[maemo-developers] Maemo extras repository package uploader/maintainer verification?

From: Eero Tamminen eero.tamminen at nokia.com
Date: Fri Jan 22 19:08:50 EET 2010 
Hi,

ext Marcin Juszkiewicz wrote:
> Dnia piątek, 22 stycznia 2010 o 14:03:18 Andrew Flegg napisał(a):
>> On Fri, Jan 22, 2010 at 12:59, Simon Pickering <S.G.Pickering at bath.ac.uk> 
> wrote:
>>> I'd suggest that the autobuilder checks to see that the uploader's email
>>> address is included in one of the *Maintainer fields; but there is the
>>> slight problem of what happens when someone is uploading someone else's
>>> package (e.g. as a favour when they are away from a build machine)?
>> There's also packages which are maintained by a team but uploaded by
>> an individual.

There must be somebody who is responsible for the uploaded package and
some way to contact him.  The uploader must have somehow verified that
the package isn't e.g. malicious (even if it's just taken from a trusted
source).

If it's a team, they might even share the ssh-key.  But I think it would
be better to have some configuration thing where Maintainer can grant
upload rights for his package to others he trusts.


Let's take the hypothetical case of there being a malicious Garage
developer and somebody finds that e.g. his funny fart app is actually
a trojan.  How we can identify and check what else that person has
uploaded to Maemo repos?  After there's notification about the issue
to users, how they can check whether the specific version of a foobar
applications they've downloaded from the extras isn't actually uploaded
by this suspicious person?

The maintainer field gives users some trust: "Oh, this app is
from the same maintainer / uploader as all these other nice apps, so
I can trust it".  If the maintainer field isn't validated in anyway,
this trust is misplaced.


> Sure, but iirc Debian handles it by having Maintainer and Uploaders fields. 

Sounds a good idea.  I think maintainer fields should still be checked
as that's what's presented to users, not Uploader field.


> From my point of view Maemo packages should have Maintainer field changed even 
> when there is no changes in Debian package (other then recompilation).
> 
> Why? Simple - how original maintainer can maintain package on platform unknown 
> to him? On system which is not Debian even...

Agree 100%.


	- Eero
More information about the maemo-developers mailing list