Re: The Debian Mentors Project
Ivo Marino wrote:
> On Tue, 13 May 2003, Matthew Palmer wrote:
> > It appears as though anyone who has an account can upload any package they
> > like. While this isn't a pressing problem for sponsors (since they'll be
> > collecting source and checking the signatures on the .dsc), this could be a
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n. What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
> >
> If someone can already point out an eventual solution for this problem
> we'll be open to considering any suggestion in order to improve the system.
If I may make a suggestion, a user should only be able to upload a
package that either:
a) doesn't appear in the repository
-or-
b) already has the uploader as maintainer
-or-
c) has a RFA/O bug filed in WNPP
That should provide a first line of defense against trojan packages.
Just my $0.02. Thanks again for the great service!
Joe Nahmias, DD wannabe
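The three-rule upload policy proposed above, written out as an archive-side authorization check. This is an added example, not code from the thread or from the Debian Mentors service; the maintainer map, the WNPP map, the function names and the sample packages and people are all assumptions.

```python
"""Upload-authorization check for the three rules proposed in the thread.

Assumptions (not from the original mail): the archive keeps a mapping
package -> Maintainer field taken from its *own* records, and WNPP is
available as a mapping package -> bug type ("RFA", "O", "ITA", ...)."""
import re
from enum import Enum


class Verdict(Enum):
    NEW_PACKAGE = "a"   # rule (a): package does not appear in the repository
    MAINTAINER = "b"    # rule (b): uploader is the recorded maintainer
    ORPHANED = "c"      # rule (c): an RFA or O bug is filed in WNPP
    DENIED = "denied"   # none of the rules matched: reject the upload


_ADDR = re.compile(r"<([^>]+)>\s*$")


def maintainer_email(field: str) -> str:
    """Return the address from a 'Name <addr>' Maintainer field, lower-cased.
    A bare address is returned unchanged (apart from case)."""
    m = _ADDR.search(field.strip())
    return (m.group(1) if m else field).strip().lower()


def upload_allowed(uploader_email, package, repo_maintainers, wnpp_bugs):
    """Return the Verdict for an upload of `package` by `uploader_email`.

    Rule (b) is evaluated against the maintainer the archive already holds,
    never against the Maintainer field inside the incoming upload: a trojan
    package can claim any maintainer it likes, so that field proves nothing."""
    uploader = uploader_email.strip().lower()
    if package not in repo_maintainers:
        return Verdict.NEW_PACKAGE
    if maintainer_email(repo_maintainers[package]) == uploader:
        return Verdict.MAINTAINER
    if wnpp_bugs.get(package) in ("RFA", "O"):
        return Verdict.ORPHANED
    return Verdict.DENIED


# Constructed sample data: made-up packages, people and bug states.
REPO = {"foo": "Alice Example <alice@example.org>",
        "bar": "Bob Example <bob@example.org>"}
WNPP = {"bar": "O"}

if __name__ == "__main__":
    for who, pkg in [("alice@example.org", "foo"), ("mallory@example.net", "foo"),
                     ("mallory@example.net", "bar"), ("mallory@example.net", "baz")]:
        print(f"{who} -> {pkg}: {upload_allowed(who, pkg, REPO, WNPP).name}")
```

The check covers only who may replace what; it says nothing about whether the uploaded .dsc signature is valid, which sponsors still verify themselves.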