On Tue, 27 Feb 2001, Peter S Galbraith wrote:
> In fact, make _sure_ you don't allow access to a signed .changes
> file on an unofficial web page because that would allow anybody
> to upload it to Debian. It's signed after all.

Are the Debian upload queues not all password-protected? If they are, then
the only danger is that another developer would upload your packages to the
queue, and that's as much a hanging offense as if they uploaded trojan
packages of their own, so. :)

If they aren't all password-protected, then how can we cryptographically sign
packages which are not suitable for upload into Debian that we want to
distribute from our own sites?

Steve Langasek
postmodern programmer