| 1 |
On Thu, Jun 06, 2002 at 08:56:30PM +0200, Alexander Holler wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> what do you think about signing the ebuilds and digests with gpg? |
| 5 |
> |
| 6 |
> That would make it harder for blackhats to introduce a worm or something |
| 7 |
> similiar (if they have got access to an rsync mirror). |
| 8 |
> |
| 9 |
> My idea is to automatically sign the released ebuilds (before mirroring |
| 10 |
> them) with a key of gentoo.org. |
| 11 |
> |
| 12 |
> Then emerge could check the sign and could discard wrong ebuilds or just |
| 13 |
> throws a warning (preferable customized with make.conf). |
| 14 |
> |
| 15 |
> Just my 2 cents. ;) |
| 16 |
> |
| 17 |
> |
| 18 |
> Alexander |
| 19 |
> |
| 20 |
> _______________________________________________ |
| 21 |
> gentoo-dev mailing list |
| 22 |
> gentoo-dev@g.o |
| 23 |
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 24 |
|
| 25 |
The goal is to have packages that are of high quality. |
| 26 |
|
| 27 |
One solution is to only allow one or a small number of trusted people to |
| 28 |
change the packages. Development is slow and it is safe from trouble |
| 29 |
makers. Debian uses this solution. |
| 30 |
|
| 31 |
Another solution is to let anyone submit and change packages. |
| 32 |
Development is fast but it is not safe from trouble makers. |
| 33 |
|
| 34 |
My solution is to allow anyone to submit changes but also have a rating |
| 35 |
system in place to gauge the trust people should place on a package. |
| 36 |
Development is fast and is safe from trouble makers. |
| 37 |
|
| 38 |
Of course my solution is not clear cut. There are many possible ways to |
| 39 |
measure the trust people should place on a package. If it is brand new |
| 40 |
it should not be trusted. If it has been used by many people and they |
| 41 |
think it is trustworthy than it can be trusted. If the changes were made |
| 42 |
by a trusted developer than it can be trusted. etc... |
| 43 |
|
| 44 |
I have used Debian for a long time and I would hate to see Gentoo become |
| 45 |
plagued with the same problems they have. |
| 46 |
|
| 47 |
-- |
| 48 |
Jeremiah Mahler |
| 49 |
<jmahler@×××××××.net> |
Archives