[maemo-developers] Maemo extras repository package uploader/maintainer verification?

From: Anderson Lizardo anderson.lizardo at openbossa.org
Date: Fri Jan 22 20:11:23 EET 2010
On Fri, Jan 22, 2010 at 1:08 PM, Eero Tamminen <eero.tamminen at nokia.com> wrote:
> There must be somebody who is responsible for the uploaded package and
> some way to contact him.  The uploader must have somehow verified that
> the package isn't e.g. malicious (even if it's just taken from a trusted
> source).
> If it's a team, they might even share the ssh-key.  But I think it would
> be better to have some configuration thing where Maintainer can grant
> upload rights for his package to others he trusts.
> [snip]

I (personally) think that the Maintainer field doesn't need to match a
valid user in garage, but I also think that we should have a
obligatory PGP signing (authenticated by the autobuilder), which can
then be shared by members of a team (for team maintained packages).

The e-mail itself is IMHO only a small percent of what can be
manipulated on a package... Ok we have md5 sums, but PGP gives both
integrity and authorship guarantees, and any rebuilds by third parties
(intentional or not) will invalidate the PGP signature.

My two cents,
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil
More information about the maemo-developers mailing list