> On Mar 9, 2012, at 3:31 AM, Lucas Adamski wrote:

> Also how will a user know which stores to trust?

 [apologies to the dev-security list, the reply i wrote went to the
original recipients, i hadn't noted the addition of dev-security as it
was later in the thread.  you can see a copy of what i wrote, which is
the background behind this particular follow-up reply, here:
https://groups.google.com/d/msg/mozilla.dev.b2g/AQYPkIjKxjE/65jok-pPKw0J
]

 in the case of the debian distribution, that's encoded into the
/etc/apt/sources.list file.  if users edit that file and start adding
e.g. "deb http://debian-multimedia.org" then they get prompted
"WARNING!  application from untrusted source! wark wark".  if however
they also take an *extra* step which is to add the debian-multimedia
keyring package (which, of course, will fire up a "WARNING!
application from untrusted source! wark wark" warning), *then* they're
ok, and have *actively* taken steps to say "we trust packages from
source named debian-multimedia.org".

l.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
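
Added example, not part of the original message: a small Python audit of the trust decision each entry in a sources.list encodes. It goes beyond the description above by using apt's per-source options `signed-by` and `trusted=yes`; the sample entries, hosts and keyring path are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample in one-line sources.list format (not from the original post).
SAMPLE = """\
# official archive
deb http://deb.debian.org/debian stable main
deb [signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.org/debian stable main
deb [arch=amd64 trusted=yes] http://mirror.example.net/debian stable main
deb-src http://deb.debian.org/debian stable main
this line is not a valid entry
"""

# type, optional [options], URI, suite, optional components
LINE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_sources(text):
    """Parse one-line-style entries, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            entries.append({"raw": raw, "error": "unparsable"})
            continue
        kind, opts, uri, suite, comps = m.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        entries.append({"type": kind, "options": options, "uri": uri,
                        "suite": suite, "components": (comps or "").split()})
    return entries

def trust_decision(entry):
    """Classify how the admin has chosen to trust this source."""
    if "error" in entry:
        return "invalid"
    opts = entry["options"]
    if opts.get("trusted", "").lower() == "yes":
        return "unverified"      # signature checking bypassed for this source
    if "signed-by" in opts:
        return "pinned-key"      # only the named keyring may sign this source
    return "global-keyring"      # any key in apt's trusted keyring is accepted

def audit(text):
    """Return (host, decision) for every entry, in file order."""
    return [(urlparse(e["uri"]).hostname if "uri" in e else None, trust_decision(e))
            for e in parse_sources(text)]
```

Entries reported as `unverified` are the ones to review first, since the keyring step described above has been skipped for them entirely.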
