Re: Facilitating external repositories
]] Wouter Verhelst
> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.
I've always been a bit unhappy about the idea of using keys to decide
which repositories are trusted or not. The signature is there primarily
to act as an anti-MITM tool. This is a bit similar (or maybe
equivalent) to the difference between authentication and authorization
for access control.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Reply to: