Re: Status of new packages in Incoming?
- To: debian-devel <firstname.lastname@example.org>
- Subject: Re: Status of new packages in Incoming?
- From: Raul Miller <email@example.com>
- Date: Mon, 27 Sep 1999 22:16:52 -0400
- Message-id: <19990927221652.B23177@usatoday.com>
- In-reply-to: <19990927112232.A28684@molehole>
- References: <14318.571.288112.596601@bolero> <37EE4F68.F5A80EC8@hermes.cam.ac.uk> <19990926161932.A27166@glitch.snoozer.net> <37EE9EE4.A15B569C@hermes.cam.ac.uk> <19990926224434.B18583@kitenet.net> <19990927112232.A28684@molehole>
On Mon, Sep 27, 1999 at 11:22:32AM -0500, Steve Greenland wrote:
> I think the key difference is that if someone screws with the BTS or
> the Debian web site, it's not going to do *me* any harm during the time
> it takes to discover and undo the damage. If someone installs a bad or
> malicious libc6 in the archive, a buncha people could get seriously
> screwed. Depending on mirror cycles and timing, I suspect it could take
> *days* to completely correct the damage in the archive and its mirrors,
> and who tells how long for the victims to correct their local situation.

Which implies that we should validate packages against developer's key
before install, and that we should have some kind of list indicating
which developers are working on which package for which architecture
which is maintained under tighter control than the mirrors.

We probably don't want to forbid install if package is signed by the
wrong key -- but we want to do everything we can to help the sysadmin
examine the package under that circumstance.

Also, we don't want to lock people in to just the Debian keyring.
If they're getting packages from somewhere else they should be able to
start trusting that source, if that's what they want. That, and people
should be able to build up reputations.
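
The check proposed in this message, as an added example that is not part of the original post and is not Debian's code: a pre-install policy decision that consults a per-package, per-architecture maintainer list, warns instead of refusing on a wrong key, and honours sources the local admin has chosen to trust. The fingerprints, package entries and function names are constructed, and the signer fingerprint is assumed to come from a signature that has already been verified cryptographically.

```python
# Added illustration; all names, fingerprints and packages are constructed.
from dataclasses import dataclass, field

# (package, architecture) -> fingerprints of developers expected to upload it.
# Assumed to be distributed under tighter control than the mirrors.
MAINTAINERS = {
    ("libc6", "i386"): {"FPR-ALICE"},
    ("libc6", "sparc"): {"FPR-BOB"},
    ("hello", "i386"): {"FPR-CAROL"},
}
DEBIAN_KEYRING = {"FPR-ALICE", "FPR-BOB", "FPR-CAROL"}

@dataclass
class Verdict:
    status: str                      # "ok", "local-trust" or "warn"
    notes: list = field(default_factory=list)

def check_package(package, arch, signer, local_trust=frozenset()):
    """signer: fingerprint from an already-verified signature, or None."""
    expected = MAINTAINERS.get((package, arch), set())
    if signer is not None and signer in expected:
        return Verdict("ok", [f"signed by listed maintainer {signer}"])
    # Assumption: a key the local admin trusts is accepted for any package.
    if signer is not None and signer in local_trust:
        return Verdict("local-trust", [f"{signer} trusted by local admin"])
    # Do not forbid: collect what the sysadmin needs to examine the package.
    v = Verdict("warn")
    if signer is None:
        v.notes.append("no valid signature")
    elif signer in DEBIAN_KEYRING:
        others = sorted(f"{p}/{a}" for (p, a), fprs in MAINTAINERS.items()
                        if signer in fprs)
        v.notes.append(f"{signer} is a Debian key but not listed for {package}/{arch}")
        v.notes.append(f"{signer} is listed for: {', '.join(others) or 'nothing'}")
    else:
        v.notes.append(f"{signer} is in neither the Debian keyring nor local trust")
    v.notes.append(f"expected signers: {', '.join(sorted(expected)) or 'none listed'}")
    return v
```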