]] Wouter Verhelst

> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.

I've always been a bit unhappy about the idea of using keys to decide which repositories are trusted or not. The signature is there primarily to act as an anti-MITM tool. This is a bit similar (or maybe equivalent) to the difference between authentication and authorization for access control.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are