Heya, Roland Mas <lola...@debian.org> writes: > Mike Hommey, 2011-05-04 07:57:47 +0200: >> Add to that that allowing random people to upload packages to be built >> on Debian build daemons is a recipe to have the buildds compromised. > My initial idea about how one would go about implementing them > involved very strict isolation of the builds (either with LXC or a more > heavy-handed virtualisation system). Not going to be very efficient in > the slow path, but the scope of a compromise would be a temporary > environment that's going to be thrown away in a minute or so and never > reused.
If anyone would have actually read the PPA proposal, they would know that uploads were and are intended to be restricted to DDs and DMs (which can break buildds anyway, if they want) and building should happen in throw-away chroots (not for security, but "don't mess with my system" reasons). Marc
pgpA4XuJtzDNF.pgp
Description: PGP signature