On 01/08/04 10:56:43, Paul de Vrieze wrote:
> On Thursday 08 January 2004 08:12, John Nilsson wrote:
> > > Uh, how silly. Either you trust someone with the whole tree or you
> > > don't trust them at all.
> >
> > Why not build something around a "web of trust" with pgp signatures?
> > Have an open tree where people could submit anything that passed
> > autotests. All submissions would be signed. Signed content could only
> > get updated by a user with the same signature or a dev with higher trust for
> > that area.
>
> This does not help at all for initial submissions. It allows anyone who
> knows how to create a pgp key to get something in the tree. However, if
> you make some nuances to this idea, I think it could be workable.

This was kind of the idea... In the future I would like a system where any
developer can publish their project as an ebuild, just as one would put an rpm
or install script on the web today.

Point being that some submissions would be screened by core devs and signed
by them. Some trusted signs would be signed by core devs. When the
infrastructure is up, the decision to trust an ebuild is entirely up to the
sys-admin: latest and greatest with a serious security risk, or only ebuilds
trusted by core devs.

I also see the portage tree evolving from a big hunk of files mirrored all
over the place, into a web in its own right.

/John
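The trust rules sketched in this thread (open submission gated by autotests, updates only by the same signer or a higher-trust dev for that area, core counter-signing, and a sysadmin-chosen threshold), written out as an added, constructed Python model that is not portage code and comes from neither poster. Trust ranks, key ids and the autotest flag are assumptions; real PGP verification is assumed to have happened before these checks run.

```python
# Constructed model of the thread's trust policy; not Gentoo/portage code.
# Signatures are represented by key ids only: PGP verification is assumed
# to have succeeded before any of these checks are consulted.
from typing import Dict, Tuple

UNTRUSTED, TRUSTED, CORE = 0, 1, 2   # trust ranks assumed for the example


class OpenTree:
    """Ebuilds keyed by name; value is (area, signer_key, counter_signed_by_core)."""

    def __init__(self, trust: Dict[str, Dict[str, int]]):
        self.trust = trust            # trust[area][key_id] -> rank; absent = UNTRUSTED
        self.ebuilds: Dict[str, Tuple[str, str, bool]] = {}

    def rank(self, key_id: str, area: str) -> int:
        return self.trust.get(area, {}).get(key_id, UNTRUSTED)

    def submit(self, name: str, area: str, signer: str, passed_autotests: bool) -> bool:
        """Initial submission: open to any key, gated only by the autotests."""
        if not passed_autotests or name in self.ebuilds:
            return False
        self.ebuilds[name] = (area, signer, False)
        return True

    def update(self, name: str, signer: str) -> bool:
        """Allowed for the current signer, or a key ranked strictly higher in that area."""
        if name not in self.ebuilds:
            return False
        area, current, _ = self.ebuilds[name]
        if signer != current and self.rank(signer, area) <= self.rank(current, area):
            return False
        # A new revision carries a new signature; a core counter-signature made on
        # the old revision no longer applies until a core dev screens this one.
        self.ebuilds[name] = (area, signer, False)
        return True

    def core_sign(self, name: str, core_key: str) -> bool:
        """Core dev screens the current revision and counter-signs it."""
        area, signer, _ = self.ebuilds[name]
        if self.rank(core_key, area) != CORE:
            return False
        self.ebuilds[name] = (area, signer, True)
        return True

    def effective_trust(self, name: str) -> int:
        """What the sysadmin policy sees: core screening beats the submitter's own rank."""
        area, signer, core_signed = self.ebuilds[name]
        return CORE if core_signed else self.rank(signer, area)


def installable(tree: OpenTree, name: str, min_rank: int) -> bool:
    """Sysadmin choice: min_rank=UNTRUSTED is 'latest and greatest', CORE is 'core only'."""
    return tree.effective_trust(name) >= min_rank
```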