On 28 Nov 1997, Rob Browning wrote:

[snip]

> This situation makes me think we might eventually want a database
> which can be used to list "problem" packages. dpkg would refuse to
> install any package whose name glob-matched a line in the database
> unless the user uses something like --force-problem-packages. We
> could then just list IE there:
>
> # /etc/dpkg/problem-packages
> # Package-name Version
>
> internet-explorer* *

I think such a "blacklist" goes too far (cf. the current discussion on debian-private about "censored" packages). I don't think we should maintain such a list.

However, we should probably implement something like the "Origin:" field. With that, dpkg could keep a list of vendors from which packages have already been installed on the system. If one tries to install a package from an unknown vendor (i.e., someone from whom no packages have been installed already), dpkg should issue a warning before performing the installation.

Ideally, all packages would be digitally signed by PGP. One could have a public keyring on each system and dpkg would actually check the origin _and_ the PGP signature of the packages to be installed. This would even avoid the case of someone faking the "Origin" field.

Thanks,

Chris

--
Christian Schwarz
PGP-fp: 8F 61 EB 6D CF 23 CA D7 34 05 14 5C C8 DC 22 BA
http://fatman.mathematik.tu-muenchen.de/~schwarz/
"DIE ENTE BLEIBT DRAUSSEN!"
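
The two checks proposed in the message above, as an added sketch that is not dpkg code and not part of the original post: a warning on the first package from an unseen vendor, and rejection when the verified signer does not match the claimed "Origin:". The function names, the vendor-to-fingerprint keyring and all sample values are hypothetical; signature verification itself is assumed to be done by an external tool that reports the signer's fingerprint.

```python
# Added illustration; not dpkg code. Vendor names and fingerprints are constructed.
KEYRING = {  # vendor -> fingerprint of the key allowed to sign for that vendor
    "Debian": "AAAA1111BBBB2222CCCC3333DDDD4444",
    "Example Vendor": "EEEE5555FFFF6666AAAA7777BBBB8888",
}

def parse_control(text):
    """Parse one control stanza ("Field: value", indented continuation lines)."""
    fields, last = {}, None
    for line in text.strip("\n").splitlines():
        if not line.strip():
            break                                # blank line ends the stanza
        if line[0] in " \t":
            if last:
                fields[last] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            fields[last] = value.strip()
    return fields

def check_package(control_text, seen_vendors, signer_fpr=None, keyring=None):
    """Decide whether to install silently, warn, or refuse.

    signer_fpr: fingerprint of the key whose signature on the package verified,
    or None. Verification itself is assumed to be done by an external tool.
    keyring: None means Origin-only mode (no signature check)."""
    origin = parse_control(control_text).get("origin")
    if not origin:
        return "warn: no Origin field"
    if keyring is not None:
        # The Origin claim only counts if the verified signer is that vendor's key.
        if signer_fpr is None or keyring.get(origin) != signer_fpr:
            return "reject: signature does not match claimed Origin"
    if origin not in seen_vendors:
        return "warn: first package from this vendor"
    return "ok"

# Constructed control stanza claiming to come from a vendor already on the system.
SAMPLE = """Package: foo
Version: 1.0
Origin: Debian
Description: sample package
 longer description line
"""

if __name__ == "__main__":
    seen = {"Debian"}
    print(check_package(SAMPLE, seen))                                      # Origin-only
    print(check_package(SAMPLE, seen, KEYRING["Example Vendor"], KEYRING))  # forged Origin
    print(check_package(SAMPLE, seen, KEYRING["Debian"], KEYRING))          # genuine
```

In Origin-only mode the stanza is accepted on its own claim, which is the faking case the message mentions; binding the claim to the verified signer's key is what closes it.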