Re: RPM

To: Bruce Perens <bruce@pixar.com>
Cc: meierrj@frc.com, debian-user@lists.debian.org
Subject: Re: RPM
From: Nicolás Lichtmaier <nick@Feedback.com.ar>
Date: Wed, 2 Apr 1997 17:57:49 -0300 (ARST)
Message-id: <[🔎] Pine.LNX.3.95q.970402175246.1195A-100000@newton>
In-reply-to: <[🔎] m0wCTvn-00Idf6C@golem.pixar.com>

On Wed, 2 Apr 1997, Bruce Perens wrote:

> Unfortunately, I feel that Debian must bear the cost of certification
> of maintainers and original authors. Unless I can tell someone I know
> where a program came from, no other security procedures can be trusted
> to have any effectiveness whatsoever.

 Yes, they are. Testing, and revising developers diffs. If you could check
package MD5 (someday we'll be able to do this =) ), you'll only need to
see the diff.gz to check for security problems (Asuming we can trust the
mainstream developer).
 The proble left is: The .deb uploaded can be generated by a source not
included in the source package. It would be great if gcc placed some kind
of signature in binaries... but it doesn't... So.. what can we do? I say:
let's make all developers upload only the source versions of their
packages! An automated script can compile all the packages in some trusted
environment.

-- 
Nicolás Lichtmaier.-  | Try visiting #debian in Undernet (us.undernet.org)
nick@feedback.com.ar  | The channel of the debian developers =)

Reply to:

Follow-Ups:
- Re: RPM
  - From: Paul Wade <paulwade@greenbush.com>

References:
- Re: RPM
  - From: bruce@pixar.com (Bruce Perens)

Prev by Date: Re: The ultimate fate of Debian
Next by Date: Re: The ultimate fate of Debian
Previous by thread: Re: RPM
Next by thread: Re: RPM
Index(es):
- Date
- Thread