Michael Banck wrote:
>
> Assuming that compromised mirrors get quickly identified by people using
> signatures, and buildd packages having to be uploaded directly, the
> amount of compromised packages this way is probably small, so they can
> be rebuilt using packages from another mirror, after the build logs have
> been inspected to see whether compromised packages have indeed been
> used.
>

Your last point really depends on how the packages were compromised, so it is possible that a compromised package is used without a chance to find it. That means that any package built on that buildd since the last mirror push would have to be dropped (or, in case it was already uploaded to the archive, rebuilt).

>
> Michael

Regards,
Raphael