Matt Zimmerman <email@example.com> writes:
> Argh, this is a show-stopper I think.
I disagree. It would still be good to offer the users the _ability_
to use only secure sources (for sensitive systems, for instance).
Also, including the security features will allow users to start
transitioning to all secure sources, and give packages distributers
incentive to secure their own sources (especially if apt complains a
bit). We can make this less painful by adding features to tools like
> So there's no real security unless every one of your sources is
This has always been the case. Any package can do anything to your
> These days, systems with unofficial sources in sources.list seem to be more
> common than those without.
There's nothing that says only official sources can be secure :)