Fabrizio Polacco <fpolacco@icenet.fi> writes:

> Instead of discussing if we should or not _allow_ such repositories, we
> should create a system that would permit users to notice when they are
> installing "unofficial" packages _before_ they do that.
>
> What I would like to see is a version of dpkg (not dselect or deity)
> that checks a "signature" (or a sort of) on each package and inform
> users of the "unofficiality" of each package, asking permission to
> install as root. Such dpkg should not only accept Debian's signature,
> but also signatures from some third party (for example a commercial
> distribution derived from Debian and that has a commitment with us), or
> packages built directly by the user itself.

There is a system for checking after the fact - check out:

http://dpkgcert.jimpick.com/

Of course, it's been running for a whole month and a half and nobody has
used it other than myself. Oh well. :-)

If there is a problem with people filing bug reports for non-Debian
packages (with the same name) in the Debian bug system, then it might be
necessary for the bug system to also require the maintainer name of the
package, and a verified package signature. But that seems like an awful
lot of work -- especially when the problem hasn't occurred yet.

I don't want to impose any rules on the contributors to the unofficial
repository, but if they are making .deb packages - I'd bet they are
going to be fairly respectful of Debian rules anyway. Why tick off your
users?

Cheers,

 - Jim
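The installer behaviour Fabrizio sketches (verify a signature on each package, accept Debian's key plus a few third-party or local keys, and prompt before installing anything that is not official) boils down to a small trust policy on top of signature verification. The following is an added illustration of that policy, not code from this thread, from dpkg or from dpkgcert. It uses HMAC-SHA256 over the package digest as a stand-in for a real public-key (PGP) signature so it runs with the Python standard library alone; the keyring, signer ids and package bytes are constructed for the example.

```python
"""Trust-classified package signature check (constructed example)."""
import hashlib
import hmac

# Constructed keyring: signer id -> (verification key, trust class).
# HMAC stands in for a public-key signature here; a real dpkg check would
# verify a detached PGP signature against a public keyring instead.
KEYRING = {
    "debian-archive": (b"constructed-debian-key", "official"),
    "partner-distro": (b"constructed-partner-key", "third-party"),
    "local-builder": (b"constructed-local-key", "local"),
}


def package_digest(package_bytes: bytes) -> bytes:
    """Hash the .deb contents; the signature is made over this digest."""
    return hashlib.sha256(package_bytes).digest()


def sign_package(package_bytes: bytes, signer_id: str) -> str:
    """Produce the stand-in signature a signer in the keyring would attach."""
    key, _trust = KEYRING[signer_id]
    return hmac.new(key, package_digest(package_bytes), hashlib.sha256).hexdigest()


def classify_package(package_bytes: bytes, signer_id, signature):
    """Return (status, trust_class) for a package and its claimed signature.

    status is one of:
      "verified" - signature checks out against a keyring entry
      "unsigned" - no signature supplied
      "unknown"  - signer id not in the keyring
      "invalid"  - signer known but signature does not match (tampered/forged)
    trust_class is the keyring entry's class, or None unless verified.
    """
    if signer_id is None or signature is None:
        return "unsigned", None
    entry = KEYRING.get(signer_id)
    if entry is None:
        return "unknown", None
    key, trust = entry
    expected = hmac.new(key, package_digest(package_bytes), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, signature):
        return "invalid", None
    return "verified", trust


def install_decision(package_bytes: bytes, signer_id, signature, ask) -> str:
    """Decide what a dpkg-like installer does: "install", "skip" or "refuse".

    ask(message) -> bool is the prompt shown to the root user for anything
    that is not an official package, as the quoted proposal asks for.
    """
    status, trust = classify_package(package_bytes, signer_id, signature)
    if status == "verified" and trust == "official":
        return "install"  # official package: no prompt needed
    if status == "invalid":
        return "refuse"   # a known signer's signature failed: never install
    if status == "verified":
        msg = f"Package is signed by {signer_id} ({trust}), not by Debian. Install anyway?"
    else:
        msg = f"Package is {status}; it is not an official Debian package. Install anyway?"
    return "install" if ask(msg) else "skip"


if __name__ == "__main__":
    pkg = b"constructed .deb contents"
    sig = sign_package(pkg, "partner-distro")
    print(install_decision(pkg, "partner-distro", sig, lambda m: print(m) or True))
```

The one case the policy refuses outright is a package that names a known signer but fails verification: an unsigned or unknown-signer package is merely "unofficial" and gets the prompt, whereas a failed signature from a trusted signer means the file was altered or the signature forged, and prompting the user would only invite them to accept it.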