martin f krafft wrote:
> also sprach Henning Makholm <[EMAIL PROTECTED]> [2006.08.31.1641 +0200]:
>> Please read up on the regular (every few months) discussions about
>> "source-only uploads" in the list archives. (Capsule summary: yes,
>> it would be easy to do, but there is no consensus that it would be
>> *desirable* to do so).
>
> For instance: http://lists.debian.org/debian-devel/2006/07/msg00544.html
>
> You say people have argued against source-only uploads, but I think
> source-only is actually not what we are talking about. The subject
> line says: "recompile...".
>
> Whether or not requiring binary packages in the upload as a QA sort
> of measure is a good thing is a tangential debate.
>
> I would like to know why we can't just discard those binaries and
> rebuild them on trusted machines. Then we get the best of all
> worlds.

This is really a nice idea.

It is *not* reasonable to do this until we get the long awaited redundancy in the i386 buildd system. Currently there is one buildd with one maintainer, unless something has changed since http://release.debian.org/etch_arch_qualify.html was last updated. (Has something changed? That looks out of date, but I don't know who to ask.)

It's not reasonable to rely on one single machine like that: apart from the mess that would happen if it went down or the person uploading its packages took a week's vacation, a compromise of that one machine will root every i386 Debian system. (I hope it's at least as secure as ftpmaster, but two single points of failure are worse than one.)

Redundancy is needed for alpha, amd64, hppa, arm, and ia64 as well, according to that chart.

--
Nathanael Nerode <[EMAIL PROTECTED]>

Bush admitted to violating FISA and said he was proud of it. So why isn't he in prison yet?...