From owner-freebsd-ports@FreeBSD.ORG  Wed Mar 27 19:15:57 2013
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id C380C71E
 for <freebsd-ports@freebsd.org>; Wed, 27 Mar 2013 19:15:57 +0000 (UTC)
 (envelope-from decke@bluelife.at)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com
 [IPv6:2607:f8b0:4003:c01::22c])
 by mx1.freebsd.org (Postfix) with ESMTP id 8A3628B4
 for <freebsd-ports@freebsd.org>; Wed, 27 Mar 2013 19:15:57 +0000 (UTC)
Received: by mail-ob0-f172.google.com with SMTP id tb18so8590139obb.3
 for <freebsd-ports@freebsd.org>; Wed, 27 Mar 2013 12:15:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bluelife.at; s=google;
 h=mime-version:x-received:sender:x-originating-ip:in-reply-to
 :references:date:x-google-sender-auth:message-id:subject:from:to:cc
 :content-type; bh=QTg4XjPdOfBiyJK4Iu2sFHyMy5pXmWYetKjkq44w3so=;
 b=W0Dv6TOg9mkUtLx+bZ/ngiz5tBo2L5D2oEIxndFF94bBzheLwVX6uQk48uQ2gBswQU
 C5Tl9ggXF3O9T/pJIo26medwbb7Ryajb7e6kyd288BqqL5f/G7epQMissydfiJbDIE35
 xUrF6bCQxaq3ZRcBI6n1IFA9bIAD42Mn9JGbk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=mime-version:x-received:sender:x-originating-ip:in-reply-to
 :references:date:x-google-sender-auth:message-id:subject:from:to:cc
 :content-type:x-gm-message-state;
 bh=QTg4XjPdOfBiyJK4Iu2sFHyMy5pXmWYetKjkq44w3so=;
 b=hOhhf2QutEpGctrsoccWtgJ/Rvk/0cD7CXCu60l3diOELMm/bdFlzBAF+lhjPtEv09
 N7x9Q5hYzHU5vGFJ6m+iGRd7vinPMJ6tzfvHU7Z7EO3a166OouraN7F19djWK+jJnZrW
 srYBi0ISX4QIKGx22rgliZTx1xgpKaqQJ+kp/+EI7gVZea4eH2ClHQKBicOalVUP02EX
 W+NtkeLsfAq+A5Xcwnf/dV50yR0S9BeSLToxUOfs557876S3nRVmjkrWBmCNtmMLVDGV
 hf/qdPPJ5FQml3TWwd21tL6d/odvalkSWGIpm3z3Uap4I8QrLCXhTeuMmOezoVXH92cx
 c6Qw==
MIME-Version: 1.0
X-Received: by 10.182.97.5 with SMTP id dw5mr4253904obb.91.1364411757058; Wed,
 27 Mar 2013 12:15:57 -0700 (PDT)
Sender: decke@bluelife.at
Received: by 10.76.99.114 with HTTP; Wed, 27 Mar 2013 12:15:56 -0700 (PDT)
X-Originating-IP: [2001:470:9bf5:200:21c:23ff:fe94:8591]
In-Reply-To: <CAD2Ti29S8i+GSFFV7O8JSKsk3StkfHWK0nE_JE4CgFWuOpFxaw@mail.gmail.com>
References: <CAD2Ti29CQ5uchftP63niDB8ORLW7CCh+1qBco=P44=wtXhP7iA@mail.gmail.com>
 <20130326082325.GW2198@droso.net>
 <CAD2Ti2-3eTQ0wc-V8NLgkVANGcdigRjL5m9h_2eGFw4G=NQK5w@mail.gmail.com>
 <CAE-m3X1sPLUywnNnvbm50i=t0L7LGVK5woN8OexqUA0PMuEh5Q@mail.gmail.com>
 <CAD2Ti29S8i+GSFFV7O8JSKsk3StkfHWK0nE_JE4CgFWuOpFxaw@mail.gmail.com>
Date: Wed, 27 Mar 2013 20:15:56 +0100
X-Google-Sender-Auth: iQ2uod00olIcnjptLTFz0yTnQvs
Message-ID: <CAE-m3X29GhObconj0V7wxhzjh0n5jHUtqnBvd8t0euKvSOn_Hg@mail.gmail.com>
Subject: Re: Status of packages
From: =?ISO-8859-1?Q?Bernhard_Fr=F6hlich?= <decke@FreeBSD.org>
To: grarpamp <grarpamp@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQmnYewccOdlalCrDTyH2XAwbk0lI1H/762xtkyZbGeYSSGU+83N9tIfkRBnfBn0g2X/pUXv
Cc: freebsd-ports@freebsd.org
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2013 19:15:57 -0000

On Wed, Mar 27, 2013 at 5:37 PM, grarpamp <grarpamp@gmail.com> wrote:
>>> It's nice to see something like redports. It can be helpful to those using
>>> ports to diagnose their local builds against the output of a formal
>>> sandbox
>>> service for the project. It would be cool if the logs, build hiers and
>>> packages
>>> from such a buildbot were accessible. They'd obviously always be in flux
>>> but
>>> still useful to see.
>
>> Redports is very bad for providing packages because of all the frequent
>> changes and the "chaotic nature" of such a system. Additionally the security
>> considerations made clear that redports should never provide any binary data
>> to users to minimize risk in case of a potential security incident.
>
> 'formal/project/service' and 'flux' were attempts at covering this. Another
> partial example might be pointyhat, the logs are viewable, but not the
> output file trees.
> The 'security' aspect would just seem whether the builds come
> from the main repo and are built in a pretty automated sandbox, or
> from joe's working tree in their own slush account.

No. The security concerns are that some "attacker" could infect binaries
and add dangerous code if he manages to break out of a jail or place
malicious code in some packages that are used as dependencies. Due to
the nature of redports many jobs by a lot of people are build in parallel and
ports depend on each other so you cannot trust the machine anymore and
the only way to proceed would be by wiping the box and restarting from
scratch. Since the packages are not shared accross multiple machines nor
made available to users the risk is that the machine has to be wiped but it
could never infect any user.
In addition to that redports does a lot to make sure that user modified
packages are not reused and environments are cleaned after each build
but nobody says it's impossible.

-- 
Bernhard Froehlich
http://www.bluelife.at/