On 01/08/2017 03:21 PM, fauno wrote:
> Luke <[email protected]> writes:
>
>> Hello everyone,
>>
>> Due to some serious disagreements with upstream Arch, we are going to
>> start compiling our own core packages.
>>
>> This is involving upstream bug https://bugs.archlinux.org/task/49979
>> against binutils. It is currently built with HTTP, no GPG signature, and
>> no hash check. They are unwilling to fix the issue and have made several
>> concerning comments.
> wouldn't this mean every package coming from arch would need to be
> rebuilt?
>

The packages would still run, but yes in order to be secure they would have to be rebuilt. It is a serious problem if the toolchain is compromised. Maybe we could automate this with a build-server?
Also your work on dagpkg can help us: https://git.parabola.nu/packages/libretools.git/tree/src/dagpkg
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
