Re: Debian 2.2 Release.
Itai Zukerman wrote:
>WRT the "Origin" field, I haven't seen discussion of a reasonable way
>to verify the origin. I mean, what prevents someone from spoofing the
>origin field?
>
>Sorry if this is obvious,
Rather than (or as well as) an Origin field there could be a Bugs-to
field.
dpkg-deb could refuse to build a package with bugs@debian.org in that
field if the builder's name was not in the Debian keyring. (So official
maintainers would have to have the keyring installed.)
It wouldn't stop someone deliberately faking a package, but it would
stop local rebuilds' being wrongly identified as official packages.
dpkg-deb could also refuse to build a package without a Bugs-to
address. Bug reporting packages could then automatically send
reports to the right place.
--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"Ask, and it shall be given you; seek, and ye shall
find; knock, and it shall be opened unto you."
Matthew 7:7
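
The build-time check proposed in the message above, sketched as an added example (not part of the original post and not dpkg-deb code). "Bugs-to" is the field name proposed in the message; the keyring is modelled as a constructed set of uids, and check_bugs_to and BuildRefused are hypothetical names. As the message says, this catches mislabelled local rebuilds, not deliberately faked packages.

```python
# Added illustration; not dpkg-deb code. "Bugs-to" is the field proposed in
# the message. The keyring is modelled as a plain set of uids (assumption).
from email.parser import Parser  # control files use RFC 822-style fields

OFFICIAL_BUGS_ADDRESS = "bugs@debian.org"

# Constructed sample: uids as they would be read from the Debian keyring.
KEYRING_UIDS = {"Jane Maintainer <jane@example.org>"}

# Constructed sample control files.
CONTROL_OFFICIAL = """\
Package: hello
Maintainer: Jane Maintainer <jane@example.org>
Bugs-to: bugs@debian.org
Description: constructed sample package
 Continuation lines are folded like mail headers.
"""
CONTROL_LOCAL = CONTROL_OFFICIAL.replace("bugs@debian.org", "bugs@example.net")
CONTROL_NO_BUGS_TO = "Package: hello\nDescription: constructed sample\n"


class BuildRefused(Exception):
    """Raised where the proposed check would refuse to build the package."""


def check_bugs_to(control_text, builder_uid, keyring_uids=KEYRING_UIDS):
    """Return the Bugs-to address if the build may proceed, else raise."""
    fields = Parser().parsestr(control_text, headersonly=True)
    bugs_to = (fields.get("Bugs-to") or "").strip()
    # Second proposal: every package must say where bug reports go.
    if not bugs_to:
        raise BuildRefused("no Bugs-to address in control file")
    # First proposal: only builders in the keyring may claim the official
    # address, so a local rebuild cannot pass as an official package.
    is_official = bugs_to.lower() == OFFICIAL_BUGS_ADDRESS
    if is_official and builder_uid not in keyring_uids:
        raise BuildRefused(
            f"{builder_uid!r} is not in the keyring; "
            f"a local rebuild may not claim {OFFICIAL_BUGS_ADDRESS}"
        )
    return bugs_to


if __name__ == "__main__":
    for uid in ("Jane Maintainer <jane@example.org>", "Local Admin <root@localhost>"):
        try:
            print(uid, "->", check_bugs_to(CONTROL_OFFICIAL, uid))
        except BuildRefused as err:
            print(uid, "-> refused:", err)
```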