Date:      Tue, 15 Jan 2013 09:13:43 +0000
From:      Matthew Seaman <matthew@freebsd.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: pkgng package repository tracking security updates
Message-ID:  <50F51DC7.4030300@freebsd.org>
In-Reply-To: <CALf6cgbf3Vn2TBVx8FhvyjZhBBqA4Q55kTQTZywtCC0uxzuWoA@mail.gmail.com>
References:  <CALf6cgYY0LYnUb_Yo3XZZ=-tsXoyJ=GUic8KtdcoaVWMF8XUqQ@mail.gmail.com> <50F403C6.1030705@gmail.com> <50F4130A.5050105@freebsd.org> <CALf6cgai%2BcGs_g1ekh_tdXt_7bDT4ETyEB_iAJqst-nz-srHvg@mail.gmail.com> <50F4197E.8050003@infracaninophile.co.uk> <CALf6cgbf3Vn2TBVx8FhvyjZhBBqA4Q55kTQTZywtCC0uxzuWoA@mail.gmail.com>

On 14/01/2013 22:44, n j wrote:
> One thing to think about would be the option of port maintainers uploading
> the pre-compiled package of the updated port (or if the size of the upload
> is an issue then just the hash signature of the valid package archive so
> other people with more bandwidth can upload it) to help the package
> building cluster (at least for mainstream architectures). The idea behind
> it being that the port maintainer has to compile the port anyway and pkg
> create is not a big overhead. The result would be a sort of distributed
> package building solution.


Sorry.  Distributed package building like this is never going to be
acceptable.  Too much scope for anyone to introduce trojans into
packages.  Building packages securely is a very big deal, and as recent
events have shown, you can't take any chances.

	Cheers,

	Matthew




