At 17:04 +1000 04.04.2002, Jeremy Higgs wrote:
>On 3/4/02 9:34 PM, "Max Horn" <[EMAIL PROTECTED]> wrote:
[...]
>Any news on getting fakeroot working on Darwin/MacOS X?

No.

>As I understand it,
>if we were able to use fakeroot, we could utilise the SF Compile Farms,
>correct? If we were, they could be used to build the packages for the binary
>distro, instead of laying it all upon you, Max (and others).

Nope. I talked about this with some people. It wouldn't be possible to build the bin dist there, the security risk is too big. Just think, tens of thousands of people have access to these machines. The risk is much higher there that there will be a security breach eventually. In that case, the entire bin dist could potentially be tainted. Not good.

As a consequence, we could still use it as a test bed to build the full stable distro, to check whether it works all OK (like, no missing dependencies, like those that happened several times recently).

Anyway, we don't need fakeroot for this anymore. I am now officially co-admin of the SourceForge Mac OS X compile farm machines, and have root access on both of them. I have set up box #2 with Fink already, and many packages are already installed (I am compiling more as time goes on).

>Just to add to that, if we *could* get fakeroot working, an idea would be to
>automatically build packages that are added into CVS,

That's not that easy to do, plus I doubt it would be very useful.

> however some things
>should probably come into effect before that would be viable:
>
>1) Signing of packages by maintainers/committers (GPG, PGP, etc). I'm not
>sure how that would occur, but since you need SSH access to commit now
>anyway, this might negate it.

This would happen by people signing the .debs they make before sending them (including the .sig) to somebody who is the maintainer. But this would require us to establish keys, i.e. everybody allowed to submit packages would have to have a key signed by the other team members. Plus we'd want to have a central "Fink" key, which probably I would manage for now.

BUT the crucial step is establishing this. You can't just sign each other's keys. The risk is too high for them being tampered with. The most secure solution is to meet in person, exchanging keys via a local connection (floppies, ethernet link, whatever). The second best is to snail mail floppy disks. In addition, one would verify the key signatures via phone (i.e. once you get the floppy disk, you call the sender, and ask him to verify the ID of the key you received). Once that happened you can sign the other's key, and send the signed key back to him.

>
>2) Add another distro, ala Debian. I find the Debian system works quite
>well, although the releases are a bit slower than what you would want...
>However, the idea of having unstable as bleeding-edge would be good, and
>then packages that receive positive feedback are moved to 'testing', and
>then to stable. This would ensure that we don't have problems with the
>packages, like we do every now and then...

I have explained it before, but let me repeat:

stable from point release (i.e. 0.3.2a currently) = Debian stable
stable from CVS = Debian testing
unstable from CVS = Debian unstable

Cheers,

Max
-- 
-----------------------------------------------
Max Horn
Software Developer

email: <mailto:[EMAIL PROTECTED]>
phone: (+49) 6151-494890

_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel