I think I tackled this on in another email. Synopsis: mach is
defined
as a secure build environment. If it breaks, we need to fix mach. The
truly paranoid should do QA under a vserver, UML or even better on a
dedicated machine.
ok, no it's not defined that way.
mach is a program to let you build packages in known-consistent build
roots - it is not secure - someone could have an evil package spec file
that can get out of the chroot and destroy you and your system(and your
little dog, too)
mach+djinni - is much more secure - but not mach by itself.
mach was never intended to be so.
-sv