Comment 4 for bug 238370

Celso Providelo (cprov) wrote :

Right, there is a long-running effort to allow the current, already distributed, infrastructure to support 'external' buildds. Read 'external' as machines/clients outside our trusted network.

Technically speaking, it would be quite easy to support that, including its natural implications, such as dedicated per-project/PPA buildds. However, it incurs some possible security issues that can't be easily sorted out.

For instance, as a user of PPA-hosted packages, the most important assumption that I can make is that "the binaries being installed on my computer *were* indeed built from the corresponding sources hosted in the same PPA and nothing else". That, IMHO, is what encourages users to actually *prefer* packages built in the PPA system over other ones built somewhere else, who knows where.

You know, better than me, that poisoned binaries aren't at all difficult to build or distribute, but they are very hard to identify, due to the very trusted nature of our package system. When we allow 'external' buildds, we will be mixing trusted (at least, easier to trust) packages with some others that must be very carefully audited before being trusted.

That said, thanks for your report; that's indeed a challenge that we want to face and thus improve the throughput of the Launchpad buildfarm with the help of our community. Let's keep this bug report open to track progress in this area.