On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> ]] Wouter Verhelst
>
> > Having said that, I do agree with you that we should not allow just
> > about anyone to create a repository which will be automatically trusted
> > by the whole Debian system. Establishing such a trust chain should,
> > indeed, require some vetting by at least one Debian Developer, so that
> > malicious packages can be rejected, if needs be.
>
> I've always been a bit unhappy about the idea of using keys to decide
> which repositories are trusted or not. The signature is there primarily
> to act as an anti-MITM tool. This is a bit similar (or maybe
> equivalent) to the difference between authentication and authorization
> for access control.

What would you suggest instead?

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26