Re: Debian 2.2 Release.



Itai Zukerman wrote:
  >WRT the "Origin" field, I haven't seen discussion of a reasonable way
  >to verify the origin.  I mean, what prevents someone from spoofing the
  >origin field?
  >
  >Sorry if this is obvious,
 
Rather than (or as well as) an Origin field there could be a Bugs-to
field.

dpkg-deb could refuse to build a package with bugs@debian.org in that
field if the builder's name was not in the Debian keyring.  (So official
maintainers would have to have the keyring installed.)

It wouldn't stop someone deliberately faking a package, but it would
stop local rebuilds' being wrongly identified as official packages.
dpkg-deb could also refuse to build a package without a Bugs-to
address. Bug reporting packages could then automatically send
reports to the right place.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "Ask, and it shall be given you; seek, and ye shall
      find; knock, and it shall be opened unto you."        
                                  Matthew 7:7 
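
The two refusals proposed in this message, sketched as an added example; it is not part of the original post and not dpkg-deb code. Assumptions: the builder's address is supplied by the caller, keyring membership is read from `gpg --with-colons --list-keys` style output, the sample keyring data is constructed, and all function names are hypothetical.

```python
import re

OFFICIAL_BUGS_TO = "bugs@debian.org"  # address named in the post

# Constructed sample of colon-format key listing output for a keyring.
SAMPLE_KEYRING = """\
pub:-:1024:17:0000000000000001:2000-01-01:::-:::scESC:
uid:-::::2000-01-01::::Example Maintainer <maintainer@example.org>:
"""

def keyring_emails(colons):
    """Collect addresses from pub/uid records; the 10th field is the user ID."""
    emails = set()
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "uid") and len(f) > 9:
            m = re.search(r"<([^>]+)>", f[9])
            if m:
                emails.add(m.group(1).lower())
    return emails

def parse_control(text):
    """Parse one control stanza: 'Field: value', continuation lines indented."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()  # field names are case-insensitive
            fields[last] = value.strip()
    return fields

def check_build(control_text, builder_email, keyring_colons):
    """Return (ok, reason). The builder address is self-asserted, so this
    catches mislabelled local rebuilds, not deliberately faked packages."""
    bugs_to = parse_control(control_text).get("bugs-to", "")
    if not bugs_to:
        return False, "refused: no Bugs-to address"
    m = re.search(r"<([^>]+)>", bugs_to)
    addr = (m.group(1) if m else bugs_to).strip().lower()
    known = keyring_emails(keyring_colons)
    if addr == OFFICIAL_BUGS_TO and builder_email.lower() not in known:
        return False, "refused: builder not in keyring"
    return True, "ok"
```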



