Re: This is how packaging should be done.
* Jeremiah Mahler (jmahler@pacbell.net) wrote:
> On Mon, Jun 10, 2002 at 08:45:12AM -0400, Stephen Frost wrote:
> > Bad idea from a security standpoint, of course.
> 
> Not everyone is forced to use the packages contributed from the public.
> There can still be packages approved by official developers. A user
> could decide to only use the packages marked as approved and they would
> be as safe as Debian is now.

I don't believe it would be in the best interest of our users for Debian
to use its limited resources to host an essentially open FTP site where
anyone can put files which happen to have a '.deb' extension.

> > "Specific people" being the entire set of Debian people, which is a
> > pretty decently sized set of people.
> 
> What about the situation where a package is broken and the maintainer
> is unreachable. In the model described in the article anyone could
> fix the package (assuming it is not a critical package) but it would
> be marked as new so that people who only want safe packages would
> know to stay away from it. Then, if the maintainer comes back he/she
> could check the package and approve it so that it could now be used
> by people who want safe packages.

If there is a serious bug in a package and the maintainer is unavailable
the NMU system can be (and often is) used.  That's what it's there for.
Maintainers who know they're going to be unavailable even encourage it
by letting other maintainers know when they're going to be unavailable.
Additionally, for stable (and testing maybe?), security bugs are handled
by the security team.

	Stephen

Attachment: pgphaIcYI9fXm.pgp
Description: PGP signature