Steve Greenland wrote:
> I think the key difference is that if someone screws with the BTS or
> the Debian web site, it's not going to do *me* any harm during the time
> it takes to discover and undo the damage. If someone installs a bad or
> malicious libc6 in the archive, a buncha people could get seriously
> screwed.

Yes, but we have nothing in place right now to prevent anyone installing a bad or malicious package into the archive. Upgrades to packages that already exist are already installed automatically -- as far as I know this applies to NMUs as well; any developer can slip a bad or malicious package in and it will not be caught until it hits the mirrors. So I think your concern is orthogonal to what I am proposing.

--
see shy jo