDs would be run through some aur
> > specific pacbuild instance, which will basically just test if the
> > package builds or not.  The package is then exposed via the web
> > interface, if built....
>
> Uhm... yeah... and if someone finds a vulnerability in makepkg and
> breaks the server? Basically you're allowing *anything* to be
> executed, so I'd not trust it completely... a read-only virtual
> machine reloaded every time a new package has to be built?

pacbuild does not build packages.  Build machines do.  The server
would never do anything.  Build machines pull the PKGBUILD and
satellite files and try to build the package in a chroot environment.
Unless there's a vulnerability in the chroot syscall, I see very
little going wrong there.

_______________________________________________
arch mailing list
[email protected]
http://archlinux.org/mailman/listinfo/arch
