I've occasionally wondered about upgrading from servers, which may have been conmpromised... What if the package-upgrader had an option to wait a week after downloading to actually perform the upgrade? Then there would be an opportunity to cancel the upgrade in case news of compromise got out. Of course, it would not help against undetected compromises... -- hendrik