On Fri, 2003-02-21 at 22:03, Florian Weimer wrote:
> Brian May <bam@debian.org> writes:
>
> > On Sat, Feb 15, 2003 at 07:54:11PM +0100, Florian Weimer wrote:
> >> If such things happen, how can you trust the Debian Project to
> >> deliver uncompromised software?
> >
> > It was one isolated event.
>
> Yes, but more such events will follow. One of them will be the first
> big compromise. Currently, I can only recommend Debian privately
> because the baptism of fire is still to happen.

[...]

> Working package and release signature would be more important at this
> point, IMHO.

While I agree that a working package verification system is needed in
Debian (and has to some degree already been implemented with Release
file signing and md5sums), I don't see how this applies to this debate.
The mICQ issue would not have been avoided with a signed package at all.

cheers
-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)