
Re: uploaded package handling



Hi,

>>"Dale" == Dale Scheetz <dwarf@polaris.net> writes:

Dale> On Mon, 8 Apr 1996, Bruce Perens wrote:
Bruce> PGP is free, and it lets us have us some confidence that the person who
Bruce> sent the package really is the maintainer. Given the potential
Bruce> for trojan horse attacks, that's important.
 
Dale> This seems somewhat paranoid to me beside being redundant. All
Dale> uploads to master are now done via the maintainers login and
Dale> password. This should be adequate protection from outside
Dale> meddling. As for internal mistakes, it's not clear to me that a
Dale> pgp signature will be a lot of help.  In principle I am opposed
Dale> to such security measures in what is substantially a public
Dale> forum.

	Ah, but pgp signing the changes file that contains the md5
 sums extends beyond master.debian.org.  I never get my packages from
 master (I don't think I'm supposed to), I always get them from a
 mirror site.  It gives me a measure of confidence to check the
 changes file with pgp, and run md5sum on the deb file to ensure that
 the ftp site contains genuine packages.  (It might be a good idea,
 BTW, to have each directory also contain a pgp signed md5sums file
 for all the packages contained therein.)

Dale> Thanks,

Dale> Dwarf
	manoj

-- 
Manoj Srivastava               Systems Research Programmer, Project Pilgrim,
Phone: (413) 545-3918                A143B Lederle Graduate Research Center,
Fax:   (413) 545-1249         University of Massachusetts, Amherst, MA 01003
<srivasta@pilgrim.umass.edu> <URL:http://www.pilgrim.umass.edu/%7Esrivasta/>
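The signed-md5sums scheme described in the message above, as an added example that is not part of this thread and not Debian's own tooling. Ed25519 from Go's standard library stands in for PGP (an assumption made so the example runs offline; the property used is the same, only the holder of the private key can sign). The package names and contents are constructed sample data, and md5 is kept because it is what the post uses; a current deployment would use SHA-256. The point the code makes is the one Manoj makes: the signature is checked before any line of the manifest is believed, so a mirror that rewrites a .deb cannot simply rewrite the checksum file to match.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Packages maps a filename (as it would sit in one ftp directory) to its bytes.
type Packages map[string][]byte

// BuildManifest produces the per-directory checksum file suggested in the post:
// one "<md5 hex>  <filename>" line per package, sorted so the output is reproducible
// and therefore re-signable by the maintainer.
func BuildManifest(pkgs Packages) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := md5.Sum(pkgs[n])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return buf.Bytes()
}

// SignManifest is the maintainer's step. Ed25519 is a stand-in for PGP here (assumption);
// the private key never reaches master or any mirror.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyMirror is the downloader's step, run against whatever a mirror served.
// pub is the maintainer key the downloader already trusts, obtained out of band,
// never from the mirror being checked.
func VerifyMirror(pub ed25519.PublicKey, manifest, sig []byte, served Packages) error {
	// Signature first: an unsigned checksum file is no harder to replace than the .deb.
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature does not verify: manifest or signature altered, or wrong key")
	}
	listed := 0
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != md5.Size*2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want, name := fields[0], fields[1]
		data, ok := served[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from mirror", name)
		}
		sum := md5.Sum(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: md5 mismatch, mirror copy is not what the maintainer signed", name)
		}
		listed++
	}
	if listed == 0 {
		return errors.New("manifest lists no packages")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample "packages" standing in for .deb files.
	orig := Packages{"foo_1.0-1.deb": []byte("foo contents"), "bar_2.1-3.deb": []byte("bar contents")}
	manifest := BuildManifest(orig)
	sig := SignManifest(priv, manifest)

	fmt.Println("honest mirror:", VerifyMirror(pub, manifest, sig, orig))

	trojaned := Packages{"foo_1.0-1.deb": []byte("foo contents plus trojan"), "bar_2.1-3.deb": orig["bar_2.1-3.deb"]}
	fmt.Println("tampered package:", VerifyMirror(pub, manifest, sig, trojaned))

	// A mirror that also rewrites md5sums to match its trojan still fails: it cannot re-sign.
	fmt.Println("rewritten manifest:", VerifyMirror(pub, BuildManifest(trojaned), sig, trojaned))
}
```

Run as is and the first check reports `<nil>`; the other two report errors. The separate signature over the checksum file is what carries trust past master's login password: the mirror never needs to be trusted, only the maintainer's public key, which the downloader has to obtain through some path the mirror does not control.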