On Tue, 27 Feb 2001, Peter S Galbraith wrote:

> In fact, make _sure_ you don't allow access to a signed .changes
> file on an unofficial web page because that would allow anybody
> to upload it to Debian. It's signed after all.

Are the Debian upload queues not all password-protected? If they are, then the only danger is that another developer would upload your packages to the queue, and that's as much a hanging offense as if they uploaded trojan packages of their own, so. :)

If they aren't all password-protected, then how can we cryptographically sign packages which are not suitable for upload into Debian that we want to distribute from our own sites?

Steve Langasek
postmodern programmer