> they get one and only one chance to do something that stupid.
So the answer is that we have no way of preventing a developer from
intentionally sabotaging a package in any / as many ways as they choose and
the only risk to them is losing their uploader access after the fact?
>the response is sw
On Mon, May 23, 2022 at 7:59 PM Adam McKenna wrote:
> You are talking about a deterrent though. I think the question is,
> what if someone cares more about their political cause than
> retaining their uploader access?
they get one and only one chance to do something that stupid.
> What if someo
> anyone stupid enough to abuse their position may only do so once, at
> which point their GPG key is revoked.
You are talking about a deterrent though. I think the question is, what if
someone cares more about their political cause than retaining their
uploader access?
What if someone's keys are
> i believe the answer is in the question. debian is based on distributed
> trust. i did the analysis (took 3 weeks): it is literally the only distro
> in the world with an inviolate chain of trust from a large keyring dating
> back 20 years that is itself GPG-signed as a package, with a package
> distrib