[mosh-devel] Mosh OS X package build on Travis
John Hawkinson
jhawk at MIT.EDU
Mon Oct 31 06:18:54 EDT 2016
I think we should not lose sight of the fact that mosh is
security-sensitive software in a category unlike many other
software packages, and thus it is worth some inconvenience to
the maintainers that you might not accept in a less sensitive
tool.
Another question: would we rather we be compromised at the same time
when Github or Travis is compromised, or would we rather be
compromised independently at a different time? Feel free to substitute
"if" for "when" if it makes you feel better.
--jhawk at mit.edu
John Hawkinson
john hood <cgull at glup.org> wrote on Mon, 31 Oct 2016
at 00:12:06 -0400 in <cd544460-ff54-d516-7af9-dcb04f0b0b0e at glup.org>:
> The reasons I did this: to get a more externally-visible build for the
> package, and to do the release build on something other than my personal
> OS X machines. Of course, this means we are trading trust in my OS X
> systems for trust in Travis' OS X build environments. I think this is a
> win, any opinions?
>
> Alas, we will not get any kind of repeatable builds out of this, Travis
> constantly updates their build images and we update to current Homebrew
> for dependencies on every build.