[maemo-developers] Maemo extras repository package uploader/maintainer verification?

From: Anderson Lizardo anderson.lizardo at openbossa.org
Date: Fri Jan 22 20:11:23 EET 2010

On Fri, Jan 22, 2010 at 1:08 PM, Eero Tamminen <eero.tamminen at nokia.com> wrote:
> There must be somebody who is responsible for the uploaded package and
> some way to contact him.  The uploader must have somehow verified that
> the package isn't e.g. malicious (even if it's just taken from a trusted
> source).
>
> If it's a team, they might even share the ssh-key.  But I think it would
> be better to have some configuration thing where Maintainer can grant
> upload rights for his package to others he trusts.
> [snip]

I (personally) think that the Maintainer field doesn't need to match a
valid user in garage, but I also think that we should have an
obligatory PGP signing (authenticated by the autobuilder), which can
then be shared by members of a team (for team maintained packages).

The e-mail itself is IMHO only a small percent of what can be
manipulated on a package... OK, we have md5 sums, but PGP gives both
integrity and authorship guarantees, and any rebuilds by third parties
(intentional or not) will invalidate the PGP signature.

My two cents,
-- 
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil
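
The md5-versus-signature point in the message above, as an added example that is not part of the original post: whoever rebuilds a package can regenerate its checksums, but cannot regenerate a signature over them without the uploader's private key. Assumptions: a toy textbook-RSA key stands in for the uploader's PGP key, and the file name, package bytes and simplified checksum line are constructed.

```python
import hashlib

# Toy RSA key built from two Mersenne primes: a constructed stand-in for the
# uploader's PGP key. Textbook RSA without padding, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the uploader


def manifest_for(name: str, package: bytes) -> bytes:
    """Checksum line loosely modelled on a Debian .changes entry (simplified)."""
    return f"{hashlib.md5(package).hexdigest()} {len(package)} {name}\n".encode()


def _digest(manifest: bytes) -> int:
    return int.from_bytes(hashlib.sha256(manifest).digest(), "big")


def sign(manifest: bytes) -> int:
    """Uploader side: sign the checksum manifest with the private key."""
    return pow(_digest(manifest), D, N)


def check(name: str, package: bytes, manifest: bytes, signature: int):
    """Verifier side: return (checksum_ok, signature_ok) using only public data."""
    checksum_ok = manifest == manifest_for(name, package)
    signature_ok = pow(signature, E, N) == _digest(manifest)
    return checksum_ok, signature_ok


def scenarios():
    name = "hello_1.0-1_armel.deb"           # constructed file name
    original = b"constructed package bytes"  # stands in for the .deb contents
    manifest = manifest_for(name, original)
    sig = sign(manifest)
    rebuilt = original + b" (rebuilt by a third party)"
    return {
        "as uploaded": check(name, original, manifest, sig),
        "rebuilt, old checksums": check(name, rebuilt, manifest, sig),
        "rebuilt, checksums regenerated": check(
            name, rebuilt, manifest_for(name, rebuilt), sig),
    }


if __name__ == "__main__":
    for case, (checksum_ok, signature_ok) in scenarios().items():
        print(f"{case:32} checksum_ok={checksum_ok} signature_ok={signature_ok}")
```

The third case is the one the checksum alone misses: the regenerated md5 line matches the rebuilt package, and only the signature check fails.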