On Mon, 23 Aug 2004 14:46, Bron Gondwana <[EMAIL PROTECTED]> wrote:
> > Removing developers who don't meet certain criteria (e.g. no package
> > uploads for 6 months) from active status makes a lot of sense. Anyone
> > care to propose a GR?
>
> This doesn't work. The problem is basically:
>
> a) what about a package which they uploaded while valid, more than 6 months
> ago, that someone wants to download and install now.

That package doesn't matter; if they don't have active status then the Debian
server machines won't accept it.

> b) if by date, what's to stop someone backdating a package and falsifying a
> mirror/proxy with a copy of their package. The signature will still
> check out.

Because they can't go back in time and get the Debian server to accept the
package.

> If you wanted to implement this the only safe way to do it and have the
> original packages by ex-developers still installable is to have a central
> daemon check the signature and co-sign the fact that they checked the
> signature at a certain date (upload date) and that it was valid as of that
> time.

Isn't the entire point of apt security extensions to make sure that the
packages can only be accepted if they come from the Debian server, not another
server that impersonates it?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
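The co-signing daemon Bron describes, and the backdating objection in his case (b), modelled in Python as an added example (this is not code from the thread or from Debian's archive tooling). HMAC with constructed keys stands in for OpenPGP signatures, and the "alice" key, its retirement date, the upload dates and the package bytes are all made up.

```python
import hashlib, hmac
from datetime import date

# Constructed keys. HMAC stands in for real OpenPGP signatures, so this toy
# verifier also holds ARCHIVE_KEY; a real client would hold only the archive's
# public key.
DEVELOPER_KEYS = {"alice": {"key": b"alice-secret", "active_until": "2004-06-30"}}
ARCHIVE_KEY = b"archive-secret"

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def still_active(dev, on_date):
    return date.fromisoformat(on_date) <= date.fromisoformat(DEVELOPER_KEYS[dev]["active_until"])

def archive_accept(dev, package, dev_sig, today):
    """Central daemon: refuse keys that are not active today, otherwise countersign
    (developer, package digest, upload date) with the archive key."""
    if dev not in DEVELOPER_KEYS or not still_active(dev, today):
        return None  # retired key: the archive never accepts the upload
    if not hmac.compare_digest(dev_sig, sign(DEVELOPER_KEYS[dev]["key"], package)):
        return None
    stamp = f"{dev}|{hashlib.sha256(package).hexdigest()}|{today}"
    return {"stamp": stamp, "sig": sign(ARCHIVE_KEY, stamp.encode())}

def client_verify(dev, package, dev_sig, countersig):
    """Client: trust only what the archive countersigned, and judge the developer
    key as of the recorded upload date rather than today."""
    if countersig is None:
        return False
    stamp = countersig["stamp"]
    if not hmac.compare_digest(countersig["sig"], sign(ARCHIVE_KEY, stamp.encode())):
        return False  # forged or altered countersignature, e.g. from a fake mirror
    s_dev, s_digest, s_date = stamp.split("|")
    if s_dev != dev or s_digest != hashlib.sha256(package).hexdigest():
        return False
    if dev not in DEVELOPER_KEYS or not still_active(dev, s_date):
        return False
    return hmac.compare_digest(dev_sig, sign(DEVELOPER_KEYS[dev]["key"], package))

PKG = b"constructed package bytes"
SIG = sign(DEVELOPER_KEYS["alice"]["key"], PKG)

def legitimate_upload():  # uploaded while active, installed after retirement
    return client_verify("alice", PKG, SIG, archive_accept("alice", PKG, SIG, "2004-05-01"))

def backdated_upload():  # case (b): signature checks out, but the archive is asked after retirement
    return client_verify("alice", PKG, SIG, archive_accept("alice", PKG, SIG, "2004-08-23"))

def altered_mirror():  # a mirror rewrites the recorded upload date on a real countersignature
    real = archive_accept("alice", PKG, SIG, "2004-05-01")
    return client_verify("alice", PKG, SIG, {"stamp": real["stamp"].replace("05-01", "01-01"), "sig": real["sig"]})
```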