Re: uploaded package handling
Hi,
>>"Dale" == Dale Scheetz <dwarf@polaris.net> writes:
Dale> On Mon, 8 Apr 1996, Bruce Perens wrote:
Bruce> PGP is free, and it lets us have some confidence that the person who
Bruce> sent the package really is the maintainer. Given the potential
Bruce> for trojan horse attacks, that's important.
Dale> This seems somewhat paranoid to me besides being redundant. All
Dale> uploads to master are now done via the maintainers login and
Dale> password. This should be adequate protection from outside
Dale> meddling. As for internal mistakes, it's not clear to me that a
Dale> pgp signature will be a lot of help. In principle I am opposed
Dale> to such security measures in what is substantially a public
Dale> forum.
Ah, but pgp signing the changes file that contains the md5
sums extends beyond master.debian.org. I never get my packages from
master (I don't think I'm supposed to), I always get them from a
mirror site. It gives me a measure of confidence to check the
changes file with pgp, and run md5sum on the deb file to ensure that
the ftp site contains genuine packages. (It might be a good idea,
BTW, to have each directory also contain a pgp signed md5sums file,
for all the packages contained therein. )
Dale> Thanks,
Dale> Dwarf
manoj
--
Manoj Srivastava Systems Research Programmer, Project Pilgrim,
Phone: (413) 545-3918 A143B Lederle Graduate Research Center,
Fax: (413) 545-1249 University of Massachusetts, Amherst, MA 01003
<srivasta@pilgrim.umass.edu> <URL:http://www.pilgrim.umass.edu/%7Esrivasta/>
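The two-step check Manoj describes (verify the pgp signature on the .changes file, then compare each .deb fetched from a mirror against the sums that file lists) as an added example; this is not code from the thread or from Debian's own tools. It assumes the .changes layout in use today (a Files: stanza with md5sum, size, section, priority and filename, plus a Checksums-Sha256: stanza) and a gpg binary for the signature step; the package contents, mirror directory and keyring path are constructed stand-ins, not real .deb files.

```python
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Line layout of the stanzas this checker reads (as found in a .changes file today):
#   Files:             " <md5sum> <size> <section> <priority> <filename>"
#   Checksums-Sha256:  " <sha256> <size> <filename>"
STANZA_RE = re.compile(r"^(Files|Checksums-Sha256):\s*$")


def parse_changes(text):
    """Return {filename: {"md5": ..., "sha256": ..., "size": int}} from a .changes body.

    Works on the clearsigned file as downloaded: armour lines and the PGP header
    are skipped, and a stanza ends at the first non-indented line."""
    entries = {}
    stanza = None
    for line in text.splitlines():
        if line.startswith("-----"):          # -----BEGIN PGP SIGNED MESSAGE----- etc.
            stanza = None
            continue
        header = STANZA_RE.match(line)
        if header:
            stanza = header.group(1)
            continue
        if not line.startswith(" "):          # any other field or a blank line ends the stanza
            stanza = None
            continue
        parts = line.split()
        if stanza == "Files" and len(parts) == 5:
            digest, size, _section, _priority, name = parts
            entries.setdefault(name, {}).update(md5=digest, size=int(size))
        elif stanza == "Checksums-Sha256" and len(parts) == 3:
            digest, size, name = parts
            entries.setdefault(name, {}).update(sha256=digest, size=int(size))
    return entries


def verify_signature(changes_path, keyring):
    """Step one: is the .changes file signed by a key in the maintainer keyring?

    Returns True/False from gpg's exit status, or None when gpg is not installed,
    so the caller cannot mistake "unchecked" for "good". The keyring is whatever
    the site distributes; the caller supplies its path."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--verify", changes_path],
        capture_output=True,
    )
    return proc.returncode == 0


def verify_files(entries, mirror_dir):
    """Step two: compare each file on the mirror with the sums the signed file lists.

    Returns {filename: "ok" | "missing" | "size mismatch" | "sha256 mismatch" | "md5 mismatch"}.
    Every digest the stanza lists is checked; MD5 on its own (the 1996 scheme) gives
    far weaker assurance today because collisions against it are practical."""
    verdicts = {}
    for name, expected in entries.items():
        path = Path(mirror_dir) / name
        if not path.is_file():
            verdicts[name] = "missing"
            continue
        data = path.read_bytes()
        if len(data) != expected["size"]:
            verdicts[name] = "size mismatch"
        elif "sha256" in expected and hashlib.sha256(data).hexdigest() != expected["sha256"]:
            verdicts[name] = "sha256 mismatch"
        elif "md5" in expected and hashlib.md5(data).hexdigest() != expected["md5"]:
            verdicts[name] = "md5 mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def build_changes_body(files):
    """Constructed stand-in for the body a maintainer would clearsign; only the
    stanzas the checker reads are emitted."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}" for n, d in files.items()]
    lines.append("Files:")
    lines += [f" {hashlib.md5(d).hexdigest()} {len(d)} misc optional {n}" for n, d in files.items()]
    return "\n".join(lines) + "\n"


def demo():
    """Constructed mirror: one intact package, one altered after signing, one absent."""
    packages = {  # constructed byte strings standing in for real .deb archives
        "foo_1.0-1_i386.deb": b"!<arch>\ndebian-binary  foo contents\n",
        "bar_2.1-3_i386.deb": b"!<arch>\ndebian-binary  bar contents\n",
        "baz_0.9-2_i386.deb": b"!<arch>\ndebian-binary  baz contents\n",
    }
    changes = build_changes_body(packages)       # what the maintainer signed
    with tempfile.TemporaryDirectory() as mirror:
        (Path(mirror) / "foo_1.0-1_i386.deb").write_bytes(packages["foo_1.0-1_i386.deb"])
        # bar is replaced on the mirror by a same-sized file: size alone would not catch it
        (Path(mirror) / "bar_2.1-3_i386.deb").write_bytes(
            packages["bar_2.1-3_i386.deb"].replace(b"bar contents", b"BAR CONTENTS"))
        # baz never reached this mirror
        return verify_files(parse_changes(changes), mirror)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In use, call verify_signature() on the downloaded .changes file first and act on the verdicts from verify_files() only when it returned True; a None result means nothing was checked. Keeping the signature step separate from the sum comparison is what makes the scheme reach beyond master: the sums are trusted because the signature is, not because the mirror served them.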