> Yes, they are. Testing, and revising developers' diffs. If you could check
> package MD5 (someday we'll be able to do this =) ), you'll only need to
> see the diff.gz to check for security problems (Assuming we can trust the
> mainstream developer).

What Nick is trying to say here is that we are working on procedures for
signing source packages all the way back to the original author, and making
it easy to see exactly what Debian has changed. We had it _almost_ right.

> The problem left is: The .deb uploaded can be generated by a source not
> included in the source package. It would be great if gcc placed some kind
> of signature in binaries...

But how do you guarantee that someone doesn't pervert gcc?

> let's make all developers upload only the source versions of their
> packages! An automated script can compile all the packages in some trusted
> environment.

When I last heard, we had some 240 (out of 900) packages not converted to
the new source format. This gets in the way of automatic compilation.
Volunteers to work on that are welcome.
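The check sketched in this exchange (verify the upstream tarball against the digest its author published, then review only the Debian delta) as an added example. This is illustration code written for this page, not code from the thread, from Debian's packaging tools or from any real package; the file names, contents and tarballs are constructed in the script, and SHA-256 stands in for the MD5 the thread mentions.

```python
"""Added example (not from the original thread or from Debian tooling).

Models the procedure described above: confirm that the upstream source
Debian started from matches the digest the upstream author published,
then show exactly what Debian changed on top of it, so a reviewer only
has to read the Debian delta. All inputs below are constructed.
"""
import difflib
import hashlib
import io
import tarfile


def make_tarball(files):
    """Build an in-memory tar from {path: bytes} with fixed metadata so the
    archive bytes, and therefore the digest, are deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def read_tarball(data):
    """Return {path: bytes} for the regular files in an in-memory tar."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def debian_delta(upstream, debian):
    """Unified diff per file between the upstream tree and the Debian tree;
    files that are identical in both are omitted."""
    delta = {}
    for name in sorted(set(upstream) | set(debian)):
        before = upstream.get(name, b"").decode().splitlines(keepends=True)
        after = debian.get(name, b"").decode().splitlines(keepends=True)
        diff = "".join(difflib.unified_diff(before, after, "a/" + name, "b/" + name))
        if diff:
            delta[name] = diff
    return delta


def review(orig_tar, published_digest, debian_tar):
    """Return (upstream_verified, delta).

    If the digest does not match, the reviewer cannot limit attention to
    the delta: the whole tree is suspect, and the delta is computed against
    an untrusted base."""
    ok = sha256(orig_tar) == published_digest
    delta = debian_delta(read_tarball(orig_tar), read_tarball(debian_tar))
    return ok, delta


# Constructed sample trees (hypothetical package "foo-1.0").
UPSTREAM_FILES = {
    "foo-1.0/Makefile": b"all:\n\tcc -o foo foo.c\n",
    "foo-1.0/foo.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}
DEBIAN_FILES = dict(UPSTREAM_FILES)
DEBIAN_FILES["foo-1.0/Makefile"] = b"all:\n\tcc -O2 -o foo foo.c\n"
DEBIAN_FILES["foo-1.0/debian/rules"] = b"#!/usr/bin/make -f\n%:\n\tdh $@\n"
TAMPERED_FILES = dict(UPSTREAM_FILES)  # orig tarball swapped on the way in
TAMPERED_FILES["foo-1.0/foo.c"] = b'#include <stdlib.h>\nint main(void){system("/bin/sh");return 0;}\n'

UPSTREAM_TAR = make_tarball(UPSTREAM_FILES)
DEBIAN_TAR = make_tarball(DEBIAN_FILES)
TAMPERED_TAR = make_tarball(TAMPERED_FILES)
# Stand-in for the digest the upstream author would publish (constructed here
# by hashing the constructed upstream tarball).
PUBLISHED_DIGEST = sha256(UPSTREAM_TAR)


def verified_example():
    """Genuine upstream tarball: digest matches, review only the delta."""
    return review(UPSTREAM_TAR, PUBLISHED_DIGEST, DEBIAN_TAR)


def tampered_example():
    """Substituted upstream tarball: digest check fails, delta is untrusted."""
    return review(TAMPERED_TAR, PUBLISHED_DIGEST, DEBIAN_TAR)


if __name__ == "__main__":
    ok, delta = verified_example()
    print("upstream verified:", ok)
    for name, diff in delta.items():
        print(diff, end="")
    print("tampered tarball verified:", tampered_example()[0])
```

The delta is only meaningful when the base it is computed against is the tree upstream actually published; that is why the digest (or, as the message proposes, a signature chain back to the author) has to be checked before anyone reads the diff.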


