
Re: GroundZero (third party deb repository)



On Fri, Feb 13, 1998 at 11:14:42PM +0100, Christian Leutloff wrote:
> Luis Francisco Gonzalez <luisgh@cogs.susx.ac.uk> writes:
> 
> > How hard would it be to implement this field for official packages? Then,
> > with time dpkg could refuse to install packages without an origin unless
> > some "--force" option is used.
> 
> We shouldn't let dpkg refuse to install other packages in Debian
> format! We *are* encouraging people to use Debian as a base for their
> own distribution and then we put something like that in place!? Please
> don't do something restrictive. On the other hand it should be useful
> to mark packages where they come from.
> 

This "Origin:" field also has a security purpose: to allow installation
of packages certified by some trusted party and to avoid installation of
packages coming from untrusted (or malicious) parties.

This would need a configuration file where the sysadmin will add trusted
parties (to allow) and untrusted (to disallow). The file would have SPI
listed as trusted by default, but treated as any other entry, to let
another distribution use dpkg and .deb even if built in a different
and incompatible way than Debian.

For parties not listed in the configuration file, dpkg should be able to
behave at the will of the sysadmin, refusing, accepting or asking depending
on another "default" entry in the config file.

Something like:

===============
Accept:		# origins whose packages will be installed
	SPI
	KDE
	NOVARE
Refuse:		# origins whose packages will be refused
	Kill-a-cop
	Disk-eaters
	Spammers United
Default:	# what to do with packages without or unknown origin
	#refuse
	#accept
	ask
===============

The names listed (and used in the origin field) should be userIDs in
dpkg's keyring (or any other database of certificates dpkg will use).


This is only a suggestion, just my 2cents, 'cause I'm not dpkg's
maintainer/guru

fab
-- 
| fpolacco@icenet.fi    fpolacco@debian.org    fpolacco@pluto.linux.it
| Líder Minimo del Pluto    -     Debian Developer & Happy Debian User
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> more than 34 months are needed to get rid of the millennium. [me]


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble?  e-mail to templin@bucknell.edu .
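
The policy file sketched in the message above, evaluated in code. This is an added example, not part of the original message and not dpkg code. The names `parse_policy` and `decide` are hypothetical, and three rules are assumptions: a Refuse entry wins over an Accept entry, a missing Default means refuse, and an Origin value is only trusted when it equals the user ID of the keyring key that verified the package (the signature check itself is assumed to happen elsewhere).

```python
# Added illustration: evaluating the proposed origin policy file.
# Tie-breaking and fail-closed rules below are assumptions, not from the post.
SAMPLE_POLICY = """\
Accept:\t\t# origins whose packages will be installed
\tSPI
\tKDE
\tNOVARE
Refuse:\t\t# origins whose packages will be refused
\tKill-a-cop
\tDisk-eaters
\tSpammers United
Default:\t# what to do with packages without or unknown origin
\t#refuse
\t#accept
\task
"""

def parse_policy(text):
    """Return {'accept': set, 'refuse': set, 'default': str}."""
    policy = {"accept": set(), "refuse": set(), "default": "refuse"}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out entries
        if not line:
            continue
        if line.endswith(":") and line[:-1].lower() in policy:
            section = line[:-1].lower()
        elif section == "default":
            if line.lower() not in ("accept", "refuse", "ask"):
                raise ValueError(f"bad default action: {line!r}")
            policy["default"] = line.lower()
        elif section:
            policy[section].add(line)
        else:
            raise ValueError(f"entry outside a section: {line!r}")
    return policy

def decide(policy, origin, verified_uid):
    """origin: the package's Origin field or None. verified_uid: user ID of the
    keyring key that verified the package signature, or None if unverified."""
    if origin in policy["refuse"]:            # assumption: Refuse wins over Accept
        return "refuse"
    if origin is None or origin != verified_uid:
        return policy["default"]              # unauthenticated claim counts as unknown
    if origin in policy["accept"]:
        return "accept"
    return policy["default"]
```

A package that merely claims `Origin: SPI` without a matching verified key falls through to the Default action, so the field cannot be used to bypass the policy by typing a trusted name.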