Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: "Benji Weber" <b.weber@xxxxxxxxxxxxx>
  • Date: Thu, 1 Nov 2007 09:25:11 +0000
  • Message-id: <d6b310ce0711010225i42a3ea26m783fd804b628f1f2@xxxxxxxxxxxxxx>
On 01/11/2007, Aniruddha <mailing_list@xxxxxxxxx> wrote:
Of course it is doable (see Debian/Gentoo/FreeBSD/Ubuntu) who
support up to 22000 packages. The only question is how ;)

Partly because they have a lot of people producing the packages, and
if One were cynical One could suggest because they don't do so much
security & quality checking compared to RH/SUSE etc whose businesses
depend on it.

You are trusting the packagers from Gentoo/Ubuntu etc because they are
associated with the project, not because you know that they are in
fact doing their job properly. That is the point, you choose who you
wish to trust. The valid problems here are

1) There are not separate keys for each repository - this is on the
roadmap to be fixed by year end.
http://en.opensuse.org/Build_Service/Roadmap

2) There is no way to tie a packager's key to peer ratings/comments
etc. This will be easier to implement once the user database which
stores identity & other information about users & packages is ready.

We can make it easier to make an informed decision about who One
wishes to trust, but the choice about who to trust still has to be up
to you.

Making home: repositories harder to add doesn't solve any problem, and
anyone can make use of the one click install mechanism for
repositories that aren't even in the build service.

--
Benjamin Weber