On Sun 05/10/2003 at 00:58, Alan Cox wrote:
>> So, in other words I would depend on arbitrary sites to supply prebuilt
>> libraries rather than getting software from trusted community
>> repositories? Would those prebuilt libraries be of the same poor quality
> Actually if the binary is supplied signed by the trusted community source
> its origin isn't actually too important. Did it come from a mirror, did
> it come from your ISP web cache - was it in fact several round robin sites.
> The truth is you already don't know.
Sure. But an srpm requires someone to document the build process.
Allowing projects to directly provide binaries means you'll soon not be
able to rebuild their stuff because their build scripts will rot in
strange and wonderful ways, depend on undocumented build environments
and anyway even if you manage to build them they will check their
signature at runtime and refuse to run if they're not signed by the
upstream project key.
Which I'm sure the gcc people will love next time they want to release a
new version since instead of pulling a RedHat they'll have to convince
every single project the system uses it's time to upgrade their build
tools.
(and in case someone thinks I'm overly pessimistic - this kind of stuff
already exists. I met it. Every single aspect from the broken build
system to the key check is already used by people who thought about
auto-upload before the autoupdate project. And it's not even closed
commercial stuff but pure FOSS)
--
Nicolas Mailhot