
Re: upload with name of sponsored person?

> I much prefer to get their source package, md5sum the .orig.tar.gz
> against upstream, and read the diff. Only then build the package and
> sign it. Call me paranoid. It's really not a lot harder though.

I don't think you're all that paranoid.  It's part of the responsibility
of the sponsor to double check the code, just in case.  While it'd be ugly
if someone trojaned something and tried to put it into Debian, it'd be
twice as ugly and many times more embarrassing to be the sponsor who ended
up putting the code in.

Unlike almost any other distribution, Debian ends up 'out the door' right
away (for anyone running unstable).  That little bit of paranoia is
healthy, IMHO.


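The sponsor check quoted above (verify the .orig.tar.gz against upstream before building or signing), as an added shell example that is not part of the original thread. It assumes the .dsc carries the standard "Files:" field of md5/size/name lines and that the sponsor has fetched the upstream tarball's md5 from upstream itself, not from the sponsored person.

```shell
#!/bin/sh
# Added example (not from the original thread): check a Debian source package
# the way the quoted sponsor workflow describes, before building or signing.
# Assumes the .dsc lists its files in a "Files:" field of "md5 size name" lines.

# Print "name md5" pairs from the Files: field of a .dsc.
dsc_files() {
    awk '/^Files:/ { f = 1; next } /^[^ ]/ { f = 0 } f && NF >= 3 { print $3, $1 }' "$1"
}

# Compare a file's md5 to an expected digest; 0 on match, 1 on mismatch.
check_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Verify every file listed in the .dsc against the digest the .dsc records
# (this only proves the upload arrived intact; the .dsc came from the sponsee),
# then verify the .orig.tar.gz against the digest obtained from upstream ($2),
# which is the check that actually catches a tampered tarball.
# Returns 0 only if everything matches and an .orig.tar.gz was present.
verify_source_package() {
    dsc=$1; upstream_md5=$2
    dir=$(dirname "$dsc")
    status=0
    orig_seen=0
    for pair in $(dsc_files "$dsc" | tr ' ' ':'); do
        name=${pair%%:*}; md5=${pair#*:}
        if ! check_md5 "$dir/$name" "$md5"; then
            echo "MISMATCH: $name does not match the .dsc" >&2
            status=1
        fi
        case $name in
        *.orig.tar.gz)
            orig_seen=1
            if ! check_md5 "$dir/$name" "$upstream_md5"; then
                echo "MISMATCH: $name does not match upstream" >&2
                status=1
            fi ;;
        esac
    done
    [ "$orig_seen" -eq 1 ] || { echo "no .orig.tar.gz listed in $dsc" >&2; status=1; }
    return $status
}
```

Only after this returns 0 would the sponsor go on to read the .diff.gz, build, and sign.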