[arch] [arch-dev-public] Sizes of repos and maintainers

Aaron Griffin aaronmgriffin at gmail.com
Thu Apr 26 22:18:48 EDT 2007


On 4/26/07, bardo <ilbardo at gmail.com> wrote:
> On 4/25/07, Aaron Griffin <aaronmgriffin at gmail.com> wrote:
> > PKGBUILDs would be run through some aur
> > specific pacbuild instance, which will basically just test if the
> > package builds or not.  The package is then exposed via the web
> > interface, if built....
>
> Uhm... yeah... and if someone finds a vulnerability in makepkg and
> breaks the server? Basically you're allowing *anything* to be
> executed, so I'd not trust it completely... a read-only virtual
> machine reloaded every time a new package has to be built?

pacbuild does not build packages.  Build machines do.  The server
would never do anything.  Build machines pull the PKGBUILD and
satellite files and try to build the package in a chroot environment.
Unless there's a vulnerability in the chroot syscall, I see very
little going wrong there.
