On Mon, Mar 14, 2005 at 11:11:55AM +0100, Sven Luther wrote:
> On Mon, Mar 14, 2005 at 02:12:48AM -0800, Thomas Bushnell BSG wrote:
> > Where human delay did come into play was in getting the xfree86 mess
> > cleaned; in theory it should have taken one or two days, but in
> > practice it took much longer.
>
> Why not fully eliminate the human factor? Ubuntu does automated build from
> source only uploads, the package sources are built and signed by a developer,
> autobuilt on all arches, and I don't believe they are individually signed
> after that.

Ubuntu is in the happy situation of having a system in a DMZ - i.e. not network-accessible in general without having to get through other barriers first - with very few login accounts and full-time maintenance on which to do auto-signing, and similar systems to act as buildds. Debian isn't remotely in that position. Auto-signing requires a great deal of care and thought before blindly enabling it, and certainly it must not happen on a generally network-accessible machine and it probably shouldn't happen while the buildds remain generally network-accessible.

We were in a bad enough situation during the server compromise when it was discovered that some developers had inadvertently left their private GPG keys on network-accessible machines with lots of login accounts. Surely you acknowledge that as a mistake by those developers, and not something we should be encouraging by making it an essential part of our infrastructure?

Cheers,

--
Colin Watson [EMAIL PROTECTED]