[maemo-developers] Maemo extras repository package uploader/maintainer verification?
From: Eero Tamminen eero.tamminen at nokia.com
Date: Fri Jan 22 19:08:50 EET 2010
- Previous message: Maemo extras repository package uploader/maintainer verification?
- Next message: Maemo extras repository package uploader/maintainer verification?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,

ext Marcin Juszkiewicz wrote:
> On Friday, 22 January 2010 at 14:03:18 Andrew Flegg wrote:
>> On Fri, Jan 22, 2010 at 12:59, Simon Pickering <S.G.Pickering at bath.ac.uk> wrote:
>>> I'd suggest that the autobuilder checks to see that the uploader's email
>>> address is included in one of the *Maintainer fields; but there is the
>>> slight problem of what happens when someone is uploading someone else's
>>> package (e.g. as a favour when they are away from a build machine)?
>> There's also packages which are maintained by a team but uploaded by
>> an individual.

There must be somebody who is responsible for the uploaded package and some way to contact him. The uploader must have somehow verified that the package isn't e.g. malicious (even if it's just taken from a trusted source). If it's a team, they might even share the ssh key. But I think it would be better to have some configuration thing where the Maintainer can grant upload rights for his package to others he trusts.

Let's take the hypothetical case of there being a malicious Garage developer, and somebody finds that e.g. his funny fart app is actually a trojan. How can we identify and check what else that person has uploaded to the Maemo repos? After users have been notified about the issue, how can they check whether the specific version of a foobar application they've downloaded from extras wasn't actually uploaded by this suspicious person?

The maintainer field gives users some trust: "Oh, this app is from the same maintainer / uploader as all these other nice apps, so I can trust it". If the maintainer field isn't validated in any way, this trust is misplaced.

> Sure, but iirc Debian handles it by having Maintainer and Uploaders fields.

Sounds like a good idea. I think the Maintainer field should still be checked, as that's what's presented to users, not the Uploaders field.
> From my point of view Maemo packages should have the Maintainer field changed even
> when there are no changes in the Debian package (other than recompilation).
>
> Why? Simple - how can the original maintainer maintain a package on a platform unknown
> to him? On a system which is not Debian even...

Agree 100%.

- Eero
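As an added illustration of the checks discussed in this thread (not code from the Maemo autobuilder or from any of the posters), the script below parses the Maintainer and Uploaders fields of a control block, accepts an upload when the uploader's address is in either field or in a hypothetical per-package delegation list (the "maintainer grants upload rights" idea), and answers the incident question: given an upload log, what did a given identity upload, and which installed package versions on a device came from that identity. The control block, the ACL dict and the upload log records are constructed sample data, not real Maemo packages or people.

```python
"""Uploader/maintainer verification for an extras-style autobuilder (added example)."""
import email.utils


def parse_control(text):
    """Parse a minimal RFC 822 style control block into {field: value}.
    Continuation lines (leading whitespace) are folded into the previous field."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current:
            fields[current] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    return fields


def addresses(field_value):
    """Lowercased e-mail addresses from a comma-separated 'Name <addr>' list."""
    return {addr.lower() for _, addr in email.utils.getaddresses([field_value]) if addr}


def check_upload(control_text, uploader_email, acl):
    """Return (accepted, reason) for an upload of this package by uploader_email.

    Accepted if the address is the Maintainer, is listed in Uploaders, or has been
    delegated upload rights for this Source in acl (hypothetical: {source: {addr, ...}})."""
    fields = parse_control(control_text)
    source = fields.get("Source", "")
    uploader = uploader_email.lower()
    if uploader in addresses(fields.get("Maintainer", "")):
        return True, "maintainer"
    if uploader in addresses(fields.get("Uploaders", "")):
        return True, "listed in Uploaders"
    if uploader in {a.lower() for a in acl.get(source, ())}:
        return True, "delegated by maintainer"
    return False, "uploader %s not in Maintainer/Uploaders or ACL for %s" % (uploader, source)


def uploads_by(log, uploader_email):
    """All (package, version) pairs a given identity has uploaded, from the log."""
    u = uploader_email.lower()
    return sorted((r["package"], r["version"]) for r in log if r["uploader"].lower() == u)


def suspicious_installed(installed, log, uploader_email):
    """Installed packages (package -> version) whose exact version came from uploader_email."""
    bad = set(uploads_by(log, uploader_email))
    return sorted(p for p, v in installed.items() if (p, v) in bad)


# Constructed sample control block (not a real package).
CONTROL = """\
Source: foobar
Maintainer: Alice Example <alice@example.org>
Uploaders: Bob Builder <bob@example.org>,
 Carol Team <carol@example.org>
"""

# Hypothetical delegation list: maintainer of foobar has granted dave upload rights.
ACL = {"foobar": {"dave@example.org"}}

# Constructed upload log records (not real Maemo data).
UPLOAD_LOG = [
    {"package": "fartapp", "version": "1.0-1", "uploader": "mallory@example.org"},
    {"package": "foobar", "version": "2.3-1", "uploader": "alice@example.org"},
    {"package": "foobar", "version": "2.3-2", "uploader": "mallory@example.org"},
]

if __name__ == "__main__":
    for who in ("alice@example.org", "carol@example.org", "dave@example.org", "mallory@example.org"):
        print(who, check_upload(CONTROL, who, ACL))
    print("mallory uploaded:", uploads_by(UPLOAD_LOG, "mallory@example.org"))
    device = {"foobar": "2.3-2", "fartapp": "1.0-1", "other": "1.0"}
    print("affected on device:", suspicious_installed(device, UPLOAD_LOG, "mallory@example.org"))
```

The check keys on the source package from the control block, so a delegation for foobar does not let the same person upload an unrelated package; the log lookup matches on exact version, which is what a user needs after an advisory, since an older version of the same package uploaded by the real maintainer is not implicated.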