[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Status of new packages in Incoming?

Raul Miller wrote:
> Which implies that we should validate packages against developer's key
> before install, and that we should have some kind of list indicating
> which developers are working on which package for which architecture
> which is maintained under tighter control than the mirrors.
> We probably don't want to forbid install if package is signed by the
> wrong key -- but we want to do everything we can to help the sysadmin
> examine the package under that circumstance.

As I have already posted, the situtation you are talking about is the status
quo. And as far as I know nobody has gotten a trojan package in to Incoming,
so I'm confused why you are try to fix what's not broken.

I hope we get signed packages RSN. We need them badly, for completly
unrelated reasons. 

However, I am firmly opposed to any system that makes it harder to do NMU's,
and what you're proposing seems to do that.

see shy jo

Reply to: