On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:

> Even if it creates a checksum file, someone could always hand-edit the
> package to add files not listed in the checksum files and we need to
> decide whether that's something that needs to be caught and if yes by
> whom and at what point.

Do you mean a maintainer, who hand-edits a package after it was
built, or do you mean an adversary who has evil intentions? If the
former, then this should just be forbidden. If the latter, then this
can be solved by package signatures.

harry

