Re: Facilitating external repositories
On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> ]] Wouter Verhelst
> > Having said that, I do agree with you that we should not allow just
> > about anyone to create a repository which will be automatically trusted
> > by the whole Debian system. Establishing such a trust chain should,
> > indeed, require some vetting by at least one Debian Developer, so that
> > malicious packages can be rejected, if needs be.
> I've always been a bit unhappy about the idea of using keys to decide
> which repositories are trusted or not. The signature is there primarily
> to act as an anti-MITM tool. This is a bit similar (or maybe
> equivalent) to the difference between authentication and authorization
> for access control.
What would you suggest instead?
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26