Ivo Marino wrote:

> On Tue, 13 May 2003, Matthew Palmer wrote:
> > It appears as though anyone who has an account can upload any package they
> > like. While this isn't a pressing problem for sponsors (since they'll be
> > collecting source and checking the signatures on the .dsc), this could be a
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n. What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
>
> If someone can already point out an eventual solution for this problem
> we're open to considering any suggestion in order to improve the system.

If I may make a suggestion, a user should only be able to upload a package
that either:

a) doesn't appear in the repository
-or-
b) already has the uploader as maintainer
-or-
c) has an RFA/O bug filed in WNPP

That should provide a first line of defense against trojan packages.

Just my $0.02. Thanks again for the great service!

Joe Nahmias, DD wannabe
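One way an upload queue could enforce the three-way rule suggested above, as an added example that is not code from this thread or from mentors.debian.net. The repository contents, maintainer addresses and WNPP list are constructed, and matching the uploader to the Maintainer field by e-mail address is an assumption.

```python
import re

# Constructed sample of what the repository already holds: package name ->
# the Maintainer field recorded from the package that is already there.
# The check must use this recorded value, not the Maintainer field of the
# file being uploaded, since the uploader controls the latter.
REPO = {
    "foo": "Alice Example <alice@example.org>",
    "bar": "Bob Example <bob@example.org>",
}

# Constructed sample of packages with an open RFA or O bug in WNPP.
WNPP_RFA_O = {"bar"}

_ADDR = re.compile(r"<([^<>]+)>\s*$")


def maintainer_email(maintainer_field: str) -> str:
    """Extract and normalise the address from a 'Name <email>' field."""
    m = _ADDR.search(maintainer_field.strip())
    return (m.group(1) if m else maintainer_field).strip().lower()


def upload_allowed(package: str, uploader_email: str,
                   repo=REPO, wnpp=WNPP_RFA_O):
    """Return (allowed, reason) for an upload of `package` by `uploader_email`.

    Allowed when (a) the package is not yet in the repository, (b) the
    uploader is its recorded maintainer, or (c) an RFA/O bug is filed.
    """
    if package not in repo:
        return True, "new package, not in repository"
    if maintainer_email(repo[package]) == uploader_email.strip().lower():
        return True, "uploader is the recorded maintainer"
    if package in wnpp:
        return True, "package has an RFA/O bug filed in WNPP"
    return False, "uploader is not the maintainer and no RFA/O bug is filed"


if __name__ == "__main__":
    for pkg, who in [("baz", "carol@example.org"), ("foo", "Alice@Example.org"),
                     ("foo", "carol@example.org"), ("bar", "carol@example.org")]:
        ok, why = upload_allowed(pkg, who)
        print(f"{pkg:4} by {who:20} -> {'ALLOW' if ok else 'DENY '} ({why})")
```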