
Re: Facilitating external repositories



]] Wouter Verhelst 

> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.

I've always been a bit unhappy about the idea of using keys to decide
which repositories are trusted or not.  The signature is there primarily
to act as an anti-MITM tool.  This is a bit similar (or maybe
equivalent) to the difference between authentication and authorization
for access control.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
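The authentication/authorization split in the message above, worked through as an added example that is not part of this thread or of apt. It assumes HMAC with a per-key secret as a stand-in for an OpenPGP signature (so it runs offline with only the standard library) and uses constructed key ids, origins and a constructed `AUTHORIZED` policy table; it does not model how Debian actually configures repository trust.

```python
import hashlib
import hmac

# Constructed stand-in key material. In a real archive these would be
# OpenPGP keys; HMAC with a per-key secret plays the role of a signature here.
KEYS = {
    "debian-archive-key": b"constructed-secret-A",
    "external-repo-key": b"constructed-secret-B",
}

# Authorization policy (assumption, not Debian's mechanism): which key is
# allowed to vouch for packages from which repository origin.
AUTHORIZED = {
    "debian-archive-key": {"deb.debian.org"},
    "external-repo-key": {"repo.example.org"},
}


def sign_release(key_id, release):
    """Produce the detached 'signature' over a Release file with the given key."""
    return hmac.new(KEYS[key_id], release, hashlib.sha256).hexdigest()


def is_authentic(key_id, release, signature):
    """Authentication: was this Release file signed by the claimed key?

    This is the anti-MITM check: a tampered Release file or a signature from
    an unknown key fails here.
    """
    if key_id not in KEYS:
        return False
    expected = sign_release(key_id, release)
    return hmac.compare_digest(expected, signature)


def is_authorized(key_id, origin):
    """Authorization: is this (valid) key allowed to vouch for this origin?

    A key that is genuine but unvetted for the origin is still rejected.
    """
    return origin in AUTHORIZED.get(key_id, set())


def accept_repository(origin, key_id, release, signature):
    """Both checks must pass; a valid signature by itself does not confer trust."""
    if not is_authentic(key_id, release, signature):
        return "reject: bad signature (possible tampering)"
    if not is_authorized(key_id, origin):
        return "reject: key not authorized for this origin"
    return "accept"


if __name__ == "__main__":
    # Constructed Release file for the external repository.
    release = b"Origin: repo.example.org\nSuite: stable\n"
    sig = sign_release("external-repo-key", release)
    # Genuine key, vetted for this origin.
    print(accept_repository("repo.example.org", "external-repo-key", release, sig))
    # Genuine signature, but the key was never vetted to speak for the main archive.
    print(accept_repository("deb.debian.org", "external-repo-key", release, sig))
    # Release file modified in transit: authentication fails before policy is consulted.
    print(accept_repository("repo.example.org", "external-repo-key", release + b"tampered", sig))
```

The order of the checks matters: authentication first, so policy is only evaluated for metadata that is known to be untampered, and authorization second, so a merely valid signature never becomes a trust decision on its own.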

