On Wed, Feb 21, 2001 at 10:54:38PM +0100, Christian Hammers wrote:
> You forgot to tell about security. More and more people are concerned about
> trojans in automatically downloaded packages. I know that there's no really
> good solution as in the end it is all software from different authors but
> we must at least do a bit more for security. Proposals are e.g.
> * APT could automatically check signatures on downloaded sources
> * APT could automatically check signatures on packages which the maintainer
>   has self built.
> * A task force could check the diffs and md5sum check the .orig.tar.gz's for
>   malicious code - yeah, I know it's easy to hide but we normally don't have
>   that much source code changes outside the /debian dir.
> * something. At least make the users aware how much or less the security they
>   get from RedHat's signed packages really is for them.
> * More people for the security fix team.
As Ben Collins pointed out, most of this is already underway. I was aware of it because John Goerzen has been working on it, and John and I work for the same company, and were officemates at the time he wrote his white paper on package signatures. Aside from seeing if we can swell the ranks of the security team, I think your other concerns are being addressed by some hardworking people already. I'm inclined to give them some time to bring their work to fruition before I identify it in my platform as an issue that is being inadequately addressed.

-- 
G. Branden Robinson             | Men use thought only to justify their
Debian GNU/Linux                | wrong doings, and speech only to conceal
[EMAIL PROTECTED]               | their thoughts.
http://www.debian.org/~branden/ |     -- Voltaire