* Vincent Fourmond:

> Imagine there is a huge security hole in this package. Do you really
> think the security team will want to use the *problematic* package to
> build a *clean* one ?

The machines we use for building have no untrusted local users, and only restricted networking. Of course, we still lose if it is genuinely backdoored, but this is totally unrelated to the circular build dependency. And from a DFSG compliance perspective, I prefer a circular build dependency over bootstrapping from a blob in the source package.

