
Re: Tainted builds (was Re: usrmerge -- plan B?)




On Sun, Dec 02, 2018 at 04:28:46PM -0800, Russ Allbery wrote:
> Guillem Jover <guillem@xxxxxxxxxx> writes:
>
> > Whether a package is being built within a chroot or not, has nothing
> > to do with how that installation is being managed IMO. It feels a bit
> > like recording what's the form factor of the machine being run on? :)
>
> I think what people are trying to get at here is "was the package built on
> a system with packages other than build dependencies plus build-essential
> plus essential/required packages installed."
>
> I do think this would be very useful to track, but it's a bit complicated
> to work out, and there are probably a few other exceptions that would need
> to be in place.

And you'd still have cases like "someone installed something in /usr/local/bin" and such. Might be easier to just track whether it was built in a DSA-maintained autobuilder, so a human can identify potential local build environment issues as a possible explanation for unexpected behavior, because that's really the objective. Might also not be worth trying to do that vs existing ways to find out where the package was built.
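The heuristic Russ sketches above (flag installed packages that are not essential/required, not build-essential and not declared build dependencies), as an added Python illustration that is not part of this thread. The dpkg-query dump, the Build-Depends field and the BUILD_ESSENTIAL set are constructed sample data; a real check would derive the build-essential closure from the package's dependencies instead of hand-listing it.

```python
import re

# Constructed sample of `dpkg-query -W -f='${Package}\t${Priority}\t${Essential}\n'`
# (dpkg prints "yes" for Essential packages and an empty field otherwise).
SAMPLE_DPKG = (
    "base-files\trequired\tyes\n"
    "dpkg\trequired\tyes\n"
    "gcc\toptional\t\n"
    "libc6-dev\toptional\t\n"
    "debhelper\toptional\t\n"
    "libssl-dev\toptional\t\n"
    "vim\toptional\t\n"
    "strace\toptional\t\n"
)
# Constructed stand-in for the build-essential closure; a real check would
# resolve it from the build-essential package's dependencies.
BUILD_ESSENTIAL = {"gcc", "g++", "libc6-dev", "make", "dpkg-dev"}
# Constructed Build-Depends field with a version, an alternative and an arch qualifier.
SAMPLE_BUILD_DEPENDS = "Build-Depends: debhelper (>= 11), libssl-dev (>= 1.1) | libgnutls28-dev, python3 [linux-any]"


def parse_installed(dpkg_query_output):
    """Map package name -> (priority, is_essential) from the tab-separated dump."""
    installed = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            name, priority, essential = line.split("\t")
            installed[name] = (priority, essential == "yes")
    return installed


def parse_build_depends(control_line):
    """Package names from a Build-Depends field; version constraints, architecture
    qualifiers and build profiles are dropped, and every alternative is accepted."""
    field = control_line.split(":", 1)[1]
    names = set()
    for dep in re.split(r"[,|]", field):
        dep = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", dep).strip()
        if dep:
            names.add(dep.split(":")[0])  # drop :any / :native qualifiers
    return names


def extra_packages(installed, build_depends):
    """Installed packages outside essential/required + build-essential + build-deps."""
    allowed = BUILD_ESSENTIAL | build_depends
    return sorted(pkg for pkg, (prio, ess) in installed.items()
                  if not ess and prio != "required" and pkg not in allowed)


def check_sample():
    return extra_packages(parse_installed(SAMPLE_DPKG),
                          parse_build_depends(SAMPLE_BUILD_DEPENDS))
```

Note that on a real system packages of priority important or standard would also be reported, which is exactly the sort of exception Russ expects would need to be enumerated.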