
Re: Announce of a secure repo for debian



Quoting Klaus Ethgen (Klaus@Ethgen.de):
> Hi,
> 
> Because of the recent umask disaster I decided to start a repository for
> packages which are insecure in the Debian distribution.
> 
> You can find this repository at ftp://ftp.ethgen.de/pub/debian-security
> (deb ftp://ftp.ethgen.de/pub/debian-security sid unofficial-secured).
> 
> This repository holds secured packages of the insecure Debian packages,
> just without the insecure patch (or with the insecurity patched). The full
> sources are available to build. At the moment the repository holds
> base-files, openssh and procmail.

Is this repository signed by a key?
Where is that key available?
By whom is this key signed?
Are there people around to speak and guarantee that the repository
owner is not providing malicious packages through this "secured"
repository?

Don't take me wrong. I don't question your honesty, even though I
certainly do question the technical arguments you brought in this
thread and the way you did it (the umask 'disaster'). But calling a
private repository "secured" is certainly something that is very
highly debatable.

Unless the packages you provide are inspected by the same web of trust
that lives around the official Debian repository, I think that
potential users should definitely be warned that they're using it at
their own risk (the same stands for any private repository, of course,
including those I manage myself...:-)).
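The questions above (is the repository signed, and by whom is the signing key itself signed) can be answered from the output of `gpg --with-colons --list-sigs <KEYID>`. The following is an added example, not code from the thread: it parses a constructed sample of that colon-separated listing and reports which third-party signatures on the repository key come from a set of key ids you already trust (for instance those in the official Debian keyring). All key ids and user ids in the sample are placeholders.

```python
"""Who has signed a third-party apt repository's signing key?

Added example (not from the original thread).  Parses the colon-separated
output of `gpg --with-colons --list-sigs <KEYID>` and checks the signers
against a trusted set, e.g. key ids taken from the official Debian keyring.
"""
from typing import Dict, List, Set

# Constructed sample of `gpg --with-colons --list-sigs` output for one key
# carrying a self-signature and two third-party signatures.  Field 5 of a
# 'pub' record is the key id; field 5 of a 'sig' record is the signer's id.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111AAAAAAAAAAAAAAAA:
uid:-::::1600000000::HASH::Repo Owner <owner@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Repo Owner <owner@example.invalid>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1600100000::::Some Developer <dev@example.invalid>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1600200000::::Unknown Person <who@example.invalid>:10x:
"""


def parse_signers(listing: str) -> Dict[str, List[str]]:
    """Map each listed key id to the key ids that signed it (self-sig excluded)."""
    signers: Dict[str, List[str]] = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            signers[current] = []
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]
            if signer != current:          # skip the key's own self-signature
                signers[current].append(signer)
    return signers


def trusted_signers(listing: str, trusted: Set[str]) -> Dict[str, List[str]]:
    """Keep only signatures made by keys in the caller's trusted set.

    An empty list for the repository key means nobody you already trust has
    vouched for it, which is the situation the thread warns about.
    """
    return {key: [s for s in sigs if s in trusted]
            for key, sigs in parse_signers(listing).items()}


if __name__ == "__main__":
    print(parse_signers(SAMPLE_LISTING))
    print(trusted_signers(SAMPLE_LISTING, {"BBBBBBBBBBBBBBBB"}))
```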

