[maemo-developers] Maemo extras repository package uploader/maintainer verification?
From: Anderson Lizardo anderson.lizardo at openbossa.org
Date: Fri Jan 22 20:11:23 EET 2010
On Fri, Jan 22, 2010 at 1:08 PM, Eero Tamminen <eero.tamminen at nokia.com> wrote:
> There must be somebody who is responsible for the uploaded package and
> some way to contact him. The uploader must have somehow verified that
> the package isn't e.g. malicious (even if it's just taken from a trusted
> source).
>
> If it's a team, they might even share the ssh-key. But I think it would
> be better to have some configuration thing where Maintainer can grant
> upload rights for his package to others he trusts.
> [snip]

I (personally) think that the Maintainer field doesn't need to match a valid user in garage, but I also think that we should have an obligatory PGP signing (authenticated by the autobuilder), which can then be shared by members of a team (for team maintained packages).

The e-mail itself is IMHO only a small percent of what can be manipulated on a package... Ok we have md5 sums, but PGP gives both integrity and authorship guarantees, and any rebuilds by third parties (intentional or not) will invalidate the PGP signature.

My two cents,

--
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil
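An added example, not part of the thread, illustrating the md5sum-versus-signature point above: a repository that only checks the md5sum list shipped with an upload accepts any rebuild whose rebuilder simply regenerates that list, whereas a signature over the list cannot be regenerated without the maintainer's key. Ed25519 from Go's standard library stands in for OpenPGP signing (an assumption, since the standard library has no OpenPGP), and the file names and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest models the md5sum list an uploader ships with a package
// (in the spirit of a .changes file): one "md5 filename" line per file.
func Manifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := md5.Sum(files[n])
		fmt.Fprintf(&b, "%s %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// Md5Only is all a repository that checks only md5sums can verify:
// the files match whatever manifest arrived with them, nothing more.
func Md5Only(manifest string, files map[string][]byte) bool {
	return manifest == Manifest(files)
}

// Signed additionally requires a valid maintainer signature over the manifest,
// which ties the md5sums to an identity (authorship, not just integrity).
func Signed(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) bool {
	return Md5Only(manifest, files) && ed25519.Verify(pub, []byte(manifest), sig)
}

// Scenario: the maintainer signs an upload, then a third party rebuilds the
// .deb and refreshes the md5sum list. Returns whether the md5-only check and
// the signature check, respectively, accept the rebuild.
func Scenario() (md5Accepts, sigAccepts bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil rand uses crypto/rand
	upload := map[string][]byte{"hello_1.0_armel.deb": []byte("original build")} // constructed
	sig := ed25519.Sign(priv, []byte(Manifest(upload)))
	rebuilt := map[string][]byte{"hello_1.0_armel.deb": []byte("rebuilt elsewhere")} // constructed
	newManifest := Manifest(rebuilt) // the rebuilder can always regenerate md5sums
	return Md5Only(newManifest, rebuilt), Signed(pub, newManifest, sig, rebuilt)
}
```

The original upload still passes `Signed` with the maintainer's signature; only the rebuild, whose manifest the signature never covered, is rejected.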