On Saturday 02 September 2006 02:41, Russ Allbery wrote:
> martin f krafft <[EMAIL PROTECTED]> writes:
>
> > The reason I am pushing for this is because of two of my clients, who
> > have been wanting to use Debian for three years now but consciously
> > decided against it, because it is not guaranteed that the sources and
> > the binaries in our archives correspond for all architectures. They are
> > well aware that trojans can still exist, but it's an entirely different
> > thing whether they exist in source and hence in all architectures (which
> > would result in some serious negative feedback or even revocation of
> > upload rights), or just in one of the binaries and hence would be much
> > harder to detect/analyse.
>
> I honestly think the security argument for doing this is silly.

True, and Martin's reasoning is about consistency across the architectures, not that much after security, as I read it.

> However, that does not mean I think it's a bad idea. I actually think
> it's a good idea, but for a somewhat different reason. Every single time
> we get ready to release stable, someone builds every package in the
> distribution and then encounters a bunch of FTBFS errors, particularly for
> arch: all packages. Many of those errors were always there and were never
> detected because we don't build arch: all packages anywhere outside the
> maintainer's system.

Fortunately there are lots of people running personal autobuilders and reporting FTBFS's lately, even in the arch:all packages.

--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB

