> > Greg Stark writes:
> > > We've got to be a little more careful with the Replaces header. I just
> > > installed the libc6 version of comerr, and dpkg helpfully deinstalled
> > > e2fsprogs.
I can see a security problem with this. Let's jump ahead several months, when we have deity working. A user points deity to several sites, some providing a bunch of debs that they have created but don't want to be part of the main distribution. Now they upload a new package, call it libc6-<big version number>, that replaces all kinds of packages, and whatever else they want to do. Most of you will dismiss this as "they deserved what they got" at this point, but I think we should start worrying about these possibilities.

How about prompting the user before deleting a package because it was replaced (of course we need to think about non-interactive installations too). I'd also be interested in some kind of verification, so I can accept all packages put together by some maintainer, and the maintainers on the debian keyring, but no one else.

We have time to think about this, but the sooner the better in my opinion.

Thanks,
Brandon

-----
Brandon Mitchell <[EMAIL PROTECTED]>
PGP: finger -l [EMAIL PROTECTED]
Phone: (757) 221-4847

"We all know linux is great... it does infinite loops in 5 seconds"
  --Linus Torvalds
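As an added illustration of the check proposed in the message above (this is example code, not dpkg's, deity's or the author's), the Python sketch below parses a constructed Packages-style index, works out which installed packages a candidate's Replaces field would remove, and lets that removal go through silently only when the package's signer is in a trusted keyring; otherwise it refuses in non-interactive mode and asks in interactive mode. The Signed-By field, the key ids, the versions and the installed set are all made up for the example, and dpkg's version-constraint comparison is deliberately left out (any installed package named in Replaces counts as a candidate for removal).

```python
"""Policy sketch: gate Replaces-driven removals on who signed the package.

Constructed example, not dpkg or deity code.  The 'Signed-By' field is an
assumption for the sake of the example; the key ids, versions and the
installed-package table are made up.
"""

import re

# Constructed Packages-style index: two stanzas, one from a keyring member,
# one from a third-party site with an absurd version that replaces everything.
PACKAGES_INDEX = """\
Package: comerr
Version: 1.01-1
Replaces: e2fsprogs (<< 1.10)
Signed-By: 0xDEB1AN01

Package: libc6
Version: 9999-1
Replaces: e2fsprogs, comerr, dpkg
Signed-By: 0x0BADF00D
"""

# Constructed view of what is currently installed (name -> version).
INSTALLED = {"e2fsprogs": "1.06-1", "comerr": "1.00-1", "dpkg": "1.4.0.8"}

# Hypothetical set of key ids the local admin trusts (the "debian keyring"
# plus any individual maintainer keys the admin chose to accept).
TRUSTED_KEYS = {"0xDEB1AN01", "0xDEB1AN02"}


def parse_stanzas(text):
    """Split an RFC822-style Packages file into a list of field dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def parse_replaces(field):
    """'e2fsprogs (<< 1.10), comerr' -> [('e2fsprogs', '<< 1.10'), ('comerr', None)]."""
    out = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.match(r"([a-z0-9][a-z0-9+.-]*)\s*(?:\(([^)]*)\))?$", item)
        if not m:
            raise ValueError("bad Replaces entry: %r" % item)
        out.append((m.group(1), m.group(2)))
    return out


def decide(stanza, installed, trusted_keys, interactive, confirm=lambda msg: False):
    """Return (action, removals) for installing `stanza`.

    action is 'install' or 'refuse'; removals lists installed packages the
    Replaces field would take out.  Version constraints are ignored here
    (a simplification: dpkg's version comparison is not reproduced).
    """
    victims = [name for name, _ in parse_replaces(stanza.get("Replaces", ""))
               if name in installed]
    if not victims:
        return "install", []            # nothing gets removed, no question to ask
    if stanza.get("Signed-By") in trusted_keys:
        return "install", victims       # trusted signer: honour Replaces silently
    if not interactive:
        return "refuse", victims        # unattended run: fail closed
    msg = "%s %s would remove %s; signer %s is not trusted. Continue?" % (
        stanza.get("Package"), stanza.get("Version"),
        ", ".join(victims), stanza.get("Signed-By"))
    return ("install" if confirm(msg) else "refuse"), victims


if __name__ == "__main__":
    for s in parse_stanzas(PACKAGES_INDEX):
        print(s["Package"], decide(s, INSTALLED, TRUSTED_KEYS, interactive=False))
```

Run as a script it prints the decision for each stanza in non-interactive mode: the keyring-signed comerr is installed (removing e2fsprogs), the third-party libc6 is refused. Passing `interactive=True` with a `confirm` callback that asks the user is the prompting variant suggested in the message.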