Ian Jackson <[EMAIL PROTECTED]> said:
> Bill Mitchell writes ("Re: changes file format "):
> > [...]
> > I also reiterate my suggestion that we stop the practice
> > of maintainers announcing directly (and prematurely)
> > to debian-changes, and have the maintainer announcements
> > uploaded to debian.org along with the other package files, [...]
>
> No, this has even worse security properties than the scheme we have at
> the moment. [...]
I agree that the current situation has security problems. I thought a PGP-based scheme was the pending solution. Anyhow, my point was that the package announcements shouldn't be made directly to the world at large by the package maintainer, and made before it's even been decided whether the announced package will be placed in the distribution, as is currently done. Instead, the announcement should be made when the package is placed in the distribution. This should of course be done consistent with whatever security mechanisms we decide to put in place.

As an aside, I think we should make some decisions about what the security requirements actually are before we start implementing security measures. There are generally tradeoffs between security level and convenience (or lack thereof), and we ought to make those tradeoffs in a reasoned manner.