On Mon, Sep 27, 2010 at 5:31 AM, Buchan Milne <[email protected]> wrote:
>
> IMHO, you should also keep the public keys of tarball signers. Please have a
> look at the samba SPEC file, which does verification of the tarball signature
> during %prep. In conjunction with the existing build tools (repsys/mdvsys
> etc.), a single command ('mdvsys update samba xxx') currently (usually)
> updates and submits the package, and building it at any time validates the
> source tarball.
>
> Actually, I still need to petition other security-sensitive packages which
> have previously said that tarball signing is irrelevant (due to the problem of
> first establishing trust of public keys etc.).
>

For the initial launch of Mageia, I understand the benefits of having a trusted build system in a controlled data center. It's safe, simple, and when the initial deployment issues arise, physical access to the servers may be required.
However, if a system is devised which allows known/trusted contributors to provide good hardware and bandwidth for package building, I'd be very willing to participate. :-)

Thanks again,
Rick
_______________________________________________
Mageia-dev mailing list
[email protected]
https://www.mageia.org/mailman/listinfo/mageia-dev
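Editor's added example of the technique Buchan describes above (verifying the upstream tarball signature in %prep against a public key shipped with the package). This is not the samba spec and not any Mageia package; the package name, URLs, file names and the %{upstream_fpr} placeholder are assumptions. It adds one check the quoted message does not spell out: the expected key fingerprint is pinned, so a valid signature from some other key that happens to be in the keyring does not pass.

```spec
# Added example (not the samba spec or any Mageia package): verify the upstream
# tarball against a release-signing key stored in the SRPM itself, and pin the
# key fingerprint so "some key in the keyring signed it" is not enough.
# Package name, URLs and the fingerprint placeholder are assumptions.
Name:           foo
Version:        1.0
Release:        %mkrel 1
Summary:        Example package with upstream signature verification in %%prep
License:        GPLv3+
URL:            https://example.org/foo
Source0:        https://example.org/foo/foo-%{version}.tar.gz
# Detached OpenPGP signature published by upstream next to the tarball
Source1:        https://example.org/foo/foo-%{version}.tar.gz.asc
# Upstream release-signing public key, ASCII-armored, committed alongside the
# spec so the build depends neither on a keyserver nor on the builder's ~/.gnupg
Source2:        foo-release-key.asc
# 40-hex-digit fingerprint of that key, checked out of band when the key was
# first added to the package (placeholder: replace with the real value)
%global upstream_fpr REPLACE_WITH_40_HEX_FINGERPRINT
BuildRequires:  gnupg2

%description
Example package whose %%prep refuses to build from an unverified tarball.

%prep
# Ephemeral keyring: nothing in the build account's own keyring can satisfy
# the check, and the imported key does not persist after the build.
export GNUPGHOME="$(mktemp -d)"
gpg --batch --quiet --import %{SOURCE2}
# Fail unless the signature is valid AND made by the pinned key. The VALIDSIG
# status line carries the signing (sub)key fingerprint first and the primary
# key fingerprint last, so the pattern matches either. rpmbuild runs %%prep
# with "sh -e": a failing grep aborts the build even though gpg's own exit
# status is masked by the pipe.
gpg --batch --status-fd 1 --verify %{SOURCE1} %{SOURCE0} \
    | grep -q '^\[GNUPG:\] VALIDSIG .*%{upstream_fpr}'
rm -rf "$GNUPGHOME"
%setup -q

%build
%configure
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}

%files
%doc README
%{_bindir}/foo
```

Two practical notes. First, some upstreams sign the uncompressed archive rather than the .tar.gz; for those, decompress to a temporary file in %prep (for example with gzip -dc) and pass that file to gpg --verify instead of %{SOURCE0}. Second, this only moves the trust question, as the people Buchan mentions point out: the check is exactly as strong as the out-of-band verification the packager did when first committing %{SOURCE2} and %{upstream_fpr}, so a key rotation upstream must be reviewed by a human, not silently re-imported.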
