On Mon, May 12, 2003 at 05:41:40PM -0600, Jack Moffitt wrote:
> Ivo Marino wrote:
> > Of course we can't actually ensure that all uploaded packages on the
> > system are secure, for now we trust the testers of the system but in
> > future we'll introduce higher security standards.
> >
> > If someone can already point out an eventual solution for this problem
> > we'll be open to considering any suggestion in order to improve the system.
>
> Perhaps an easy thing to do would just be to show whether or not a
> package is signed by a key which is signed by a real Debian developer.
> I.e., use the web of trust. Then at least one can be reasonably sure that
> the maintainer is real.

Surely getting that signature is the whole point of the system in the
first place? I'd be half-inclined to make the download
password-protected; anyone can get a valid password just by asking, but
the expectation is that only developers should be downloading the
packages, and this discourages people from shoving it into apt lines.

-- 
Colin Watson [EMAIL PROTECTED]