
RE: Why should I trust sources?



On 19-Aug-2002 Patrick Wiseman wrote:
> Being interested in setedit, recently recommended in another thread, I
> went to
> 
> http://setedit.sourceforge.net/
> 
> and found the following advice:
> 
> An experimental Debian repository is maintained by Ivan, you can add the
> following to your /etc/apt/sources.list:
>  deb http://setedit.sourceforge.net/debian unstable main
> 
> I did that and then, duh, thought "why am I trusting this site to download
> and install software?"  And then it occurred to me that the whole debian
> philosophy turns on my being that trusting.  (Not that it's unique in
> that.)
> 

Each and every Debian package is gpg signed by its maintainer.  The Packages
file is signed by the ftp admin.  An md5sum of the package is also maintained
and signed.  So you can be paranoid and ensure the packages on your system are
the ones from Debian.

Anything beyond that requires much higher levels of trust.  This sourceforge
apt source may have packages created by someone who knows nothing of Debian's
policies.  Or it might have been improperly compiled.  There are many reasons
not to trust a lone source.  Within Debian we have policies to control what
goes in, how to handle bad uploads, bugs, etc.  This is one of our strong
points over other distributions.

Personally, I do not add any source to my apt list unless I know the maintainer
of the site and of the packages involved.

Shaleh
shaleh@debian.org
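Added example (not part of the thread, and not Debian's or apt's own code): the hash chain Shaleh describes, Release -> Packages -> .deb, followed by hand. The gpg signature on Release is assumed to have been checked already with the archive key; the archive contents below are constructed for the example, not taken from setedit's repository.

```python
import hashlib
import re

def parse_release_hashes(release_text, section="MD5Sum"):
    """Return {path: (digest, size)} from one hash section of a Release file."""
    hashes, active = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field; is it our section?
            active = line.rstrip(":") == section
            continue
        if active:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def parse_packages(packages_text):
    """Return {package_name: fields} from the stanzas of a Packages file."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines())
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_chain(release_text, packages_text, packages_path, pkg, deb_bytes):
    """True only if Packages matches Release and the .deb matches Packages."""
    entry = parse_release_hashes(release_text).get(packages_path)
    if entry is None:
        return False                           # Release does not cover this file
    digest, size = entry
    data = packages_text.encode()
    if len(data) != size or hashlib.md5(data).hexdigest() != digest:
        return False                           # Packages changed after signing
    stanza = parse_packages(packages_text).get(pkg)
    if stanza is None:
        return False
    return (int(stanza["Size"]) == len(deb_bytes)
            and hashlib.md5(deb_bytes).hexdigest() == stanza["MD5sum"])

# Constructed sample archive (not real setedit data): a fake .deb, the Packages
# stanza describing it, and a Release entry covering that Packages file.
DEB = b"!<arch>\nfake .deb contents for the example\n"
PACKAGES = ("Package: setedit\nVersion: 0.0-example\n"
            "Filename: pool/main/s/setedit/setedit_0.0-example_i386.deb\n"
            f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n")
PACKAGES_PATH = "main/binary-i386/Packages"
RELEASE = ("Origin: example\nMD5Sum:\n"
           f" {hashlib.md5(PACKAGES.encode()).hexdigest()} "
           f"{len(PACKAGES.encode())} {PACKAGES_PATH}\n")
```

A third-party apt source that ships no signed Release file gives you nothing to anchor the first link of this chain to, which is the point of the reply above.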


