'Twas brillig, and P. Christeas at 27/09/10 08:00 did gyre and gimble:
> On Sunday 26 September 2010, herman wrote:
>> BTW, I once calculated (test plus extrapolation) how long it would take
>> to rebuild every package in Mandriva on a low end 2 GHz Celeron server
>> that I had available and it came to about 80 days.
>
> I, frankly, don't care.
>
> See, that would be the final packaging for a release. In the meanwhile, we
> could exchange our Cauldron packages in a less-secure constellation of build
> machines. If we admit that cauldron rpms are just built by the packagers (but
> also signed etc.), then we take a lot of load off the "release" build cluster.

I really don't like this. It really does not fit in with things.

This would mean that a release would actually require a full rebuild for a start (this doesn't happen currently).

And it also assumes that any security-compromised package built by a compromised cauldron user in no way impacts the package repository that will ultimately be used to build the distro itself.

Personally I want my cauldron packages to be just as secure as my release packages. After all I visit web pages, enter online banking details, connect to VPN and SSH etc. etc. all via a cauldron install.

I really do not think that any security model should differentiate between devel & release from a "required security level" perspective.

Col

--
Colin Guthrie
mageia(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mageia Contributor [http://www.mageia.org/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]

_______________________________________________
Mageia-dev mailing list
[email protected]
https://www.mageia.org/mailman/listinfo/mageia-dev
