On Tue, 13 May 2003, Matthew Palmer wrote:

> First off, thanks for the effort spent in getting this working. It seems
> like it could be a useful resource for the non-DD packaging public (heh). I
> have a few issues with your upload queue support, in particular.

First of all thanks for your feedback and compliments, we really appreciate it.

> It appears as though anyone who has an account can upload any package they
> like. While this isn't a pressing problem for sponsors (since they'll be
> collecting source and checking the signatures on the .dsc), this could be a
> *very* serious problem for anyone who starts relying on the binary packages
> uploaded to m.d.n. What sort of protections do you have in place or plan to
> put in place to protect against this sort of thing?

Well, actually the whole system is in a "real life" testing phase, this means that users can upload their packages mainly to test the server's repository functionality, I'm quite sure there are still some bugs which have to be discovered and fixed. We keep eyes open.

In the meantime we're working on low and high level administration tools which will allow us to easily maintain all the user accounts on the system and their respective uploaded packages, if some user isn't trustable it will be banned from the system.

Of course we can't actually ensure that all uploaded packages on the system are secure, for now we trust the testers of the system but in future we'll introduce higher security standards. If someone can already point out an eventual solution for this problem we'll be open to consider any suggestion in order to improve the system.

Furthermore I want and must remind everyone that we won't be responsible for eventual security problems in the packages on the server, feel free to use the service we offer but at your own risk.

For now we trust our users and I hope we don't ask too much.

Best regards,

I.

--
Ivo Marino <eim@mentors.debian.net>
webpage http://mentors.debian.net/~eim/
FreeNode irc.FreeNode.net #debian-mentors
Debian Mentors, A Public Package Repository