On Wed, 2014-06-18 at 13:55 +0200, Jakub Wilk wrote:
> Yes, maintaining packages properly takes time. If packaging new upstream
> releases is too much effort, why bother uploading it to Debian in the
> first place?

Actually, I think everything that tries to circumvent the package management system should be considered harmful in the first place... one should probably not allow it in main at all... and all downloader packages should have to go to contrib or non-free.

Question however is,... what about packages like Mozilla-stuff or gnome-shell which more or less actively do just that via their plugin mechanisms...

Personally I'd like to see them deactivated by default... and plugins being packaged (as many are).

> There are a few mechanisms to mitigate downgrade attacks within the
> archive:
> * Valid-Until fields in the Release files;

I still think the time spans are far too long here... can someone please tell me against what I could report a bug (i.e. politely ask for enhancement by making the time span much smaller)?

Cheers,
Chris.