Quoting shirish शिरीष (2013-05-25 16:10:20)
> On Sat, May 25, 2013 at 6:16 AM, Jaseem Abid <jaseemabid@gmail.com>
> wrote:
> > I remember having a talk with Praveen while we were packaging gems
> > for Debian - where he mentioned that often system administrators
> > install packages only from official repos and not with gems, pip
> > etc. Since anybody can run a PPA, how do we deal with the
> > trust/authenticity issue? How is it being done already?
>
> They are/were studying something called WebID, see this thread. There
> are also a few other alternatives which are/were also discussed on the
> parent thread as well.
>
> https://lists.debian.org/debian-devel/2013/05/msg01070.html
>
> Also the Debian Archives seem to be different than the Ubuntu PPAs
> pretty significantly.

WebID is IMO a quite exciting emerging protocol, but the concerns raised at the recent Debian mailing list thread are important ones to have addressed - not only for Debian but for WebID in general.

The authentication system currently used by central Debian admins (i.e. DAM I think) for use by non-central services is CAS. More info about CAS in Debian package libapache2-mod-auth-cas and corresponding upstream Homepage <http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas>.

Beware, though, that CAS or WebID will only help identify _who_ offered some PPA/DPA/whatever - not its quality.

...but one of the features I find so very exciting about WebID is its ties to semantic web, which allows e.g. an independent decentralized "crowd-judgement" system to be set up across official and unofficial packages. Imagine being able to express this:

"I want to subscribe to official stable Debian packages except those Jonas is involved in, if same is also offered in one of these 5 alternative unofficial sources and rated "decent" or better by at least 10 of my own friends or friends of friends."

Hope that helps :-)

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private