
Re: leaks in our only-signed-software fortress



On Mon, 2012-02-20 at 19:50 -0500, Michael Gilbert wrote:
> But anyway, I think to get anywhere you'll need to help get Debian
> policy 2.2.1 clarified for these kinds of conditions.  Then you'll be
> able to submit bugs with appropriate RC severity so they'll have to be
> handled.
Phew... changing the policy is a terrible quest ;)

And honestly, I don't think that all that is necessary can be coded in a
policy.
Especially as much is a best effort thing... like getting a trust path
to upstream, or if this is not possible, download the sources from
multiple different computers, etc.

And we have many cases where maintainers would really have to patch
software to prevent it from possibly doing nasty things (take all the
packages with AppStore-like stuff as an example: Mozilla Add-Ons, GNOME
Shell Extensions, etc.)

Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

