On Thu, Apr 30, 2015 at 10:08 AM Jeremy <
voldermort@hotmail.com> wrote:
Mathieu Boespflug-4 wrote
> We're not introducing dependencies on dynamically linked system libraries
> that makes tooling hard to distribute. We're not asking users to install
> anything new that isn't already a staple of most developer desktops
My sole concern with this is that git is often not present on build servers,
which may be minimal cloud VMs. Here's what I get when I try to install git
on mine:
# apt install git --no-install-recommends
...
The following NEW packages will be installed:
git git-man libcurl3-gnutls liberror-perl libexpat1 libgdbm3 perl
perl-modules
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 10.4 MB of archives.
After this operation, 57.2 MB of additional disk space will be used.
Not unbearable, but not insignificant either.
One possible workflow[1] would be to have a dedicated system that uses Git and GPG to pull the current versions of all packages and verify signatures. That system could then create a snapshot of that information that could simply be downloaded by a build server. In fact, there could even be a public server available providing that functionality, with the caveat that- like today- you'd need to trust that server to not be compromised.
I think this is what Mathieu was getting at when he said:
> Further, users can still opt-out of signature verification if they want to.
Michael
[1] And possible may be too weak a word, as I have an implementation pretty close to this already.