On Wed, Feb 21, 2001 at 10:54:38PM +0100, Christian Hammers wrote:
> On Tue, Feb 20, 2001 at 10:24:03PM -0500, Branden Robinson wrote:
> > The purpose of this message is to outline the reasons I am running for Debian
> > Project Leader, and to present an idea of some specific things I would like
> > to accomplish during my term, if elected.
>
> You forgot to tell about security. More and more people are concerned about
> trojans in automatically downloaded packages. I know that there's no really
> good solution as in the end it is all software from different authors but
> we must at least do a bit more for security. Proposals are e.g.
>
> * APT could automatically check signatures on downloaded sources
> * APT could automatically check signatures on packages which the maintainer
>   has self-built.
> * A task force could check the diffs and md5sum check the .orig.tar.gz's for
>   malicious code - yeah, I know it's easy to hide but we normally don't have
>   that much source code changes outside the /debian dir.
> * something. At least make the users aware how much or how little the security
>   they get from RedHat's signed packages really is for them.
> * More people for the security fix team.
Check out debsigs and debsigs-verify (the latter being on non-US). John Goerzen
and I are working on package signing. IIRC, Jason and Anthony were working on a
signed index of md5sums for the archive in addition to this. The only thing it
is waiting for is integration with our current tools, and policy to back it up.

-- 
Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux
[EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
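The "signed index of md5sums" Ben mentions gives a two-step trust chain: the archive signature vouches for the index, and the index vouches for each package's checksum, so a trojaned .deb fails the check even though the package file itself carries no signature. The following is an added example of that check, not code from the thread, from debsigs or from apt; the index line format ("<md5sum> <size> <filename>") is a constructed approximation of a Release-style file, md5 is used because that is the digest the thread names, and the OpenPGP signature that gpg would verify is stood in for by an HMAC under a constructed key so the script runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for the archive signing key. apt would check an OpenPGP
# signature with gpg instead; the HMAC only keeps this demo offline.
ARCHIVE_KEY = b"constructed-archive-signing-key"

def sign_index(index_text: str, key: bytes = ARCHIVE_KEY) -> str:
    """Stand-in for the archive's detached signature over the index."""
    return hmac.new(key, index_text.encode(), hashlib.sha256).hexdigest()

def parse_index(index_text: str, signature: str, key: bytes = ARCHIVE_KEY) -> dict:
    """Return {filename: (md5, size)} from "<md5sum> <size> <filename>" lines,
    refusing the whole index if its signature does not verify."""
    if not hmac.compare_digest(sign_index(index_text, key), signature):
        raise ValueError("index signature does not verify: refusing to use it")
    entries = {}
    for line in index_text.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries

def verify_package(entries: dict, name: str, data: bytes) -> bool:
    """True only if the package is listed and its size and md5 match the index."""
    if name not in entries:
        return False  # unlisted package: nothing vouches for it
    digest, size = entries[name]
    if len(data) != size:
        return False
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), digest)

# Constructed sample archive: one good package and a trojaned copy of it.
GOOD_DEB = b"good package contents"
TROJANED_DEB = b"good package contents plus a trojan"
INDEX = f"{hashlib.md5(GOOD_DEB).hexdigest()} {len(GOOD_DEB)} foo_1.0_i386.deb\n"
INDEX_SIG = sign_index(INDEX)

def demo() -> tuple:
    """(genuine package accepted, trojaned package rejected)."""
    entries = parse_index(INDEX, INDEX_SIG)
    return (verify_package(entries, "foo_1.0_i386.deb", GOOD_DEB),
            verify_package(entries, "foo_1.0_i386.deb", TROJANED_DEB))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The order matters: the index signature is checked before any entry is read, so an attacker who can alter a mirror cannot simply substitute a package and rewrite its checksum line.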