[Dev] Compiling our own core packages

Luke g4jc at openmailbox.org
Sun Jan 8 15:48:21 GMT 2017


On 01/08/2017 03:21 PM, fauno wrote:
> Luke <g4jc at openmailbox.org> writes:
>
>> Hello everyone,
>>
>> Due to some serious disagreements with upstream Arch, we are going to
>> start compiling our own core packages.
>>
>> This is involving upstream bug https://bugs.archlinux.org/task/49979
>> against binutils. It is currently built with HTTP, no GPG signature, and
>> no hash check. They are unwilling to fix the issue and have made several
>> concerning comments.
> wouldn't this mean every package coming from arch would need to be
> rebuilt?
>
The packages would still run, but yes, in order to be secure they would
have to be rebuilt. It is a serious problem if the toolchain is
compromised. Maybe we could automate this with a build-server?

Also your work on dagpkg can help us:
https://git.parabola.nu/packages/libretools.git/tree/src/dagpkg
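
The three gaps named in the announcement quoted above (HTTP download, no GPG signature, no hash check) can be checked mechanically in a PKGBUILD. The following is an added example, not part of the original message and not Parabola's or Arch's own tooling; the sample PKGBUILD, its URLs and the function names are constructed for illustration, and the parser assumes plain `source=(...)` and `*sums=(...)` arrays.

```python
import re
import shlex

# Constructed sample, not the real binutils PKGBUILD from the bug report.
SAMPLE_PKGBUILD = """\
pkgname=example-toolchain
pkgver=1.0
source=(http://example.org/example-toolchain-1.0.tar.gz
        https://example.org/example-libs-1.0.tar.gz
        https://example.org/example-libs-1.0.tar.gz.sig)
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
"""

SUM_ARRAYS = ("md5sums", "sha1sums", "sha224sums", "sha256sums",
              "sha384sums", "sha512sums", "b2sums")
SIG_EXTS = (".sig", ".sign", ".asc")  # extensions makepkg treats as signatures


def read_array(text, name):
    """Return the elements of a bash array assignment such as source=(...)."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.MULTILINE | re.DOTALL)
    return shlex.split(m.group(1)) if m else []


def audit(text):
    """Map each non-signature source to the list of missing protections."""
    # Strip the optional "filename::" prefix makepkg allows on a source entry.
    sources = [s.split("::", 1)[-1] for s in read_array(text, "source")]
    sums = [read_array(text, a) for a in SUM_ARRAYS]
    findings = {}
    for i, src in enumerate(sources):
        if src.endswith(SIG_EXTS):
            continue  # the signature file itself is not a payload
        issues = []
        if src.startswith("http://"):
            issues.append("plaintext-http")
        # A real digest in any checksum array counts; 'SKIP' does not.
        if not any(i < len(a) and a[i] != "SKIP" for a in sums):
            issues.append("no-hash")
        if not any(s in sources for s in (src + e for e in SIG_EXTS)):
            issues.append("no-signature")
        findings[src] = issues
    return findings


if __name__ == "__main__":
    for src, issues in audit(SAMPLE_PKGBUILD).items():
        print(src, "->", ", ".join(issues) or "ok")
```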

