On Thu, Jun 06, 2002 at 08:56:30PM +0200, Alexander Holler wrote:
> Hello,
>
> what do you think about signing the ebuilds and digests with gpg?
>
> That would make it harder for blackhats to introduce a worm or something
> similar (if they have got access to an rsync mirror).
>
> My idea is to automatically sign the released ebuilds (before mirroring
> them) with a key of gentoo.org.
>
> Then emerge could check the sign and could discard wrong ebuilds or just
> throw a warning (preferably customized with make.conf).
>
> Just my 2 cents. ;)
>
>
> Alexander
>
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@g.o
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev
|
The goal is to have packages that are of high quality.

One solution is to only allow one or a small number of trusted people to
change the packages. Development is slow and it is safe from trouble
makers. Debian uses this solution.

Another solution is to let anyone submit and change packages.
Development is fast but it is not safe from trouble makers.

My solution is to allow anyone to submit changes but also have a rating
system in place to gauge the trust people should place on a package.
Development is fast and is safe from trouble makers.

Of course my solution is not clear cut. There are many possible ways to
measure the trust people should place on a package. If it is brand new
it should not be trusted. If it has been used by many people and they
think it is trustworthy then it can be trusted. If the changes were made
by a trusted developer then it can be trusted. etc...

I have used Debian for a long time and I would hate to see Gentoo become
plagued with the same problems they have.

--
Jeremiah Mahler
<jmahler@×××××××.net>