This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



RE: Package review status


On Wed, 2002-09-25 at 20:36, Chris January wrote:
> > > *Updated* packages are trusted by default.  They can be uploaded w/o
> > > review.
> 
> Not being funny, but this probably shouldn't be the case. I could easily
> spoof some mail headers and get a compromised binary uploaded. I think there
> should probably be a more thorough review process than there is for new
> packages as well. For example, when I posted the procps packages, did anyone
> check the binaries matched with the source code I posted? Did anyone check
> that the source code without the Cygwin-specific patch matched the canonical
> version? It only takes one mischievous person to ruin Cygwin's reputation.
> Sorry to be the harbinger of doom and gloom, but I do agree with what
> others have been saying that there has to be a mechanism to trust packagers.

Right, well I'll happily generate checksums of what I download, and
if the poster to here posts the expected checksums, in a gpg signed
message, then we can be fairly sure that whoever sent the email
created the package files.

Generating trust in a specific GPG signature takes time or a web of
trust, and is a related-but-separate discussion. I think that my GPG key
is well associated with me by now :] (Either that, or a very persistent
mimic :};}). One way would be for maintainers to follow a similar
approach and consistently sign their emails. YMMV.

Rob

Attachment: signature.asc
Description: This is a digitally signed message part
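The procedure Rob describes, as an added example that is not part of the original thread or of any Cygwin tooling: a Python script that reads the checksum lines out of a maintainer's GPG clearsigned mail, ignoring anything outside the signed region, and compares them with the package files actually downloaded. File names, manifest layout and sample bytes are constructed; `signature_is_valid` assumes a `gpg` binary on PATH and reads its `--status-fd` output.

```python
import hashlib, re, subprocess, tempfile
from pathlib import Path
# '<sha256 hex>  <file>' as sha256sum prints it; an optional '*' marks binary mode.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")

def signature_is_valid(clearsigned_path):
    """True if gpg reports VALIDSIG; whether that key is the maintainer's is the web-of-trust question."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(clearsigned_path)],
                          capture_output=True, text=True)
    return any(l.startswith("[GNUPG:] VALIDSIG") for l in proc.stdout.splitlines())

def parse_manifest(text):
    """Read checksum lines only from the signed body (after the clearsign header, before the armour)."""
    in_body, digests = False, {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                      # anything after this is not covered by the signature
        if not in_body:
            in_body = line.strip() == ""   # blank line terminates the 'Hash:' header block
            continue
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests

def check_files(digests, directory):
    """Return {file: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    result = {}
    for name, expected in digests.items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "MISSING"
        else:
            result[name] = "ok" if hashlib.sha256(path.read_bytes()).hexdigest() == expected else "MISMATCH"
    return result

def demo():
    """Constructed scenario, hypothetical names: one intact file, one altered, one never uploaded."""
    tmp = Path(tempfile.mkdtemp())
    good = b"intact package bytes"
    (tmp / "procps-example-1.tar.bz2").write_bytes(good)
    (tmp / "procps-example-1-src.tar.bz2").write_bytes(b"not the announced bytes")
    body = "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
        f"{hashlib.sha256(good).hexdigest()}  procps-example-1.tar.bz2",
        f"{hashlib.sha256(b'announced source').hexdigest()}  procps-example-1-src.tar.bz2",
        f"{'0' * 64}  procps-example-1.README",
        "-----BEGIN PGP SIGNATURE-----", "(signature block omitted)", "-----END PGP SIGNATURE-----"])
    return check_files(parse_manifest(body), tmp)
```

Run `signature_is_valid` on the saved mail first and only then trust `parse_manifest`; a good checksum match against an unsigned or badly signed manifest proves nothing.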

