On 04/09/2014 06:51 PM, Jean-Christophe Bach wrote:
> Hi list,
> 
> I was wondering how it works for binary packages when they are compiled:
> 
> Are all binary packages compiled on Gentoo infrastructure after a source
> upload from the maintainer, or are there any binary packages compiled on
> maintainers' computers and then uploaded on Gentoo infra?

Could be either. The best way to tell is to look at the SRC_URI line in
the ebuild. For example, Firefox comes from Mozilla, while
dev-lang/ghc[binary] was built by the maintainer.

> In fact, we had lots of trolls^W discussions about this point with
> friends and colleagues who use other distros. And there is a security
> question: do we allow uploads from developers without being sure the
> binary comes from the corresponding sources? (the maintainer may be
> malicious, or his computer may be compromised)

Every Gentoo developer essentially has root on your box. While that may
not make you feel better, it means you don't have to worry about it =)
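
The SRC_URI check suggested in the reply above, as an added example that is not part of the original message or of Gentoo's own tooling: it walks the USE-conditional groups of a SRC_URI value and labels each distfile by where it is hosted. The sample ebuild is constructed, and treating `dev.gentoo.org/~<name>/` as a developer's own web space is an assumption of this sketch.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not a real ebuild: hosts, paths and the developer name
# are placeholders, and variables such as ${P} are shown already expanded.
SAMPLE_EBUILD = '''
EAPI=5
SRC_URI="
    !binary? ( https://upstream.example.org/dist/foo-1.0-src.tar.xz )
    binary? (
        amd64? ( https://dev.gentoo.org/~somedev/foo-1.0-amd64.tbz2 -> foo-bin-amd64.tbz2 )
        x86? ( mirror://gentoo/foo-1.0-x86.tbz2 )
    )"
'''

def classify(uri):
    """Label a URI by hosting location (a hint about who supplied the file,
    not proof of who built it)."""
    u = urlparse(uri)
    if u.scheme == "mirror":
        return "mirror:" + u.netloc
    # Assumption: paths under dev.gentoo.org/~<name>/ are a developer's own web space.
    if u.netloc == "dev.gentoo.org" and u.path.startswith("/~"):
        return "developer-space:" + u.path[2:].split("/")[0]
    return "other:" + u.netloc if u.netloc else "no-uri"

def src_uri_origins(ebuild_text):
    """Return (use_conditions, uri, origin) for each entry in SRC_URI."""
    m = re.search(r'^SRC_URI="(.*?)"', ebuild_text, re.S | re.M)
    tokens = m.group(1).split() if m else []
    stack, out, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith("?"):          # USE conditional: "flag? ( ... )"
            stack.append(tok[:-1])
            i += 1                      # also skip the "(" that follows
        elif tok == "(":               # unconditional group
            stack.append(None)
        elif tok == ")":
            stack.pop()
        elif tok == "->":              # "uri -> newname": skip the local rename
            i += 1
        else:
            conds = tuple(c for c in stack if c)
            out.append((conds, tok, classify(tok)))
        i += 1
    return out

if __name__ == "__main__":
    for conds, uri, origin in src_uri_origins(SAMPLE_EBUILD):
        print(" ".join(conds) or "(always)", origin, uri, sep="\t")
```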
