On Tue, Feb 02, 2010 at 07:15:01PM +0100, Helge Kreutzmann wrote: > Upgrading a system is a delicate process. Since there is no DSA I've to > rely on www.debian.org that everything is ok. A very basic check is > the version number. For this update it was *hard* to check it. That source isn't trustable given that it's not secured in any way. What's trustable is the trust chain to the update, including the sources. So you're of course free to fetch the sources and to check them against snapshots.d.o (iff there's a way to verify the latter, as the old versions are only kept for a few days post-point-release). Apart from that all we'd need would be a "correction" wml tag that actually takes and displays a version. It'd be easy to generate the wml input based on that, given that it's template-based[1] already. Kind regards, Philipp Kern [1] http://git.debian.org/?p=debian-release/release-tools.git;a=blob;f=scripts/TEMPLATE.wml;h=ffc36fbd8f836fa558f4c28780c2a0701962e80d;hb=HEAD -- .''`. Philipp Kern Debian Developer : :' : http://philkern.de Stable Release Manager `. `' xmpp:phil@0x539.de Wanna-Build Admin `- finger pkern/key@db.debian.org
Attachment:
signature.asc
Description: Digital signature