
Re: Facilitating external repositories

]] Wouter Verhelst

> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.

I've always been a bit unhappy about the idea of using keys to decide
which repositories are trusted or not.  The signature is there primarily
to act as an anti-MITM tool.  This is a bit similar (or maybe
equivalent) to the difference between authentication and authorization
for access control.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
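The authentication/authorization split made in this message, as an added illustration that is not part of the original thread and not apt's own code: a Release file is first checked against a keyring (does the signature prove the named key produced exactly these bytes, which is what defeats a man-in-the-middle), and only then against a separate policy (is that key allowed to vouch for this Origin). The key ids, the Release text and the policy are constructed, and the signature primitive is an HMAC stand-in for a real OpenPGP signature so the block runs with only the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for a keyring: key id -> verification secret.
# A real archive keyring holds OpenPGP public keys; HMAC is used here only
# so the example is self-contained.
KEYRING = {
    "DEADBEEF00000001": b"constructed-debian-archive-secret",
    "DEADBEEF00000002": b"constructed-external-repo-secret",
}

# Authorization policy, deliberately separate from the keyring: which key is
# trusted to vouch for which Origin. Knowing a key (authentication) is not
# the same as trusting its holder for a given repository (authorization).
TRUST_POLICY = {
    "DEADBEEF00000001": {"Debian"},
    "DEADBEEF00000002": {"ExampleExternal"},
}

# Constructed Release file fragments.
DEBIAN_RELEASE = "Origin: Debian\nSuite: stable\nCodename: example\n"
EXTERNAL_RELEASE = "Origin: ExampleExternal\nSuite: stable\n"


def parse_release(text):
    """Parse 'Field: value' lines of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def sign_release(text, key_id, keyring=KEYRING):
    """Produce the stand-in signature a repository owner would publish."""
    return hmac.new(keyring[key_id], text.encode(), hashlib.sha256).hexdigest()


def verify_release(text, signature, key_id, keyring=KEYRING, policy=TRUST_POLICY):
    """Return a status string describing which check, if any, failed.

    'unknown-key'      -> no key material, nothing can be verified
    'bad-signature'    -> authentication failed: tampered or spoofed in transit
    'unauthorized-key' -> authenticated, but this key may not vouch for this Origin
    'ok'               -> both checks passed
    """
    # Step 1: authentication. Did the holder of key_id sign exactly this text?
    secret = keyring.get(key_id)
    if secret is None:
        return "unknown-key"
    expected = hmac.new(secret, text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"

    # Step 2: authorization. A valid signature from a known key is not enough;
    # the key must be trusted for the Origin this Release claims.
    origin = parse_release(text).get("Origin", "")
    if origin not in policy.get(key_id, set()):
        return "unauthorized-key"
    return "ok"


if __name__ == "__main__":
    sig = sign_release(DEBIAN_RELEASE, "DEADBEEF00000001")
    print(verify_release(DEBIAN_RELEASE, sig, "DEADBEEF00000001"))
    # Same bytes signed by the external key: authentic, but not authorized.
    print(verify_release(DEBIAN_RELEASE,
                         sign_release(DEBIAN_RELEASE, "DEADBEEF00000002"),
                         "DEADBEEF00000002"))
```

Keeping the policy outside the keyring is the point: adding a key so that signatures can be checked does not by itself grant that key the right to publish packages as a given Origin, which is the vetting step the quoted message asks for.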
