Hi Charles, On 22 November 2015 at 03:15, Charles Plessy <ple...@debian.org> wrote:
> Regarding security and GPG signing, obviously it is essential that a "Debian"
> image is configured to only retrieve packages from apt sources that are signed
> by Debian. But during the build process, while it is a best practice to use
> signed apt sources, does it have to be strictly mandatory, or can requirements
> regarding reproducibility and auditability be enough to ensure that an image
> does not contain malware, non-Free software or simply third-party programs
> that are not redistributed by Debian?

What should we do about packages that are redistributed by Debian, but need to
be recompiled/repackaged for any reason? For instance, Oracle Compute Cloud
Service[1] right now can't boot images compressed with XZ (related to
#699381[2]), so we have to rebuild the kernel package changing the kernel
compression to GZIP[3]. This is the only modification that has to be done, but
it results in a package that was not built using Debian infrastructure nor is
signed by Debian. Is there a possibility of having such a package on a cloud
image and still calling it "Debian official"?

Regards,
Tiago.

[1]: https://cloud.oracle.com/en_US/compute
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699381
[3]: https://github.com/myhro/debian-linux-kernel-gzip/commit/a498e7a7fe3b0b9057530f1523f4c7604bfab7f1

--
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
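The rebuild described above only changes the compressor of the kernel payload, so before shipping an image to a platform that cannot boot XZ-compressed kernels it is worth checking what compression a given vmlinuz actually carries. The script below is an added example written for this thread, not code from the thread, from Debian's kernel packaging or from the linked repository. It uses the same heuristic as the kernel tree's own scripts/extract-vmlinux: a bzImage stores the compressed payload after its real-mode setup code and decompressor stub, so the first compressor magic found in the file identifies the compressor. The fake-image builder and the `unsupported={"xz"}` policy are constructed for the example; the magic byte values are the real ones for each format.

```python
"""Detect which compressor a Linux kernel image (bzImage/vmlinuz) was built with.

Added example for the debian-cloud thread on rebuilding the kernel with GZIP
instead of XZ; not code from Debian's kernel packaging or the linked repo.
"""
import gzip
import lzma
import sys
from typing import Optional, Tuple

# Leading magic bytes of the compressors the kernel build system supports.
# Same heuristic as scripts/extract-vmlinux in the kernel tree.
SIGNATURES = {
    "gzip": b"\x1f\x8b\x08",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "lz4": b"\x02\x21\x4c\x18",   # legacy lz4 frame magic used by the kernel
    "zstd": b"\x28\xb5\x2f\xfd",
}


def detect_compression(image: bytes) -> Optional[str]:
    """Return the compressor whose magic appears earliest in image, or None.

    The compressed payload follows the setup header and decompressor stub, so
    the first magic in the file is the payload's. This is a heuristic: it
    cannot distinguish a genuine payload from the same bytes appearing by
    chance in the stub, but that is what extract-vmlinux relies on too.
    """
    hits = [(image.find(magic), name)
            for name, magic in SIGNATURES.items()
            if image.find(magic) != -1]
    return min(hits)[1] if hits else None


def check_image(image: bytes, unsupported=frozenset({"xz"})) -> Tuple[Optional[str], bool]:
    """Return (compressor, bootable_under_policy).

    `unsupported` models a platform that cannot boot some compressors, e.g. the
    XZ limitation this thread describes (assumed policy, constructed here).
    An image with no recognised payload is reported as not acceptable.
    """
    comp = detect_compression(image)
    return comp, comp is not None and comp not in unsupported


def build_fake_image(compressor: str, payload: bytes = b"fake kernel payload") -> bytes:
    """Constructed sample: a stand-in for a bzImage, NOT a bootable kernel.

    A dummy boot-sector/setup stub (jump, NOPs, the 'HdrS' setup signature,
    zero padding) followed by a genuinely compressed payload so the real
    compressor magic is present at a non-zero offset, as in a real image.
    """
    stub = b"\xeb\x3c" + b"\x90" * 510 + b"HdrS" + b"\x00" * 2048
    if compressor == "gzip":
        body = gzip.compress(payload)
    elif compressor == "xz":
        body = lzma.compress(payload, format=lzma.FORMAT_XZ)
    else:
        raise ValueError(f"unsupported sample compressor: {compressor}")
    return stub + body


def main(argv) -> int:
    """Usage: python detect_kernel_compression.py /boot/vmlinuz-<version>"""
    if len(argv) != 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        image = fh.read()
    comp, ok = check_image(image)
    print(f"{argv[1]}: compressor={comp or 'unknown'} acceptable={ok}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a Debian system the same answer should agree with the `CONFIG_KERNEL_GZIP=y` / `CONFIG_KERNEL_XZ=y` line in the matching `/boot/config-<version>` file; running the script against `/boot/vmlinuz-<version>` checks the binary that will actually be booted rather than the config that claims to have produced it, which is the useful check after a local rebuild like the one referenced in [3].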