> Hi list,
> 
> I was wondering how it works for binary packages when they are compiled:
> 
> Are all binary packages compiled on Gentoo infrastructure after a source
> upload from the maintainer, or are there any binary packages compiled on
> maintainers' computers and then uploaded to Gentoo infra?
> 
> In fact, we had lots of trolls^W discussions about this point with
> friends and colleagues who use other distros. And there is a security
> question: do we allow uploads from developers without being sure the
> binary comes from the corresponding sources? (The maintainer may be
> malicious, or his computer may be compromised.) The « binary upload »
> practice is very common in other distro communities such as Debian.
> Therefore, I would like to know if we also have this flaw in Gentoo
> (and what you think about it).
> 
> Thank you,
> 
> JC


Hi Jean-Christophe Bach,

The difference between the Debian, etc. distros and Gentoo for me is
that Gentoo is a source distribution first, with the tools to use binary
packages later. For instance, the way I update my servers is that I have a
tree mirror and a build server. I can track the changes, compile the
packages, test them and finally deploy the built binary packages.
Debian has tools to make all this happen too, but I don't think it's
the standard way. Gentoo keeps me close to the source, with all the
power to mix and mash versions, patches, etc., and unties my hands to
take control and responsibility over my systems. I take security very
seriously too, and I would suggest you take a look at the Gentoo Hardened
Project.

Regards,
Dragostin Yanev
