Hi,
On 2014-05-04 15:04, Ansgar Burchardt wrote:
Hi,
Cyril Brulebois <k...@debian.org> writes:
I think I already proposed pushing d-i master to some other machine
with less liberal access than alioth's. Would that help? If so, which
machine? dillon? Would pulling from there over https help? Be
sufficient? Otherwise, what else?
I think the buildds building stuff for the official archive should only
do that. This includes not building for other archives (ports) or daily
images for d-i (no matter the source).
IMHO, if we want to initiate a change there, we should at least say why
it is so important to separate those builds. From my POV, the only
difference between the content of the Debian archive and an alioth
repository is a GPG signature. Having that in mind, would it be
acceptable to require a GPG-signed tag to initiate a build from? RedHat
has been doing that for years and didn't hear about any major issue with
that. Besides, we can also require that buildds building for d-i are
configured with throwaway chroots (but I think this became the default
now?).
The problem is not about running blindly code coming from elsewhere. We
are already doing that (DDs can upload anything to build on buildds...
they can also upload/test exploits). So, we have to find better
arguments before changing this workflow and propose a sustainable
alternative plan to build d-i.
Maybe they could be built on dedicated buildds that are not building
packages for the main archive? Though that would require more hardware.
This doesn't seem doable for all architectures.
Or run the daily d-i build as a job on the porter boxes?
Can we please define what porter boxes are for and stick to that? They
are not "available hardware to do any stuff".
Regards,
--
Mehdi