[Dev] Compiling our own core packages
g4jc at openmailbox.org
Sun Jan 8 15:48:21 GMT 2017
On 01/08/2017 03:21 PM, fauno wrote:
> Luke <g4jc at openmailbox.org> writes:
>> Hello everyone,
>> Due to some serious disagreements with upstream Arch, we are going to
>> start compiling our own core packages.
>> This is involving upstream bug https://bugs.archlinux.org/task/49979
>> against binutils. It is currently built with HTTP, no GPG signature, and
>> no hash check. They are unwilling to fix the issue and have made several
>> concerning comments.
> wouldn't this mean every package coming from arch would need to be
The packages would still run, but yes, in order to be secure they would
have to be rebuilt. It is a serious problem if the toolchain is
compromised. Maybe we could automate this with a build-server?
Also your work on dapkg can help us:
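The three gaps named in the quoted report (HTTP source, no GPG signature, no hash check) can be checked statically in any PKGBUILD. The script below is an added example, not from this thread or from Parabola's or Arch's tooling; the function names, the sample PKGBUILDs, the example.org URL, the digest and the key fingerprint are constructed, and the regex checks are heuristics.

```shell
#!/bin/sh
# Static PKGBUILD audit. The file is pattern-matched, never sourced:
# a PKGBUILD is shell code and sourcing it would execute it.

# Print findings for the PKGBUILD on stdin, or "ok" when none apply.
audit_pkgbuild() {
    # Drop full-line comments, then flatten so multi-line arrays match.
    flat=$(sed 's/^[[:space:]]*#.*//' | tr '\n' ' ')
    has() { printf '%s' "$flat" | grep -Eq -- "$1"; }
    src='(^|[[:space:]])source(_[a-z0-9_]+)?=\('
    sums='(^|[[:space:]])(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_[a-z0-9_]+)?=\('
    out=""
    # 1. A source fetched over plaintext HTTP or FTP.
    if has "${src}[^)]*(http|ftp)://"; then out="plaintext-transport"; fi
    # 2. No checksum array with a real digest ('SKIP' verifies nothing).
    if ! has "${sums}[^)]*[0-9a-fA-F]{32,}"; then
        out="${out:+$out }no-hash-check"
    fi
    # 3. No detached signature among the sources, or no pinned key.
    if ! has "${src}[^)]*\.(sig|asc)" ||
       ! has '(^|[[:space:]])validpgpkeys=\([^)]*[0-9a-fA-F]{40}'; then
        out="${out:+$out }no-signature-check"
    fi
    printf '%s\n' "${out:-ok}"
}

# Constructed sample with the three gaps described in the thread.
sample_weak() { cat <<'EOF'
pkgname=demo-toolchain
pkgver=1.0
source=("http://example.org/$pkgname-$pkgver.tar.gz")
md5sums=('SKIP')
EOF
}

# Constructed sample: HTTPS, digest, detached signature, pinned key.
sample_hardened() { cat <<'EOF'
pkgname=demo-toolchain
pkgver=1.0
source=("https://example.org/$pkgname-$pkgver.tar.gz"{,.sig})
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')
EOF
}

printf 'weak:     %s\n' "$(sample_weak | audit_pkgbuild)"
printf 'hardened: %s\n' "$(sample_hardened | audit_pkgbuild)"
```

To audit a real file, run `audit_pkgbuild < PKGBUILD`; the `'SKIP'` entry in the hardened sample is the checksum slot for the signature file, which the signature check itself covers.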